And it looks like it’s been a busy week in Information Security, where everyone seems to be pretty paranoid regarding CVE-2014-6271, publicly named “ShellShock”. And of course, you should be:
Bash, the most-used shell interpreter on Linux and on most Unix systems such as OS X, suffers from a vulnerability that gives an attacker the ability to execute arbitrary commands, because Bash does not correctly process environment variables. And it’s worse: under specific conditions, this vulnerability can be exploited remotely.
How can this be possible?
Incredibly, Bash does not correctly process function definitions when they are stored in an environment variable. You can use the following Proof of Concept to check whether your system is still vulnerable, and as a demonstration of this behavior:
$ env var='() { ignore this;}; echo Vulnerableeee' bash -c ''
If vulnerable, you will see printed “Vulnerableeee” on your screen.
If patched, the following output will appear instead:
bash: warning: var: ignoring function definition attempt
bash: error importing function definition for 'var'
How can an attacker exploit this?
There are two ways to exploit this vulnerability: over SSH an authenticated user is needed, but environment variables populated from HTTP/CGI requests make remote code execution over the network possible, so there are multiple areas of exploitation.
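To make the HTTP/CGI vector concrete from the defender's side, here is an added example (not code from the original post): it shows how a CGI server maps request headers into the environment variables that Bash will see, and a small detector that flags any header value or access-log field that starts with the function-definition prefix used in the test command above. The header names, log lines and IP addresses are constructed sample data; the HTTP_ prefix mapping follows the CGI convention described in RFC 3875.

```python
"""Added example: CGI header-to-environment mapping and a ShellShock-pattern
detector over request headers and Apache combined-format access-log lines.
All request and log data below is constructed for illustration."""
import re

# Unpatched Bash treats an environment value beginning with "() {" as an
# exported function definition and keeps parsing past the closing brace;
# a patched Bash rejects it with the warning shown in the post.
FUNC_DEF = re.compile(r"^\s*\(\)\s*\{")

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "agent"
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def cgi_environment(headers):
    """Map HTTP request headers to CGI meta-variables the way a CGI server
    does (RFC 3875 section 4.1.18): 'User-Agent' -> HTTP_USER_AGENT.
    This is the step that hands attacker-controlled text to Bash."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def suspicious_values(env):
    """Names of environment variables whose value unpatched Bash would
    import as a function definition."""
    return sorted(k for k, v in env.items() if FUNC_DEF.match(v))


def scan_request(headers):
    """Flag the CGI variables a request would populate with the pattern."""
    return suspicious_values(cgi_environment(headers))


def scan_log_line(line):
    """Return (ip, request, hit_fields) when the Referer or User-Agent in a
    combined-format log line carries the pattern; None if clean or unparseable."""
    m = COMBINED_LOG.match(line)
    if not m:
        return None
    hits = [f for f in ("referer", "agent") if FUNC_DEF.match(m.group(f))]
    return (m.group("ip"), m.group("request"), hits) if hits else None


def scan_log(lines):
    """Run scan_log_line over an iterable of log lines, keeping only hits."""
    return [r for r in map(scan_log_line, lines) if r]


# Constructed samples: one ordinary request, one carrying the post's test string.
BENIGN = {"Host": "www.example.com", "User-Agent": "Mozilla/5.0", "Accept": "*/*"}
PROBE = {"Host": "www.example.com", "User-Agent": "() { ignore this;}; echo Vulnerableeee"}

SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Sep/2014:10:01:03 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { ignore this;}; echo Vulnerableeee"',
]

if __name__ == "__main__":
    for headers in (BENIGN, PROBE):
        print("request:", scan_request(headers) or "clean")
    for hit in scan_log(SAMPLE_LOG):
        print("log hit:", hit)
```

Because the check keys on the `() {` prefix rather than on any particular command, it catches probes regardless of what follows the function body; it is a triage aid for web logs and WAF rules, not a substitute for updating Bash.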
A quick Google Dork reveals that HTTP/CGI shell scripts are widely used (more than a million results for this search).
This immediately reminded me of a text by Leon Juranic from DefenseCode, which talks about how Unix wildcards can go really wild! A must-read, I must say.
Updates for all major distributions have been released, so go ahead and update Bash ASAP!
C ya l8r!