Shellshock, a.k.a. the Bash Bug: Vulnerability Information

What is the Shellshock vulnerability?

On Wednesday, security researchers disclosed a vulnerability in the Bash shell (CVE-2014-6271) that allows an attacker to execute code remotely by simply setting an environment variable on the target machine. Unfortunately, using environment variables to pass user-controlled data to the Bash shell is not uncommon for web applications. For example, CGI servers use environment variables to provide underlying scripts with HTTP header information, including attacker-controlled fields like ‘Cookie’, ‘Host’, and ‘Referer’. Weaponized versions of this vulnerability are already appearing in the wild. The folks over at TrustedSec have also released a proof-of-concept that uses a malicious DHCP server to execute code when a client renews its IP address.

Who is affected?

Any system with a modern version of Bash is likely affected. Most flavors of Linux as well as OS X have vulnerable versions of Bash installed by default, though many Linux vendors have released a patch to fix the vulnerability. More concerning is the array of embedded devices that run Bash and have no easy update mechanism.

Out of the box, it appears that the vulnerability is more easily exploited on Red Hat machines than on Debian-based systems, because ‘/bin/bash’ is the default system shell on those machines (as opposed to ‘/bin/dash’ on Debian). However, any web application that explicitly invokes a shell script with Bash (e.g. one starting with “#!/bin/bash”) is affected by the vulnerability.

Is my machine vulnerable?

To test if you have an affected version of Bash, run the following command:

env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("

On a vulnerable machine, the output will look like:

bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
still vulnerable :(

If Bash has been patched correctly, you will see instead:

bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
echo vuln
cat: echo: No such file or directory
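
The same check wrapped in a POSIX shell function, as an added example that is not part of the original post. It runs the test in a throwaway directory, because an affected Bash writes a file named "echo" into the current directory, and it can be pointed at every bash on PATH and at /bin/sh. The names check_bash and check_all and the --all argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Plain POSIX sh, so the
# variables below are global; the function names are hypothetical.

# check_bash PATH_TO_SHELL
# Prints "vulnerable", "not-vulnerable" or "missing"; returns 0 only
# when the shell did not show the behaviour the page's test looks for.
check_bash() {
    bash_bin=$1
    if [ ! -x "$bash_bin" ]; then
        echo "missing"
        return 2
    fi
    # An affected Bash writes a file named "echo" into the current
    # directory, so run the test somewhere disposable.
    workdir=$(mktemp -d) || return 3
    if (
        cd "$workdir" || exit 1
        # Same variable and command as the page's one-liner; the
        # function-import error messages are expected and discarded.
        env X='() { (a)=>\' "$bash_bin" -c "echo echo vuln" >/dev/null 2>&1
        [ -f echo ] && [ "$(cat echo)" = "vuln" ]
    ); then
        verdict=vulnerable
    else
        verdict=not-vulnerable
    fi
    rm -rf -- "$workdir"
    echo "$verdict"
    [ "$verdict" = not-vulnerable ]
}

# check_all: test every executable named bash on PATH, then /bin/sh,
# which is Bash on some distributions and dash on others.
check_all() {
    status=0
    old_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        [ -x "$dir/bash" ] || continue
        printf '%s: ' "$dir/bash"
        check_bash "$dir/bash" || status=1
    done
    IFS=$old_ifs
    printf '%s: ' /bin/sh
    check_bash /bin/sh || status=1
    return "$status"
}

if [ "${1:-}" = "--all" ]; then check_all; fi
```

A non-zero exit status from check_all means at least one shell behaved like the vulnerable case shown above and still needs the update.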


Are Pwnie Express devices affected?

Yes. Based on the proofs of concept released so far, our devices don’t provide an immediately apparent vector for exploiting the vulnerability remotely. However, all unpatched Pwnie devices have a vulnerable version of Bash and should be updated immediately. An updated version of Bash is available in the Kali Linux repositories. Performing a system update through the Pwnie UI (or running ‘apt-get update && apt-get install bash’ from the command line) should fix the vulnerability. We urge our customers to do so as soon as possible.
