Update on CVE-2014-6271: Vulnerability in bash (shellshock), (Thu, Sep 25th)

(this diary will be updated with links to relevant resources shortly)

Yesterday, a vulnerability in bash was announced, that was originally found by,Stephane Schazelas. The vulnerability allows for arbitrary code execution in,bash by setting specific environment variables. Later, Travis Ormandy released,a second exploit that will work on patched systems, demonstration that the,patch released yesterday is incomplete.

What is the impact of the vulnerability?

At first, the vulnerability doesn’t look all that serious. Executing commands is what bash is used for. However, in this case, code can be executed without,the user’s intend by setting an environment variable.

The most problematic scenario is bash scripts executed via cgi-bin. The CGI,specification requires the web server to convert HTTP request headers supplied,by the client to environment variables. If a bash script is called via cgi-bin,,an attacker may use this to executed code as the web server.

Other, less likely scenarios involve ssh, which can set environment variables,,but they would have to be set on the server in a configuration file. DHCP , , , clients may in some cases executed bash scripts and use environment variables,supplied by the server. This case may be exploitable if the user connects to,an untrusted DHCP server (“cofeehouse wifi”).

Should I apply the patch?

Yes. The patch will fix one aspect of the vulnerability. However, the patch is not complete and does not completely fix the vulnerability. We are not aware,of any side effects of the patch.

What are my other options? What else should I do?

Since the patch is incomplete, you should try to implement additional measures,to protect your systems. Various Intrusion Detection System and Web Application,Firewall vendors have released rules to block exploitation. However, realize,that these rules may be incomplete as well. Many rules I have seen so far,just look for the string “() {“, which was present in the original proof of,concept exploit, but could easily be changed for example by adding more or,different white spaces.

You should switch your default shell to an alternative like ksh or sh. But this,will likely break existing scripts. Different shells use slightly different,syntax.

How do I find vulnerable systems?

If you can log on to the system, you can use one of these test strings:

To check if you are patched, you can use the original test string:
, env x='() { ;;}; echo vulnerable’ sh -c “echo this is a test”

If you are patched, but want to demonstrate that you are still vulnerable, you
can use this command:
, env X='() { (a)=>’ sh -c “echo date”;
This command will return an error on a patched system, but it will still
create an empty file called “echo”.

There are various modules for vulnerability scanners to search for vulnerable systems. You can also use a quick Google search for likely vulnerable web servers:
filetype:sh inurl:cgi-bin site:[your domain]
This Google check my return shell scripts that use shells other then bash.

Be careful to check web servers in embeded systems like routers as they may,not only run bash scripts, but they may do so at elevated priviledges.

Are systems already being exploited?

We have seen reports of scans for the vulnerability.

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.