ShellShock Basics - Updated Oct 1st
As the mainstream media attempts to make sense of all the hype surrounding the latest security vulnerability, IT support staff are left to try to make sense of it all and determine what if anything needs to be done.
Background: Bash (aka Bourne-again Shell) is used as an interactive shell on most Unix-like operating systems. It comes by default on many popular distributions such as Ubuntu, OSX, and other Linux platforms.
The bug: One feature of the shell is to allow a user to set environment variables, unfortunately the bash shell does a poor job of interpreting these values and if the right sequence of characters is used, extra commands can be executed.
- Apparently introduced in the 1980's
- Initial NVD CVE - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
- Followup NVD CVE (incomplete patch) - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
- Mubix (Rob Fuller) has a repo of all the available PoC's - https://github.com/mubix/shellshocker-pocs
- OpenVPN vulnerable in certain configurations
- Metasploit modules available - https://github.com/rapid7/metasploit-framework/commit/38c8d9213162e95fdcdafd793514acd4010afa24
- Generic Python Reverse Shell Tool - http://pastebin.com/166f8Rjx
- Linux ELF malware exploits in the wild - http://blog.malwaremustdie.org/2014/09/linux-elf-bash-0day-fun-has-only-just.html
- cPanel CGI Scripts - http://blog.sucuri.net/2014/09/bash-vulnerability-shell-shock-thousands-of-cpanel-sites-are-high-risk.html
- CERT List of Vendors Affected - http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=252743&SearchOrder=4
- Nmap tests
- Masscan tests
- Apple released a patch for OSX - software update
- The first patch was apparently incomplete (but did block remote code execution
- Cisco confirming ASA and other products affected - http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
- Word of Oracle Solaris affected - https://community.oracle.com/thread/3612825
- Rumours of Apple's position - http://www.imore.com/apple-working-quickly-protect-os-x-against-shellshock-exploit
- Updated Snort IDS rules - http://emergingthreats.net/products/etpro-ruleset/daily-ruleset-update-summary/
- Bro IDS updates - https://github.com/broala/bro-shellshock