26 Sep
2014
26 Sep
'14
4:26 p.m.
Greetings to everybody.
Remember Heartbleed?
Now there's something new:
http://www.wired.com/2014/09/hackers-already-using-shellshock-bug-create-bo…
Noticed several times in log files of my server!
Best regards.
Tom - sp2lob
26 Sep
26 Sep
4:34 p.m.
Quick info on people who don't know what Shellshock is.
Due to a bug in bash it is possible to run shell commands as root through
environmental variables (env).
Now realise that software like dhclient uses env, CGI like PHP etc uses env
to store host-header and get/post variables.
So in a nutshell, if someone sends the right request to your website, gets
it pushed into env, they can run root commands on your
linux/mac/bsd/cygwin(windows) server making it do all kinds of nasty stuff.
Or you join an open free wifi hotspot which is running a hacked dhcpd which
then pushed commands through dhcp options to your computer causing it to
run root commands because dhclient pushes them into env, making your
computer download a rootkit and installing trojan making your computer into
a zombie in a botnet. And all without you seeing it happen.
debian released an update for bash today
please run "apt-get update && apt-get upgrade" on your debian systems
other distro's will probably be pushing out updates as well (but i am a
debian junky)
73s
Robbie
ON4SAX
On Fri, Sep 26, 2014 at 10:26 PM, sp2lob <sp2lob(a)tlen.pl> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
Greetings to everybody.
Remember Heartbleed?
Now there's something new:
http://www.wired.com/2014/09/hackers-already-using-
shellshock-bug-create-botnets-ddos-attacks/
Noticed several times in log files of my server!
Best regards.
Tom - sp2lob
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
4:38 p.m.
PS
If you want to see if your system is vulnerable you can run the following
commands in a shell:
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
if you see "busted" followed by "completed" as output, you are
vulnerable.
If you only see "completed", you already got the patch for bash and are
secure.
example:
unpatched:
root@ns5000179:~# env X="() { :;} ; echo busted" /bin/sh -c "echo
completed"
busted
completed
patched:
root@vps43313:~# env X="() { :;} ; echo busted" /bin/sh -c "echo
completed"
completed
73s
Robbie
ON4SAX
On Fri, Sep 26, 2014 at 10:34 PM, Robbie De Lise <robbie.delise(a)gmail.com>
wrote:
Quick info on people who don't know what
Shellshock is.
Due to a bug in bash it is possible to run shell commands as root through
environmental variables (env).
Now realise that software like dhclient uses env, CGI like PHP etc uses
env to store host-header and get/post variables.
So in a nutshell, if someone sends the right request to your website, gets
it pushed into env, they can run root commands on your
linux/mac/bsd/cygwin(windows) server making it do all kinds of nasty stuff.
Or you join an open free wifi hotspot which is running a hacked dhcpd
which then pushed commands through dhcp options to your computer causing it
to run root commands because dhclient pushes them into env, making your
computer download a rootkit and installing trojan making your computer into
a zombie in a botnet. And all without you seeing it happen.
debian released an update for bash today
please run "apt-get update && apt-get upgrade" on your debian systems
other distro's will probably be pushing out updates as well (but i am a
debian junky)
73s
Robbie
ON4SAX
On Fri, Sep 26, 2014 at 10:26 PM, sp2lob <sp2lob(a)tlen.pl> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
Greetings to everybody.
Remember Heartbleed?
Now there's something new:
http://www.wired.com/2014/09/hackers-already-using-
shellshock-bug-create-botnets-ddos-attacks/
Noticed several times in log files of my server!
Best regards.
Tom - sp2lob
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
4:52 p.m.
Hello Robbie et al.
Thank you for very valuable input!
Fortunately my server shows only "completed"!
BTW, I'm too Debian addicted, Hi!
Best regards.
Tom - sp2lob
16 Oct
16 Oct
6:06 a.m.
Greetings to everybody.
Shellshock still advancing:
180.186.121.254 - - [15/Oct/2014:13:04:01 +0200] "GET /cgi-bin/load.cgi
HTTP/1.1" 404 478 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:02 +0200] "GET /cgi-bin/test.cgi
HTTP/1.1" 404 478 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:03 +0200] "GET /cgi-bin/index.cgi
HTTP/1.1" 404 479 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:03 +0200] "GET /cgi-bin/help.cgi
HTTP/1.1" 404 478 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:04 +0200] "GET
/cgi-bin/vidredirect.cgi HTTP/1.1" 404 485 "-" "() { :;}; echo `echo
xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:04 +0200] "GET /cgi-bin/click.cgi
HTTP/1.1" 404 479 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:04 +0200] "GET
/cgi-bin/details.cgi HTTP/1.1" 404 481 "-" "() { :;}; echo `echo
xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:05 +0200] "GET /cgi-bin/log.cgi
HTTP/1.1" 404 477 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:05 +0200] "GET
/cgi-bin/viewcontent.cgi HTTP/1.1" 404 485 "-" "() { :;}; echo `echo
xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:06 +0200] "GET
/cgi-bin/content.cgi HTTP/1.1" 404 481 "-" "() { :;}; echo `echo
xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:07 +0200] "GET /cgi-bin/admin.cgi
HTTP/1.1" 404 479 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:07 +0200] "GET
/cgi-bin/userreg.cgi HTTP/1.1" 404 481 "-" "() { :;}; echo `echo
xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:08 +0200] "GET
/cgi-bin/mailview.cgi HTTP/1.1" 404 482 "-" "() { :;}; echo `echo
xbash:test`"
Above IP sent 13 variations of "test"
untill I made new fail2ban trap rule.
Keep sharp lookout!
Best regards.
Tom - sp2lob
26 Sep
26 Sep
11:14 p.m.
