'Shellshock’ Threatens 500M Computers (Linux, MacOSX) — Parallax Forums

Ron Czapala Posts: 2,418
edited 2014-09-26 23:06 in General Discussion
http://finance.yahoo.com/news/heartbleed-shellshock-threatens-500m-computers-194100743.html
The main problem is the location of the vulnerability – a small piece of software called Bash, which stands for Bourne-Again SHell. Bash is a fundamental element of many Unix-based operating systems – including many Linux distributions and Mac OSX. It’s the terminal where commands that are issued for controlling the system – installing software, monitoring networks, and executing code – are run.

If you’re on a Windows box, you’re not out of the woods, either. The servers of most sites that you visit run on Apache, which, as you’ve probably guessed by now, also uses Bash.

http://gizmodo.com/why-the-shellshock-bash-bug-could-be-even-worse-than-he-1639047786

http://www.zdnet.com/first-attacks-using-shellshock-bash-bug-discovered-7000034044/
The good news yesterday that some Linux distributions shipped patches for the bug yesterday has already been tempered by the discovery that those patches only partially dealt with potential attacks. In an update overnight, Red Hat said that it was developing a new patch, however, it is still advising users to apply the incomplete one for now

http://www.cnet.com/news/bigger-than-heartbleed-bash-bug-could-leave-it-systems-shellshocked/

http://www.wired.com/2014/09/internet-braces-crazy-shellshock-worm/
Because Shellshock is easy to exploit—it only takes about three lines of code to attack a vulnerable server—Lackey and other security experts think there’s a pretty good chance that someone will write a worm code that will jump from vulnerable system to vulnerable system, creating hassles for the world’s system administrators. “People are already exploiting it in the wild manually, so a worm is a natural outgrowth of that,” Lackey says.

To exploit the bug, the bad guys need to connect to software such as PHP or DHCP—which use bash to launch programs within the server’s operating system

Comments

  • Heater. Posts: 21,230
    edited 2014-09-26 07:19
    It's shocking I tell you, simply shocking.

    Ah, no worries. It's fixed in Debian already. Even on the Raspberry Pi. Debian Jessie is still vulnerable but that's not supposed to be on production machines.

    It's shocking how fast those guys fix this kind of stuff:)
  • Ron Czapala Posts: 2,418
    edited 2014-09-26 07:38
    Heater. wrote: »
    It's shocking I tell you, simply shocking.

    Ah, no worries. It's fixed in Debian already. Even on the Raspberry Pi. Debian Jessie is still vulnerable but that's not supposed to be on production machines.

    It's shocking how fast those guys fix this kind of stuff:)

    Let's hope it gets squashed quickly.

    http://www.itnews.com.au/News/396197,first-shellshock-botnet-attacks-akamai-us-dod-networks.aspx#ixzz3EQsWZWQ0

    First Shellshock botnet attacks Akamai, US DoD networks
    Attackers have been quick to exploit the Shellshock Bash command interpreter bug disclosed yesterday by building a botnet that is currently trying to infect other servers, according to a security researcher.

    The "wopbot" botnet is active and scanning the internet for vulnerable systems, including at the United States Department of Defence, chief executive of Italian security consultancy Tiger Security, Emanuele Gentili, told iTnews.

    "We have found a botnet that runs on Linux servers, named “wopbot", that uses the Bash Shellshock bug to auto-infect other servers," Gentili said.

    Wopbot has so far launched a distributed denial of service attack against servers hosted by content delivery network Akamai, and is also aiming for other targets, according to Gentili.

    "Analysing the malware sample in a sandbox, we saw that the malware has conducted a massive scan on the United States Department of Defence Internet Protocol address range on port 23 TCP or Telnet for brute force attack purposes," he said.

    The US DoD network in question is the 215.0.0.0/8 range, with approximately 16.7 million addresses.


    How to tell if you're vulnerable

    http://www.pcmag.com/article2/0,2817,2469299,00.asp?kc=PCRSS03069TX1K0001121
    Beyond Linux-based systems, Graham and Ars Technica report that Mac OS X Mavericks contains a vulnerable version of Bash.

    To test if your version of Bash is vulnerable to this issue, Red Hat says to run this command:

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    If the system responds with the following, then you're running a vulnerable version of Bash and you should apply any available updates immediately:

    vulnerable
    this is a test

    "The patch used to fix this issue ensures that no code is allowed after the end of a Bash function," Red Hat reports. So rather than spitting out "Vulnerable," a protected version of Bash will spit out the following when you run the aforementioned command:

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
  • Heater. Posts: 21,230
    edited 2014-09-26 07:45
    Interesting. Whilst the quotes you have there indicate networks are being scanned and DOSed it does not say that anyone is actually getting in with shell shock.

    What I don't understand is where are these shell scripts that can be attacked?

    On every web server I have ever worked with there was no shell scripting being used anywhere.
  • RDL2004 Posts: 2,554
    edited 2014-09-26 08:05
    OMG! I'm vulnerable.

    I have to update Linux?
  • Electrodude Posts: 1,658
    edited 2014-09-26 08:08
    It says versions 1.14 to 4.3 are vulnerable, but my bash 4.2 seems to be fine.
    $ env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
    
  • Ron Czapala Posts: 2,418
    edited 2014-09-26 09:39
    Apple says 'Shellshock' no risk to vast majority of Mac users

    http://finance.yahoo.com/news/apple-says-shellshock-no-risk-145927782.html
    Apple ships its computers so they are "safe by default," Evans said, which means that they are not vulnerable to remote attacks
    unless users configure them for "advanced" Unix services.
  • Ron Czapala Posts: 2,418
    edited 2014-09-26 11:32
    Trend Micro Launches Free Protection for Shellshock a.k.a. Bash Bug

    https://ca.finance.yahoo.com/news/trend-micro-launches-free-protection-175300921.html
    Trend Micro's holistic strategy is to contain the vulnerability and build up defenses. This includes the distribution of tools to help IT administrators scan and protect servers, including web security and anti-malware tools to help protect their end-users.

    For consumers:
    Trend Micro Free Tool for PCs, Macs and Android devices: these free tools notify the end-user of a website Trend Micro has identified as being affected by the Bash vulnerability.
    The tools can be accessed here: http://www.trendmicro.com/us/security/shellshock-bash-bug-exploit/index.html
  • Heater. Posts: 21,230
    edited 2014-09-26 11:51
    Electrodude,

    Amazing!
    $ env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
    vulnerable
    this is a test
    heater@debian:~$ su
    Password: 
    root@debian:/home/heater# apt-get update
    ....
    ....
    root@debian:/home/heater# apt-get upgrade
    ....
    ....
    root@debian:/home/heater# exit
    exit
    heater@debian:~$ env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    
    Just a couple of hours ago I was reading how this is not fixed in Debian Jessie. But BOOM there it is job done. That is shocking if you compare to how long it took to fix the old "Code Red" problem.
  • Beau Schwabe Posts: 6,566
    edited 2014-09-26 12:13
  • Tor Posts: 2,010
    edited 2014-09-26 23:06
    Heater,
    The Apache link is that if you call _any_ URL which runs any kind of cgi script, then Apache executes bash to provide environment variables. And that's where it is easy (before the patch) to get it to run any executable. Amazing really. I tried that when I secured a couple of web servers back home (the good thing about being a backup admin in a time zone 7 hours ahead is that I can jump in when the company is still asleep). A curl one-liner.
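
Added example (not part of any post in this thread): the last post describes request data reaching bash through CGI environment variables, so the `() {` prefix from the test command quoted earlier is the string to look for in web server logs. The sketch assumes Apache's "combined" log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag access-log lines whose request line, Referer or
# User-Agent carries a bash function-definition prefix ("() {").

scan_shellshock_log() {
    # Reads combined-format log lines from the files given as arguments
    # (or stdin) and prints "<client-ip> <field>" for each suspicious line.
    awk -F'"' '
        # Literal "() {" written with bracket expressions for portability.
        function hit(s) { return s ~ /[(][)] [{]/ }
        {
            split($1, head, " ")      # head[1] is the client address
            field = ""
            if (hit($2)) field = "request"
            else if (hit($4)) field = "referer"
            else if (hit($6)) field = "user-agent"
            else if (hit($0)) field = "unknown"   # escaped quotes broke the split
            if (field != "") print head[1], field
        }' "$@"
}

sample_log() {
    # Constructed sample lines using documentation addresses (RFC 5737).
    # The header values reuse the harmless test string from the thread.
    cat <<'EOF'
192.0.2.10 - - [26/Sep/2014:07:45:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Sep/2014:07:46:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 31 "-" "() { :;}; echo vulnerable"
203.0.113.5 - - [26/Sep/2014:07:47:30 +0000] "GET /cgi-bin/status HTTP/1.1" 200 31 "() { :;}; echo vulnerable" "curl/7.38.0"
192.0.2.10 - - [26/Sep/2014:07:48:02 +0000] "GET /app.js?cb=fn(){} HTTP/1.1" 200 90 "-" "Mozilla/5.0"
EOF
}

# Stand-alone run over the constructed sample.
sample_log | scan_shellshock_log
```

Only the request line, Referer and User-Agent appear in a combined-format log, so a probe carried in any other header will not show up here.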