Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

SHELLSHOCK!



Hey kids!

I just thought I would drop this stock email for you all to use to splain to your execs the problem of SHELLSHOCK and that it is IMPORTANT! I tried to wordsmith for the exec set in here and the links go right to pertinent blog posts and the CVE from NIST. Just a heads up I just saw that F5 BIG-IP is also in fact vulnerable to this attack so WHEEEEE!

Smoke em if you got em…

K.

UPDATE: Looks like SUID attack may be possible too…

Screenshot from 2014-09-25 08:09:17

Email Text:

All,

There’s a new vulnerability that affects nearly every system out there using the BASH shell on the internet. This means that any Linux/UNIX system that is, at the moment, internet facing is potentially vulnerable to being exploited by someone inserting commands into what gets sent to the server, via CGI scripting or HTML for example. There is already a Metasploit module for this, but you can check whether your version is vulnerable with the bash command below. This is an important vulnerability that could lead to a larger compromise of our environment!

The short answer on this vuln is that if you are vulnerable an attacker can run arbitrary code and have your system spit out data that you don’t want available, such as /etc/passwd and the like.

Needless to say this is of HIGH importance and rates a 10 on the NIST (CVSS) scale!

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6271

https://t.co/RprJoBGl7s

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html?m=1

How to test for this vulnerability:

env X='() { :;} ; echo busted' /bin/sh -c "echo stuff"

If you get “busted” back you are in fact vulnerable. (If /bin/sh on your system is not bash, run the same test against /bin/bash.)


REMEDIATIONS:

Red Hat recommendations: https://access.redhat.com/solutions/1207723

There’s a new vulnerability that affects nearly every system out there using BASH shell on the internet. This means that any Linux/UNIX system that is, at the moment, internet facing is potentially vulnerable to being exploited by someone using commands inserted and sent to servers via CGI scripting. There is already a module in metasploit on this but you can check your versioning and if it is vulnerable with the following command in bash shell. ~Troy Hunt

Another concern is the other appliances that are at risk:

The bigger worry is the devices with no easy patching path, for example your router. Short of checking in with the manufacturer’s website for updated firmware, this is going to be a really hard nut to crack. Often routers provided by ISPs are locked down so that consumers aren’t randomly changing either config or firmware and there’s not always a remote upgrade path they can trigger either. Combine that with the massive array of devices and ages that are out there and this could be particularly tricky. Of course it’s also not the sort of thing your average consumer is going to be comfortable doing themselves either. ~Troy Hunt

Another option is to remove BASH and replace it with something else:

“Other more drastic options include replacing Bash with an alternate shell implementation or cordoning off at-risk systems, both of which could have far-reaching ramifications and are unlikely to be decisions taken lightly. But that’s probably going to be the nature of this bug for many people – hard decisions that could have tangible business impact in order to avoid potentially much more significant ramifications.” ~Troy Hunt


DETECTION OF COMPROMISE:

Basically there is no means to do so effectively unless perhaps you are capturing all packets…

This can be hard to determine if there’s no logging of the attack vectors (there often won’t be if it’s passed by HTTP request header or POST body), but it’s more likely to be caught than with Heartbleed when short of full on pcaps, the heartbeat payloads would not normally have been logged anywhere. ~Troy Hunt
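One thing you can do on the detection side, as an added example that is not part of the original post or the email: where the probe rides in the Referer or User-Agent header, a standard Apache/nginx “combined” access log does record it, so you can sweep those logs for the “() {” function-definition prologue. The script below is my own, assumes combined log format, and runs over constructed sample lines; custom headers and POST bodies will not appear in the access log, which is exactly the gap Troy describes.

```python
import re

# Apache/nginx "combined" log format. The Referer and User-Agent fields are
# logged, and those two headers were the most common carriers of Shellshock
# probes against CGI scripts. Other headers and POST bodies are NOT logged here.
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# CVE-2014-6271 is triggered when bash imports an environment variable whose
# value starts with a function definition, "() {". Probes varied the
# whitespace to dodge naive string filters, so match the prologue loosely.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def find_shellshock_probes(lines):
    """Return (client_ip, field, value) for every logged request-line, Referer
    or User-Agent value that carries the "() {" prologue. Unparseable lines
    are skipped rather than raising, so a mixed log file can be swept whole."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue
        for field in ("req", "referer", "ua"):
            value = m.group(field)
            if SHELLSHOCK_RE.search(value):
                hits.append((m.group("ip"), field, value))
    return hits


# Constructed sample lines (RFC 5737 documentation addresses, not a real server).
# Line 1 carries the probe in User-Agent, line 3 in Referer, line 2 is benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:08:09:17 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; echo busted"',
    '198.51.100.7 - - [25/Sep/2014:08:10:02 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Sep/2014:08:11:45 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "() { :; }; echo busted" "curl/7.37.0"',
]

if __name__ == "__main__":
    for ip, field, value in find_shellshock_probes(SAMPLE_LOG):
        print(f"{ip}\t{field}\t{value}")
```

A hit only tells you a probe arrived; whether it executed depends on whether that URL is a bash-backed CGI script, so pair the sweep with the env test above on the hosts that served those paths.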

The real problem here is that this exploit set is still being worked out because it’s kinda modular. What I mean is that if you can get arbitrary code to execute, then you can place exploit code in there and get 0day to complete the job. So this is an evolving threat and MUST be taken seriously. Mitigation strategies should be worked out in the environment, and all due diligence should be followed in keeping up with the intelligence on this vulnerability and what is being seen in the wild.

Written by Krypt3ia

2014/09/25 at 11:14