Robbie;
On Fri, 2014-09-26 at 22:38 +0200, Robbie De Lise wrote:
If you want to see if your system is vulnerable you
can run the following
commands in a shell:
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
Great tool! Thanks for sharing!
--
73 de Brian Rogers - N1URO
email: <n1uro(a)n1uro.ampr.org>
Web: http://www.n1uro.net/
Ampr1: http://n1uro.ampr.org/
Ampr2: http://nos.n1uro.ampr.org
Linux Amateur Radio Services
axMail-Fax & URONode
AmprNet coordinator for:
Connecticut, Delaware, Maine,
Maryland, Massachusetts,
New Hampshire, Pennsylvania,
Rhode Island, and Vermont.
27 Sep
27 Sep
1:53 a.m.
The first patch to bash fixed for the initial tests.
Here is a test for the initial patched bash that showed another problem...
env X='() { (a)=>\' sh -c "echo date"; cat echo
Prints the date if there is trouble.
Debian updated the stable distrib this morning to catch the new exploit.
Unfortunately there seems to be even more trouble coming:
http://tinyurl.com/mzvcgbc
If you are running debian stable the default shell is dash which is safe
but if you upgraded from an older release in stages (say etch->squeeze->wheezy)
you may not be using dash.
ls -l /bin/sh
Check to see where the symlink points to.
to "fix" make sure dash is installed:
sudo apt-get install dash
then use the /etc/alternatives method to set it as the default:
sudo update-alternatives --install /bin/sh sh /bin/dash 1
make sure it's set:
sudo update-alternatives --config sh
Hand check this afterwards:
ls -l /bin/sh
should return:
lrwxrwxrwx 1 root root 20 Sep 27 00:15 /bin/sh -> /etc/alternatives/sh
ls -l /etc/alternatives/sh
should return:
lrwxrwxrwx 1 root root 9 Sep 27 00:15 /etc/alternatives/sh -> /bin/dash
To be safe I restarted my apache server and mail system after the change.
Finally check your password file to see if bash is being explictly used:
grep bash /etc/passwd
If it is, I suggest you edit your password file so it uses /bin/sh after making
the changes above.
If you are on a non-debian system you should search your vendors configuration
to see how to change the default shell.
I don't particularily like dash but it's supposed to be safe.
If you can't live without the features of bash you can just run it
after logging in interactively.
Bob (N0QBJ)
"Brian <n1uro(a)n1uro.ampr.org> says:"
(Please trim inclusions from previous messages)
_______________________________________________
Robbie;
On Fri, 2014-09-26 at 22:38 +0200, Robbie De Lise wrote:
--
/~\ The ASCII | Bob Brose N0QBJ
\ / Ribbon Campaign | http://www.qbjnet.com/
X Help cure | mailto:bob@qbjnet.com
/ \ HTML Email | public key at http://www.qbjnet.com/key.html
There are only 10 types of people in the world: Those who understand binary, and those who
don't
If you want to see if your system is vulnerable
you can run the following
commands in a shell:
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
Great tool! Thanks for sharing! 
26 Sep
26 Sep
5:38 p.m.
On 9/26/2014 1:34 PM, Robbie De Lise wrote:
Due to a bug in bash it is possible to run shell
commands as root through
environmental variables (env).
It's my understanding that the code would be executed as the user of the
service in which the exploit was launched through (this is not
necessarily limited to web servers, as KI6ZHD correctly mentions). So,
for a HTTP-based attack, if your web server is running as 'nobody' or
'apache', the code will execute with those user permissions. Hopefully
people aren't running their web servers as root.
I've had to patch quite a few machines over the past couple of days; a
few of the older versions had to be taken care of with a compiler. As
more complete patches are released, I guess I'll be doing it all over again.
In the meantime, may all your boxen stay clean and stable!
73,
Brett, WA7V
5:02 p.m.
Thought I'd forward on an email I wrote to one of my technical lists as
there is a lot of vague information out there at the moment.
--David
KI6ZHD
Hey Everyone,
At first, I thought this issue was going to be pretty narrow for sites
who still use CGI, etc. Looking more, I found this good summary page
which shows it to be a rather large attack surface:
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.h…
--
What else? Oh, of course: the impact of this bug is an interesting story
all in itself. At first sight, the potential for remote exploitation
should be limited to CGI scripts that start with #!/bin/bash and to
several other programs that explicitly request this particular shell.
But there's a catch: on a good majority of modern Linux systems, /bin/sh
is actually a symlink to /bin/bash!
This means that web apps written in languages such as PHP, Python, C++,
or Java, are likely to be vulnerable if they ever use libcalls such as
popen() or system(), all of which are backed by calls to /bin/sh -c
'...'. There is also some added web-level exposure through #!/bin/sh CGI
scripts, <!--#exec cmd="..."> calls in SSI, and possibly more exotic
vectors such as mod_ext_filter.
--
This page nicely shows one line scripts of how to demonstrate if you're
vulnerable and if not, what is the expected output:
https://community.qualys.com/blogs/securitylabs/2014/09/24/bash-remote-code…
Big providers running tools like Cpanel, etc are going to get caught up
and there are several bots already exploiting this. Unfortunately, even
with the newest patches available say at
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/ things aren't completely
resolved. This list seems to have the newest details on the issue from
the primary developers so it needs to be monitored until a new patch
makes it upstream:
http://www.openwall.com/lists/oss-security/2014/09/26/
Patch 0.26 is still not released which is required to completely close
these holes. According to the above email list, this is turning out to
be a much larger problem!
--David
3764
days inactive
3784
days old
8 comments
6 participants
participants (6)
-
Bob Brose -
Brett Mueller -
Brian -
David Ranch -
Robbie De Lise -
sp2lob