Heads up! - Bash RCE Vulnerability

Discussion in 'Business & Enterprise Computing' started by millsy_c, Sep 25, 2014.

  1. millsy_c

    millsy_c Member

    Joined:
    Mar 31, 2007
    Messages:
    12,493
    Location:
    Brisbane
    Environment variables in Bash can be used to inject shell commands
    https://access.redhat.com/security/cve/CVE-2014-6271

    If your CGI scripts are configured to call bash, it may be possible for an attacker to execute commands as the HTTPD user.

    Apparently the patch is bypassable too.

    https://twitter.com/Newlog_/status/514918732561645568

    Note this affects pretty much anything using bash; I've seen a few people show Android and OSX as being vulnerable to this too.

    https://twitter.com/byt3bl33d3r/status/514916441708298240/photo/1
    https://twitter.com/Viss/status/514913098046521345/photo/1

    Keep an eye on your boxen!
     
  2. OP
    OP
    millsy_c

    millsy_c Member

    Joined:
    Mar 31, 2007
    Messages:
    12,493
    Location:
    Brisbane
    Apparently a metasploit module has been released, so script kiddies will be all over that.

    *edit* It's just a scanner, but they're not exactly hard to turn into exploits considering how relatively trivial this is.
     
    Last edited: Sep 25, 2014
  3. GreenBeret

    GreenBeret Member

    Joined:
    Dec 31, 2001
    Messages:
    19,370
    Location:
    Melbourne
    The bypass in the tweet is filtered; it doesn't work.

    All my boxes were patched overnight by puppet (configured to apply security updates automatically). Should be alright... :p
     
  4. OP
    OP
    millsy_c

    millsy_c Member

    Joined:
    Mar 31, 2007
    Messages:
    12,493
    Location:
    Brisbane
    Good to hear :thumbup:

    Unfortunately I'm hearing a lot of people saying they're in discussion over how they'll roll it out.
     
  5. Swathe

    Swathe (Banned or Deleted)

    Joined:
    Mar 23, 2007
    Messages:
    2,512
    Location:
    Rockhampton
    Patched my debian boxes, worked as expected.
     
  6. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    12,698
  7. OP
    OP
    millsy_c

    millsy_c Member

    Joined:
    Mar 31, 2007
    Messages:
    12,493
    Location:
    Brisbane
    I quite like #shellshock which has been floating around a fair bit on twitter.
     
  8. lavi

    lavi Member

    Joined:
    Dec 20, 2002
    Messages:
    4,003
    Location:
    Brisbane
  9. GreenBeret

    GreenBeret Member

    Joined:
    Dec 31, 2001
    Messages:
    19,370
    Location:
    Melbourne
  10. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,413
    Location:
    Canberra
    If I understand this correctly: any forward-facing service that you can get to set an env variable, which will ultimately be parsed by Bash (regardless of the user running bash), is vulnerable here?
     
  11. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    12,698
    That's my understanding of it. The command will run as whoever called it (aka the owner of the httpd process).

    http://seclists.org/oss-sec/2014/q3/650

    From the article above:

    So you can stick some stuff in an HTTP request header, send it to a vulnerable server and have the server execute your code (which could then be used to exploit local vulnerabilities and root the box).
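    The header vector described above is also what a defender can look for in web server access logs. The following is an added example (not from this thread or any of the posters): a POSIX shell function that reads Apache "combined" format log lines and flags any whose quoted fields (request line, Referer, User-Agent) carry the bash function-import signature `() {`. The log lines are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Bash (pre-patch) only imported an
# environment value as a function when it began with the exact bytes "() {",
# so that fixed string is the precise signature to hunt for in headers that
# mod_cgi copies into the environment (User-Agent, Referer, ...).

# Constructed sample access-log lines in Apache "combined" format.
# Lines 2 and 3 carry the signature in User-Agent and Referer respectively.
SAMPLE_LOG='10.0.0.5 - - [25/Sep/2014:10:15:32 +1000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Sep/2014:10:16:01 +1000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.3 - - [25/Sep/2014:10:17:44 +1000] "GET /index.html HTTP/1.1" 200 1024 "() { :;}; echo probe" "curl/7.30"'

# Reads log lines on stdin; prints "client_ip<TAB>offending_field" per hit.
# Splitting on the double quote makes every even-numbered awk field one of
# the quoted header values, so the signature is only matched inside them.
flag_shellshock_requests() {
    grep -F '() {' | awk -F'"' '{
        split($1, pre, " ")                 # pre[1] is the client IP
        for (i = 2; i <= NF; i += 2)        # even fields = quoted values
            if (index($i, "() {") > 0)      # substring match, conservative
                printf "%s\t%s\n", pre[1], $i
    }'
}

# Stand-alone usage: run the sample lines through the filter.
printf '%s\n' "$SAMPLE_LOG" | flag_shellshock_requests
```

    Pipe a live access log through the same function (e.g. `tail -f access.log | flag_shellshock_requests`) to get a running feed of hosts that probed for the bug.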
     
  12. evilasdeath

    evilasdeath Member

    Joined:
    Jul 24, 2004
    Messages:
    4,766
    Quickest test I have found:

    >env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test

    >env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test


    But yeah, we are patching our stuff at the moment; it's insane how many devices use bash in some way or form.
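    The one-liner above is easy to wrap so it can be run from cron or a config-management check across a fleet. This is an added example (not code from the thread or its posters): a POSIX shell function that runs the same env-variable test against a given bash binary and returns a distinct exit code for patched, vulnerable and not-found, so the result is usable from a script rather than read off a terminal.

```shell
#!/bin/sh
# Added example, not from the thread. Wraps the env-variable test posted
# above so a script can act on the result.
# Exit codes: 0 = patched, 1 = vulnerable to CVE-2014-6271, 2 = binary unusable.
check_bash_shellshock() {
    bin="${1:-bash}"
    command -v "$bin" >/dev/null 2>&1 || return 2
    # An unpatched bash imports x as a function AND runs the trailing
    # "echo vulnerable"; a patched one just runs the -c command. The
    # warning a patched bash may print goes to stderr, which we discard.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*)        return 1 ;;
        *"this is a test"*)  return 0 ;;
        *)                   return 2 ;;   # e.g. $bin is not actually a shell
    esac
}

# Human-readable wrapper; written so it is safe under "set -e".
report_bash_shellshock() {
    bin="${1:-bash}"
    rc=0
    check_bash_shellshock "$bin" || rc=$?
    case $rc in
        0) echo "$bin: patched" ;;
        1) echo "$bin: VULNERABLE to CVE-2014-6271" ;;
        *) echo "$bin: not found or not a usable shell" ;;
    esac
    return $rc
}

# Stand-alone usage: check the bash on PATH (or the path given as $1).
report_bash_shellshock "$1"
```

    Check every bash on a host, not just the one on PATH; appliances and embedded systems often ship a second copy under a different prefix.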
     
  13. Alationever

    Alationever Member

    Joined:
    Jun 10, 2014
    Messages:
    55
    It hasn't been a great year for free software's reputation.
     
  14. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    12,698
    and the followup bug #aftershock...

    https://shellshock.detectify.com/ has a detection tool. I'm not sure how accurate it is though; I've got an appliance that I know bash is vulnerable on... but it fails (it may not use mod_cgi though).
     
  15. GreenBeret

    GreenBeret Member

    Joined:
    Dec 31, 2001
    Messages:
    19,370
    Location:
    Melbourne
  16. GreenBeret

    GreenBeret Member

    Joined:
    Dec 31, 2001
    Messages:
    19,370
    Location:
    Melbourne
    Reputation among whom?

    Heartbleed and this are serious bugs, but the way they were discovered, then patched rapidly is exactly how free software works.

    Now, if the patch doesn't get rolled out rapidly to the required boxes, then the sysadmins / vendors are to blame. That goes for any platform.
     
  17. bsbozzy

    bsbozzy Member

    Joined:
    Nov 11, 2003
    Messages:
    3,924
    Location:
    Sydney
  18. GreenBeret

    GreenBeret Member

    Joined:
    Dec 31, 2001
    Messages:
    19,370
    Location:
    Melbourne
    Read my previous post and test the code against your RHEL bash.

    Or read your own link esp the update section: the patch is incomplete.

    I've already rolled out the previous patch through automatic updates.
     
  19. OP
    OP
    millsy_c

    millsy_c Member

    Joined:
    Mar 31, 2007
    Messages:
    12,493
    Location:
    Brisbane
  20. -Antiskeptic-

    -Antiskeptic- Member

    Joined:
    Aug 14, 2006
    Messages:
    956
    Location:
    Reservoir, VIC