Greetings to everybody.
Remember Heartbleed? Now there's something new:
http://www.wired.com/2014/09/hackers-already-using-shellshock-bug-create-botnets-ddos-attacks/
Noticed several times in log files of my server!
Best regards. Tom - sp2lob
Quick info on people who don't know what Shellshock is.
Due to a bug in bash it is possible to run shell commands as root through environment variables (env). Now realise that software like dhclient uses env, and CGI (PHP etc.) uses env to store the Host header and GET/POST variables.
So in a nutshell, if someone sends the right request to your website and gets it pushed into env, they can run root commands on your Linux/Mac/BSD/Cygwin (Windows) server, making it do all kinds of nasty stuff.
Or you join an open free wifi hotspot which is running a hacked dhcpd, which then pushes commands through DHCP options to your computer, causing it to run root commands because dhclient pushes them into env, making your computer download a rootkit and install a trojan, turning your computer into a zombie in a botnet. And all without you seeing it happen.
Debian released an update for bash today; please run "apt-get update && apt-get upgrade" on your Debian systems.
Other distros will probably be pushing out updates as well (but I am a Debian junky).
73s Robbie ON4SAX
On Fri, Sep 26, 2014 at 10:26 PM, sp2lob sp2lob@tlen.pl wrote:
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
PS
If you want to see if your system is vulnerable you can run the following commands in a shell:
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
If you see "busted" followed by "completed" as output, you are vulnerable. If you only see "completed", you already got the patch for bash and are secure.
example:
unpatched:
root@ns5000179:~# env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
busted
completed
patched:
root@vps43313:~# env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
completed
73s
Robbie
ON4SAX
On Fri, Sep 26, 2014 at 10:34 PM, Robbie De Lise robbie.delise@gmail.com wrote:
Hello Robbie et al.
Thank you for the very valuable input! Fortunately my server shows only "completed"! BTW, I'm Debian-addicted too, Hi!
Best regards. Tom - sp2lob
Greetings to everybody.
Shellshock still advancing:
180.186.121.254 - - [15/Oct/2014:13:04:01 +0200] "GET /cgi-bin/load.cgi HTTP/1.1" 404 478 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:02 +0200] "GET /cgi-bin/test.cgi HTTP/1.1" 404 478 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:03 +0200] "GET /cgi-bin/index.cgi HTTP/1.1" 404 479 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:03 +0200] "GET /cgi-bin/help.cgi HTTP/1.1" 404 478 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:04 +0200] "GET /cgi-bin/vidredirect.cgi HTTP/1.1" 404 485 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:04 +0200] "GET /cgi-bin/click.cgi HTTP/1.1" 404 479 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:04 +0200] "GET /cgi-bin/details.cgi HTTP/1.1" 404 481 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:05 +0200] "GET /cgi-bin/log.cgi HTTP/1.1" 404 477 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:05 +0200] "GET /cgi-bin/viewcontent.cgi HTTP/1.1" 404 485 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:06 +0200] "GET /cgi-bin/content.cgi HTTP/1.1" 404 481 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:07 +0200] "GET /cgi-bin/admin.cgi HTTP/1.1" 404 479 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:07 +0200] "GET /cgi-bin/userreg.cgi HTTP/1.1" 404 481 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:08 +0200] "GET /cgi-bin/mailview.cgi HTTP/1.1" 404 482 "-" "() { :;}; echo `echo xbash:test`"
The above IP sent 13 variations of "test" until I made a new fail2ban trap rule.
Keep sharp lookout!
Best regards. Tom - sp2lob
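A small log scanner in the spirit of the fail2ban trap Tom mentions, added here as an example; it is not Tom's rule or anything posted in this thread. It reads Apache combined-format lines, where the two trailing quoted fields are the Referer and User-Agent headers that mod_cgi exports into the CGI environment, counts probe lines per source address and lists the distinct payloads. The function names (shellshock_hits, shellshock_payloads) are ours. The sample log is three of Tom's lines above plus two constructed ones; 203.0.113.7 and 198.51.100.9 are documentation-range placeholder addresses.

```shell
#!/bin/sh
# Count Shellshock probes per source IP in Apache combined-log input.
# The marker is the "() {" prefix (spaces optional) that bash looked for
# when importing a function definition from the environment.
# Example script for this thread, not Tom's fail2ban rule.
SHOCK_RE='[(][)] *[{]'

# stdin: log lines; stdout: "ip count", busiest source first.
shellshock_hits() {
    grep -E "$SHOCK_RE" |
    awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }' |
    sort -k2,2nr -k1,1
}

# stdin: log lines; stdout: the distinct payloads, one per line.
# Splitting on the double quote puts the quoted fields (request line,
# Referer, User-Agent) at even positions, so only those are inspected.
shellshock_payloads() {
    grep -E "$SHOCK_RE" |
    awk -v re="$SHOCK_RE" -F'"' '{ for (i = 2; i <= NF; i += 2) if ($i ~ re) print $i }' |
    sort -u
}

# Sample input: the first three lines are from Tom's log above; the last
# two are constructed (one probe carrying the payload in the Referer
# field, one ordinary request that must not match).
SAMPLE_LOG='180.186.121.254 - - [15/Oct/2014:13:04:01 +0200] "GET /cgi-bin/load.cgi HTTP/1.1" 404 478 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:02 +0200] "GET /cgi-bin/test.cgi HTTP/1.1" 404 478 "-" "() { :;}; echo `echo xbash:test`"
180.186.121.254 - - [15/Oct/2014:13:04:03 +0200] "GET /cgi-bin/index.cgi HTTP/1.1" 404 479 "-" "() { :;}; echo `echo xbash:test`"
203.0.113.7 - - [15/Oct/2014:14:00:00 +0200] "GET /cgi-bin/status HTTP/1.1" 404 480 "() {:;}; echo probe" "Mozilla/5.0"
198.51.100.9 - - [15/Oct/2014:14:01:00 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"'

printf '%s\n' "$SAMPLE_LOG" | shellshock_hits
printf '%s\n' "$SAMPLE_LOG" | shellshock_payloads
```

Feed a real access log with `shellshock_hits < /var/log/apache2/access.log`; the addresses it prints are the candidates for a ban rule, and the payload list shows whether the scanner was only probing (echo) or actually trying to download something.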
Robbie;
On Fri, 2014-09-26 at 22:38 +0200, Robbie De Lise wrote:
If you want to see if your system is vulnerable you can run the following commands in a shell:
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
Great tool! Thanks for sharing!
The first patch to bash fixed the initial tests. Here is a test for the initially patched bash that showed another problem...
env X='() { (a)=>' sh -c "echo date"; cat echo
Prints the date if there is trouble.
Debian updated the stable distrib this morning to catch the new exploit.
Unfortunately there seems to be even more trouble coming: http://tinyurl.com/mzvcgbc
If you are running Debian stable the default shell is dash, which is safe, but if you upgraded from an older release in stages (say etch->squeeze->wheezy) you may not be using dash.
ls -l /bin/sh
Check to see where the symlink points to.
To "fix", make sure dash is installed:
sudo apt-get install dash
then use the /etc/alternatives method to set it as the default:
sudo update-alternatives --install /bin/sh sh /bin/dash 1
make sure it's set:
sudo update-alternatives --config sh
Hand check this afterwards:
ls -l /bin/sh
should return:
lrwxrwxrwx 1 root root 20 Sep 27 00:15 /bin/sh -> /etc/alternatives/sh
ls -l /etc/alternatives/sh
should return:
lrwxrwxrwx 1 root root 9 Sep 27 00:15 /etc/alternatives/sh -> /bin/dash
To be safe I restarted my apache server and mail system after the change.
Finally check your password file to see if bash is being explicitly used: grep bash /etc/passwd
If it is, I suggest you edit your password file so it uses /bin/sh after making the changes above.
If you are on a non-debian system you should search your vendors configuration to see how to change the default shell.
I don't particularly like dash but it's supposed to be safe. If you can't live without the features of bash you can just run it after logging in interactively.
Bob (N0QBJ)
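Robbie's two one-liners (in his PS above) and Bob's follow-on test for the bash that carried only the first patch, together with Bob's "where does /bin/sh point" check, rolled into one audit script. This is an added example, not code posted by anyone in this thread; the function names (probe_import, classify_import, probe_parser, sh_target, is_bash, audit) are ours, and the parser probe uses the form of that test as circulated on oss-security, which has a trailing backslash after `(a)=>`. It needs only a POSIX sh, env, mktemp and readlink -f.

```shell
#!/bin/sh
# Shellshock audit for one host: runs the two probes from this thread
# against /bin/sh and bash and reports what /bin/sh resolves to.
# Added example; the function names are ours, not from the thread.

# Probe 1 (Robbie's test): a crafted variable that a vulnerable bash
# parses as an exported function definition and then keeps executing,
# so "busted" is printed while the environment is imported.
# Prints "vulnerable" or "not_vulnerable".
probe_import() {
    out=$(env X='() { :;}; echo busted' "$1" -c 'echo completed' 2>/dev/null)
    classify_import "$out"
}

# The decision is kept separate from the probe so it can be checked on
# captured output without running a shell.
classify_import() {
    case "$1" in
        *busted*) echo vulnerable ;;
        *)        echo not_vulnerable ;;
    esac
}

# Probe 2 (Bob's test, in the oss-security form with the trailing
# backslash): a bash carrying only the first patch mis-parses the
# definition and turns the "echo" of the next command into a redirection
# target, so "date" runs and its output lands in a file named "echo".
# It runs in a scratch directory so nothing is left behind.
probe_parser() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env X='() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 )
    if [ -s "$dir/echo" ]; then result=vulnerable; else result=not_vulnerable; fi
    rm -rf "$dir"
    echo "$result"
}

# Fully resolved target of a (possibly chained) symlink such as /bin/sh.
sh_target() {
    readlink -f "$1"
}

# True when the path ultimately is bash. That is the case that matters:
# a /bin/sh that is bash drags every system()/popen() call into the bug.
is_bash() {
    case "$(basename "$(sh_target "$1")")" in
        bash) return 0 ;;
        *)    return 1 ;;
    esac
}

audit() {
    for s in /bin/sh "$(command -v bash)"; do
        [ -n "$s" ] || continue
        printf '%s -> %s\n' "$s" "$(sh_target "$s")"
        printf '  function-import probe: %s\n' "$(probe_import "$s")"
        printf '  parser (a)=> probe:    %s\n' "$(probe_parser "$s")"
    done
    if is_bash /bin/sh; then
        echo 'WARNING: /bin/sh is bash; CGI, system()/popen() in PHP and others, and cron jobs all go through it.'
    fi
}

audit
```

Run it before and after the package upgrade: the first probe should flip to not_vulnerable with the first patch, the second only with the follow-up, and the warning line tells you whether Bob's dash switch applies to your box at all.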
"Brian n1uro@n1uro.ampr.org says:"
On 9/26/2014 1:34 PM, Robbie De Lise wrote:
Due to a bug in bash it is possible to run shell commands as root through environmental variables (env).
It's my understanding that the code would be executed as the user of the service in which the exploit was launched through (this is not necessarily limited to web servers, as KI6ZHD correctly mentions). So, for a HTTP-based attack, if your web server is running as 'nobody' or 'apache', the code will execute with those user permissions. Hopefully people aren't running their web servers as root.
I've had to patch quite a few machines over the past couple of days; a few of the older versions had to be taken care of with a compiler. As more complete patches are released, I guess I'll be doing it all over again.
In the meantime, may all your boxen stay clean and stable!
73,
Brett, WA7V
Thought I'd forward on an email I wrote to one of my technical lists as there is a lot of vague information out there at the moment.
--David KI6ZHD
Hey Everyone,
At first, I thought this issue was going to be pretty narrow for sites who still use CGI, etc. Looking more, I found this good summary page which shows it to be a rather large attack surface:
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.ht...
--
What else? Oh, of course: the impact of this bug is an interesting story all in itself. At first sight, the potential for remote exploitation should be limited to CGI scripts that start with #!/bin/bash and to several other programs that explicitly request this particular shell. But there's a catch: on a good majority of modern Linux systems, /bin/sh is actually a symlink to /bin/bash!
This means that web apps written in languages such as PHP, Python, C++, or Java, are likely to be vulnerable if they ever use libcalls such as popen() or system(), all of which are backed by calls to /bin/sh -c '...'. There is also some added web-level exposure through #!/bin/sh CGI scripts, <!--#exec cmd="..."> calls in SSI, and possibly more exotic vectors such as mod_ext_filter.
--
This page nicely shows one line scripts of how to demonstrate if you're vulnerable and if not, what is the expected output:
https://community.qualys.com/blogs/securitylabs/2014/09/24/bash-remote-code-...
Big providers running tools like Cpanel, etc are going to get caught up and there are several bots already exploiting this. Unfortunately, even with the newest patches available say at http://ftp.gnu.org/gnu/bash/bash-4.3-patches/ things aren't completely resolved. This list seems to have the newest details on the issue from the primary developers so it needs to be monitored until a new patch makes it upstream:
http://www.openwall.com/lists/oss-security/2014/09/26/
Patch 0.26 is still not released which is required to completely close these holes. According to the above email list, this is turning out to be a much larger problem!
--David