Shell Shock – The Bash Vulnerability
BASH (Baurne Again Shell)
Bash is the shell, or command language interpreter, that will appear in the GNU operating system. Bash is an sh-compatible shell that incorporates useful features from the Korn shell (ksh) and C shell (csh). It is intended to conform to the IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard. It offers functional improvements over sh for both programming and interactive use. In addition, most sh scripts can be run by Bash without modification. Bash is quite portable. It uses a configuration system that discovers characteristics of the compilation platform at build time, and may therefore be built on nearly every version of UNIX. Ports to UNIX-like systems such as QNX and Minix and to non-UNIX systems such as OS/2, Windows 95/98, and Windows NT are available.
Here is a short list of feature available in bash:
- History and Command Re-entry
- Job Control
- Shell Functions and Aliases
- Arrays
- Arithmetic
- Brace Expansion
- Substring Capabilities
- Expanded I/O Capabilities
- Command Timing
- Editing and Completion etc..
Shell Shock:
The Bash vulnerability, now dubbed by some as “Shellshock,” has been reportedly found in use by an active exploit against Web servers. A security vulnerability in the GNU Bourne Again Shell (Bash), the command-line shell used in many Linux and Unix operating systems, could leave systems running those operating systems open to exploitation by specially crafted attacks. “This issue is especially dangerous as there are many possible ways Bash can be called by an application,”
The bug, discovered by Stephane Schazelas, is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network–based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.
Because of its wide distribution, the vulnerability could be as wide-ranging as the Heartbleed bug, though it may not be nearly as dangerous. The vulnerability affects versions 1.14 through 4.3 of GNU Bash. Examples of exploitable systems include the following:
- Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or launch to Bash subshells
- Certain DHCP clients
- OpenSSH servers that use the ForceCommandcapability
- Various network-exposed services that use Bash
How to check a vulnerable application for shell shock:
There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:
env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”
If the system is vulnerable, the output will be:
vulnerable
this is a test
Fixing Vulnerability:
The easiest way to fix the vulnerability is to use your default package manager to update the version of Bash. The following subsections cover updating Bash on various Linux distributions, including Ubuntu, Debian, CentOS, Red Hat, and Fedora.
APT-GET: Ubuntu / Debian
Update Bash to the latest version available via apt-get:
sudo apt-get update && sudo apt-get install –only-upgrade bash
YUM: CentOS / Red Hat / Fedora
Update Bash to the latest version available via the yum:
sudo yum update bash
Note: Now check your system vulnerability again by running the command
For more information refer: CVE-2014-6271
An unaffected (or patched) system will output:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test
The fix is an update to a patched version of the Bash shell. To be safe, administrators should do a blanket update of their versions of Bash in any case.
References:
http://www.zdnet.com/shellshock-how-to-protect-your-unix-linux-and-mac-servers-7000034072/
http://www.cnet.com/news/vast-majority-of-os-x-users-safe-from-bash-shellshock-bug-apple-says/
Written By,
Attack & PenTest Team,
Varutra Consulting