
Shellshock vulnerability could lay waste to the internet

By on September 29, 2014 at 8:10 am


Updated @ 8:10am, September 29: Another remote code execution vulnerability has been found in Bash. It is unrelated to the first Shellshock vulnerability, but it is essentially the same deal: It’s very easy to exploit, and allows attackers to execute arbitrary code on a remote computer. The patched version of Bash which fixed the initial Shellshock vulnerability (CVE-2014-6271) does not protect you against this new vulnerability (CVE-2014-6277 and CVE-2014-6278). The original story, which is still accurate and informative, remains below.

Original story

There’s a new internet-crippling zero-day vulnerability in town called Shellshock. It potentially affects around half of all websites on the internet (around 500 million), and millions or billions more internet-connected devices such as routers and smartphones. Unlike Heartbleed, which was quite hard to exploit properly, Shellshock can be exploited with just a couple of lines of code, giving just about anyone the ability to run arbitrary code on an affected computer. In simple terms, this means that it’s now relatively simple for anyone to gain unauthorized access to a large portion of the world’s computers, and download/extract a wide variety of sensitive details. Shellshock also has the potential to be turned into a worm — a self-replicating piece of code that automatically propagates to all Shellshock-vulnerable systems, potentially causing untold damage.

But before we get ahead of ourselves with various doomsday scenarios (and Shellshock really could be one of the worst bugs to ever hit the internet), let’s discuss what Shellshock actually is first.

What is Shellshock?

In technical terms, Shellshock is a vulnerability, formally designated CVE-2014-6271, in a Linux (or *nix) program called Bash. In the words of the US government’s NIST agency:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” (Emphasis added)

In simpler, non-technical terms, Shellshock is a vulnerability in a very popular program — Bash — that is present on almost every Linux-based computer and device in the world. If you’ve ever used the “command line” on a Unix-like system (Linux, Mac OS X, Android) then you were probably typing commands into a Bash shell. This vulnerability, which can be exploited via a number of routes (at least Apache and DHCP), allows an attacker to run code directly on the vulnerable system. It is very, very easy to craft these attacks — it’s basically as simple as writing a few lines of Bash shell script.

Dumping the contents of /etc/passwd on a Linux system, via the Shellshock Bash exploit

Who or what is vulnerable to Shellshock?

Bash, or GNU Bash to give its proper name, was created 25 years ago as a free replacement for Unix’s Bourne shell. It is distributed with just about every flavor of Linux, and it’s the default shell for Mac OS X. Every version of Bash for the last 25 years, up to and including version 4.3, is vulnerable to the Shellshock vulnerability.


Merely having Bash installed on a system doesn’t make you vulnerable, however; the attacker needs some way to access Bash via the internet. In this case, the easiest route is through Apache, which has permission — via mod_cgi — to set environment variables. These variables would usually be used for cookies, referral URLs, and other “header” information. The Shellshock vulnerability allows actual commands to be executed, instead of just setting a few harmless variables. OpenSSH (sshd) may also provide a route in via Bash, but various exploits are still being explored.
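Detection logic for the Apache route described above, added here as an example and not taken from the original article: it scans access-log lines in Apache's combined format for request, Referer and User-Agent values that contain the "() {" function-definition prefix. The sample log lines, the addresses in them and the scan() helper are constructed for illustration.

```python
import re

# Apache "combined" format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'   # quoted field, tolerating \" escapes
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED
)

# Bash imports an environment value that begins with "() {" as a function
# definition. Optional whitespace between the tokens is accepted here as a
# detection heuristic (assumption: fewer misses matter more than exactness).
FUNC_DEF_RE = re.compile(r'\(\)\s*\{')

# Constructed sample log lines (documentation-range addresses, harmless echo).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo probe"',
    '203.0.113.5 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "() { :; }; echo probe" "curl/7.38.0"',
    '192.0.2.44 - - [25/Sep/2014:10:01:30 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    # Malformed line (missing fields): must still be inspected, not skipped.
    '203.0.113.9 - - [25/Sep/2014:10:02:00 +0000] "GET /cgi-bin/test HTTP/1.1" 200 "() { :;}; echo probe"',
]


def scan(lines):
    """Return (line_number, client, field) for every suspicious logged field."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LINE_RE.match(line)
        if match is None:
            # Unparseable line: fall back to searching the raw text.
            if FUNC_DEF_RE.search(line):
                hits.append((number, None, "raw"))
            continue
        client, request, referer, agent = match.groups()
        fields = (("request", request), ("referer", referer), ("user-agent", agent))
        for field, value in fields:
            if FUNC_DEF_RE.search(value):
                hits.append((number, client, field))
    return hits


if __name__ == "__main__":
    for number, client, field in scan(SAMPLE_LOG):
        print(f"line {number}: {client or 'unparsed'}: function-definition prefix in {field}")
```

Only fields that the server actually logs can be checked this way; the combined format does not record cookies or other headers, so a clean result does not rule out attempts through those.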

To test whether a system is vulnerable, you can try popping open a shell/terminal and running this command:

env X="() { :;} ; echo you might be vulnerable" /bin/bash -c "echo hello"

If “you might be vulnerable” pops up, your system has an exploitable version of Bash installed. This doesn’t mean that your system is vulnerable, though. Apple has already issued a statement saying that normal OS X users, despite having a vulnerable version of Bash, are not vulnerable. The situation is probably similar for Android: It has a vulnerable version of Bash, but actually exploiting it is probably quite hard. I don’t believe iOS is vulnerable.

If you run a Linux/*nix Apache web server, or if you use someone else’s server that also has Apache installed, you are vulnerable. Keep an eye out for an updated version of Bash, or other mitigations. For now, there isn’t really an easy mitigation — unless you know for sure that you don’t have any websites that use CGI, and can simply disable mod_cgi. Most major distros have issued a patched version of Bash — use apt-get, yum, etc. to obtain it.

As far as normal people are concerned, the most pressing issue is that your DSL/cable router may also be vulnerable (most consumer routers run an embedded version of Linux, and a CGI-capable web server) — and if a hacker can access your router, they can then probably gain access to other resources on your local network (shared folders and the like).

If you’re one of the 18 people in the world who uses Linux as a desktop OS, and you also run the Apache web server, you are probably vulnerable.

Rather amusingly, this is one of the few cases where Windows isn’t vulnerable (unless you have Bash installed via Cygwin, but very few people do). Of course, you might still be in trouble if you have Windows machines sharing a network with some vulnerable Linux boxes.

How can you protect yourself against Shellshock?

Long-term, just like Heartbleed, the only real solution for Shellshock is to install a patched version of Bash. For server admins, this shouldn’t be too difficult, though there will be a lot of computers to update. For normal people, the real concern will be updating any and all devices that run some kind of Linux-flavored operating system and have a vulnerable version of Bash. At the very least, this will probably mean a lot of wireless routers need to be patched. Other smart and internet-of-things (IoT) devices may also need to be patched: Smart TVs, smart fridges, WiFi-connected thermostats, and any similar household or office doodads.

Unfortunately, many of these devices were not designed to be updated easily. Many smaller, embedded devices are of the “fire and forget” variety, and many more will be

Amusingly enough, our best hope for mitigating Shellshock quickly is if a white hat hacker creates a worm that uses the Shellshock vulnerability to automatically spread across the internet, patching vulnerable computers and devices as it goes.

Keep your eyes peeled for further updates. We’re still very early on in Shellshock’s lifecycle. I expect we’ll have a whole host of new attack vectors and repercussions to report on by the end of the day.