Shellshock: a bug bigger than Heartbleed?

Recently, the Red Hat team found a critical, remotely exploitable vulnerability in Bash (the GNU Bourne Again Shell) that allows a remote attacker to inject arbitrary commands.

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.”


The vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2014-6271, and due to an incomplete fix, CVE-2014-7169 has also been assigned. Later, Red Hat Product Security researcher Florian Weimer found additional problems and they were assigned CVE-2014-7186 and CVE-2014-7187.

Note: where Heartbleed allowed remote access to a small amount of data in the memory of affected machines, Shellshock enables pre-authentication remote injection of arbitrary commands, which is potentially far more dire!


How to check if your system is vulnerable?

Exploit 1 (CVE-2014-6271) – Run the following command in a shell:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see “vulnerable” your system is vulnerable, otherwise, you should be good to go.


Exploit 2 (CVE-2014-7169) – Run the following command in a shell:

env X='() { (shellshocker.net)=>\' bash -c "echo date"; cat echo ; rm -f echo

If the above command outputs the current date (it may also show errors), you are still vulnerable.


Remember: the vulnerability arises from the fact that you can create environment variables with specially crafted values before calling the Bash shell. A value that begins with `() {` is imported as a function definition, and any commands that follow the function body are executed as soon as the shell is invoked. The name of the crafted variable does not matter, only its contents. As a result, the vulnerability is exposed in many contexts, for example CGI scripts, DHCP clients, CUPS, mail, and so on.


EXAMPLE #1: cgi script in your web server

Suppose that your Apache web server contains the script “ciscozine.cgi” at: http://192.168.1.100/cgi-bin/ciscozine.cgi

To exploit it, it is sufficient to send an HTTP request with a custom header to this page (the web server passes every request header to the CGI script as an environment variable). For instance, if you want the web server to execute a ping command, set one of the HTTP request headers to:

http-header = Cookie:() { :; }; ping -c 5 1.1.1.1
http-header = Host:() { :; }; ping -c 3 1.1.1.1
http-header = Referer:() { :; }; ping -c 3 1.1.1.1

There are several ways to modify the HTTP headers: try curl, wget or a browser plugin.


EXAMPLE #2: DHCP server in your network

An attacker could use a rogue DHCP server in your network to exploit clients! Two conditions must hold:

  • The clients request an IP address from the rogue DHCP server
  • The clients run a vulnerable Bash version (the DHCP client hook scripts export the received options as environment variables)

To exploit the client, the DHCP server must have option 114 set to, for example, this string:

() { :; }; ping -c 3 1.1.1.1
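As an added example (not part of the original post, and not Cisco's or the Bash maintainers' code), the following Python detector covers both delivery vectors described above: it inspects the HTTP request headers that a CGI script would see, and it walks the DHCP options TLV area looking for option values that begin with the `() {` function-definition marker. The request, the header names and the DHCP option bytes are constructed samples; the payload strings are the ones shown in the post. This is the kind of check an IPS signature or a log-monitoring script applies to traffic; it does not test whether Bash itself is vulnerable.

```python
"""Detect Shellshock-style payloads in HTTP request headers and DHCP options.

Editor-added example; all sample data below is constructed.
"""

import re
from typing import List, Tuple

# Unpatched Bash (<= 4.3) imports a function from any environment variable whose
# value starts with exactly "() {".  The detector is slightly more permissive
# about whitespace so that trivial spacing variants ("(){") are still flagged.
SHELLSHOCK_MARKER = re.compile(r"^\s*\(\)\s*\{")


def looks_like_shellshock(value: str) -> bool:
    """True if a header/option value carries the function-definition marker."""
    return SHELLSHOCK_MARKER.search(value) is not None


def scan_http_headers(raw_request: str) -> List[Tuple[str, str]]:
    """Return (header-name, value) pairs whose value looks like a payload.

    Apache's mod_cgi turns every request header into an HTTP_* environment
    variable, so every header is inspected, not only Cookie/Host/Referer."""
    flagged = []
    lines = raw_request.split("\r\n")
    # lines[0] is the request line; headers run until the first empty line.
    for line in lines[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line, ignore
        value = value.strip()
        if looks_like_shellshock(value):
            flagged.append((name.strip(), value))
    return flagged


def scan_dhcp_options(options: bytes) -> List[Tuple[int, bytes]]:
    """Walk the DHCP options TLV area and return (code, value) pairs whose
    value looks like a payload.  Option 114 is the one named in the post, but
    a client hook script may export other string options too, so every option
    is checked.  Truncated input is handled by stopping at the damaged field."""
    flagged = []
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:          # PAD: single byte, no length field
            i += 1
            continue
        if code == 255:        # END
            break
        if i + 1 >= len(options):
            break              # truncated: no length byte
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) < length:
            break              # truncated value
        if looks_like_shellshock(value.decode("latin-1")):
            flagged.append((code, value))
        i += 2 + length
    return flagged


# Constructed sample request against the CGI path from the post; the Cookie
# header carries the payload shown there, the other headers are benign.
SAMPLE_REQUEST = (
    "GET /cgi-bin/ciscozine.cgi HTTP/1.1\r\n"
    "Host: 192.168.1.100\r\n"
    "User-Agent: curl/7.38.0\r\n"
    "Cookie: () { :; }; ping -c 5 1.1.1.1\r\n"
    "\r\n"
)

# Constructed DHCP options area: message type (53) = DHCPACK, option 114
# carrying the string from the post, then END.
_PAYLOAD_114 = b"() { :; }; ping -c 3 1.1.1.1"
SAMPLE_DHCP_OPTIONS = (
    bytes([53, 1, 5])
    + bytes([114, len(_PAYLOAD_114)]) + _PAYLOAD_114
    + bytes([255])
)

if __name__ == "__main__":
    for name, value in scan_http_headers(SAMPLE_REQUEST):
        print(f"HTTP header {name!r} carries a Shellshock payload: {value!r}")
    for code, value in scan_dhcp_options(SAMPLE_DHCP_OPTIONS):
        print(f"DHCP option {code} carries a Shellshock payload: {value!r}")
```

Both scanners look for the marker only at the start of a value, because that is the only position where Bash treats it as a function definition; a value that merely contains `() {` somewhere in the middle is not imported and is therefore not flagged.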


So Linux, Unix, Apple and Android devices are vulnerable... and what about Cisco?

Cisco has several devices affected by the bug! The vulnerable products are:

Network Application, Service, and Acceleration

  • Cisco ASA CX [CSCur01959]
  • Cisco Application Control Engine (ACE30/ ACE 4710) [CSCur02195]
  • Cisco Wide Area Application Services (WAAS) [CSCur02917]

Network and Content Security Devices

  • Cisco Identity Services Engine (ISE) [CSCur00532]
  • Cisco Intrusion Prevention System Solutions (IPS) [CSCur00552]
  • Cisco Secure Access Control Server (ACS) [CSCur00511]

Network Management and Provisioning

  • Cisco Unified Intelligence Center (UIC) [CSCur02891]

Routing and Switching – Enterprise and Service Provider

  • Cisco Application Policy Infrastructure Controller [CSCur01249]
  • Cisco IOS-XE [CSCur03368]
  • Cisco MDS [CSCur01099]
  • Cisco Nexus 1000V [CSCur04438]
  • Cisco Nexus 3000 [CSCur04934]
  • Cisco Nexus 4000 [CSCur05610]
  • Cisco Nexus 5000 [CSCur05017]
  • Cisco Nexus 7000 [CSCuq98748]
  • Cisco Nexus 9000 [CSCur02700]

Unified Computing

  • Cisco UCS [CSCur01379]

Voice and Unified Communications Devices

  • Cisco Unified Communications Manager Session Management Edition (SME) [CSCur00930]

Video, Streaming, TelePresence, and Transcoding Devices

  • Cisco Edge 300 Digital Media Player [CSCur02761]
  • Cisco Edge 340 Digital Media Player [CSCur02751]
  • Cisco Insight reporter [CSCur04977]
  • Cisco TelePresence Conductor [CSCur02103]
  • Cisco TelePresence IP Gateway Series [CSCur04984]
  • Cisco TelePresence IP VCR Series [CSCur04993]
  • Cisco TelePresence ISDN GW 3241 [CSCur05010]
  • Cisco TelePresence ISDN GW MSE 8321 [CSCur05010]
  • Cisco TelePresence ISDN Link [CSCur05025]
  • Cisco TelePresence Video Communication Server (VCS/Expressway) [CSCur01461]
  • Cisco TelePresence endpoints (C series, EX series, MX series, MXG2 series, SX series) and the 10″ touch panel [CSCur02591]
  • Tandberg Codian ISDN GW 3210/3220/3240 [CSCur05010]
  • Tandberg Codian MSE 8320 model [CSCur05010]

At the time of writing, there are no mitigations for these vulnerabilities that can be applied directly on the affected Cisco devices. For that reason, the best way to protect against this type of attack is an IPS that inspects traffic for the `() {` marker in HTTP headers and DHCP options.
