Bash bug: Shellshocked yet? You will be ... when this goes WORM

Much carnage to come, warn experts

Much of the impact of the Shellshock vulnerability is unknown and will surface in the coming months as researchers, admins and attackers (natch) find new avenues of exploitation.

The vulnerability, called Shellshock by researcher Robert Graham, existed in the Bash command interpreter up to version 4.3 and affected scores of servers, home computers and embedded devices.

While Australian consultants and security firms were examining the impact of the flaw to advise their clients, the existence of the flaw came as no surprise for some.

"To be honest it came as a complete lack of surprise to me," director and veteran Unix-hand Neal Wise said. "The use of shells for CGI was discouraged since the mid 90s."

"There will be a period of discovery where we find that this thing or that thing that we rely on in our code is vulnerable.

"So if you didn't build [a given platform] yourself, you need to get your vendor to confirm that they aren't affected."

The two-decade old bug existed in the handling of environment variables in Bash caused by the execution of trailing code in a function definition when a function is assigned to a variable.

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.


Securus Global director Drazen Drazic said the bg opened interesting exploitation avenues.

"I think this bug opens up a variety of interesting niche exploitation scenarios, depending on what an attacker is trying to get into," Drazen said, noting that there were "a lot worse things out there with a lot lower barriers to exploitation".

He said admins should consult patches already released from vendors.

The number of affected systems that a given enterprise could be running was largely unknown at present, and Wise said administrators should ask their vendors to investigate the impact and address any exposures.

Researcher Robert Graham has so far dug up 3,000 vulnerable systems by scanning port 80 on the root URL, and said the bug was "clearly wormable".

His figures should increase quickly since that only one in 50 web servers respond correctly without the proper Host field.

"Scanning with the correct domain names would lead to a lot more results -- about 50 times more," Graham writes.

Graham adds: "Secondly, it's things like CGI scripts that are vulnerable, deep within a website (like CPanel's /cgi-sys/defaultwebpage.cgi). Getting just the root page is the thing least likely to be vulnerable. Spidering the site, and testing well-known CGI scripts (like the CPanel one) would give a lot more results, at least 10x [more]."

He also writes that embedded web servers on odd ports "are the real danger" as well other services like the DHCP service reported in the initial advisory.

"Consequently, even though my light scan found only 3000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems," Graham said.

"One key question is whether Mac OS X and iPhone DHCP service is vulnerable – once the worm gets behind a firewall and runs a hostile DHCP server, that would 'game over' for large networks."

He agrees Shellshock was more severe than the OpenSSL HeartBleed vulnerability reported in April and warned that while primary servers were likely not vulnerable, "everything else probably is".

"Scan your network for things like Telnet, FTP, and old versions of Apache (masscan is extremely useful for this). Anything that responds is probably an old device needing a bash patch. And, since most of them can't be patched, you are likely screwed." ®

Similar topics

Other stories you might like

  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022