Bash (the Bourne Again Shell) is a command processor, typically run in a text window, similar to the command prompt on Microsoft Windows systems, which allows the user to type commands that cause actions.
On the 24th of September 2014, a remote code execution vulnerability in bash (CVE-2014-6271) was made public after its discovery by Stephane Chazelas. The flaw, dubbed “Shell Shock”, has been given the highest CVSS impact and exploitability rating of 10. It affects all versions of bash between 1.14.0 and 4.3, having existed in bash for 22 years. The flaw affects any operating system and application that utilises the bash shell, including Linux, Mac OS X, and Cygwin environments on Windows.
The vulnerability allows an attacker who can pass commands to bash to execute arbitrary code. As bash is a common command shell used to process user input from other programs, this vulnerability affects many applications that call other applications via a shell.
The vulnerability arises from the ability to pass arbitrary environment variables with crafted values to bash before calling the shell. These variables can contain code which gets executed as soon as the shell is called. Arbitrary code can be executed remotely, and without authentication. This would allow an attacker to gain access to affected systems with the privileges of the user running the bash shell, potentially gaining a remote shell and pivoting onto internal networks through common privilege escalation techniques.
Given the number of potentially affected services, it is expected that this vulnerability would be “worm-able”, allowing an attacker to take over a large number of devices over the Internet, and onto internal systems.
As the name of the crafted variables can be arbitrary, the vulnerability is exposed in many contexts where user input is provided to a bash shell.
This includes, but is not limited to:
* Restricted OpenSSH Subshells. The “ForceCommand” option used in sshd configurations provides a limited command execution environment for remote users. This flaw can be used to bypass restricted environments in systems such as Git and Subversion deployments and SFTP servers. Regular OpenSSH access is not affected as users already have shell access.
* Apache HTTPd servers using CGI scripts which are either written in bash, or spawn bash subshells. Such subshells are used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP-cgi, and open/system in perl-cgi. This includes many home routers which call out to bash shells when performing diagnostic tests with ping and traceroute. As many environment variables are under the control of the attacker, such as the HTTP Referer and User-Agent variables, vulnerable CGI scripts can be attacked quite easily.
* DHCP clients and servers which invoke shell scripts with values taken from the client or server.
* Various daemons and privileged programs which execute shell scripts with environment variables set by the user.
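One way to look for attempts against the CGI case above in web server logs, as an added example that is not part of the original advisory. It assumes Apache's "combined" log format and relies on the fact that affected bash versions import an environment value beginning with `() {` as a function definition; the function names, addresses and log lines are constructed for illustration.

```python
import re

# Apache "combined" line:
#   host ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'  # quoted field, allowing backslash escapes
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ '
    + QUOTED + ' ' + QUOTED + r'$'
)

# Affected bash versions treat an environment value that starts with "() {"
# as a function definition. The whitespace match is deliberately a little
# looser than bash's own check, so near-miss probes are reported as well.
FUNC_PREFIX = re.compile(r'^\(\)\s*\{')

# Constructed sample log (documentation address ranges, placeholder payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 87 "-" "() { :; }; CONSTRUCTED-PLACEHOLDER"',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/ping.cgi HTTP/1.1" '
    '500 0 "() { :; }; CONSTRUCTED-PLACEHOLDER" "curl/7.35.0"',
    # "() {" appears, but not at the start of the value: not a function import.
    '203.0.113.4 - - [25/Sep/2014:10:02:00 +0000] "GET /docs HTTP/1.1" '
    '200 99 "http://example.org/a()" "Mozilla/5.0 (compatible; () { mid-string)"',
]

def find_suspect_requests(lines):
    """Return one record per line whose Referer or User-Agent starts with '() {'."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line.rstrip("\n"))
        if not m:
            continue  # not in combined format; skip rather than guess
        ip, request, referer, agent = m.groups()
        fields = [name for name, value in (("referer", referer), ("agent", agent))
                  if FUNC_PREFIX.match(value)]
        if fields:
            hits.append({"line": lineno, "ip": ip,
                         "request": request, "fields": fields})
    return hits

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

A hit records an attempt, not a successful compromise, and the combined format logs only the Referer and User-Agent headers, so values carried in other request headers will not appear in these logs.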
Updates for affected systems are currently being prepared by vendors. We suggest updating the bash program on affected systems as soon as vendor updates are available.
Shell Shock vulnerability discovery using AppCheck:
The AppCheck Web Application and Infrastructure vulnerability scanner has already been updated with a plugin to detect the flaw. Infrastructure and Web Applications will also be scanned for all other classes of vulnerability including missing patches, SQL Injection, and Cross Site Scripting.
Call us on 0113 887 8380 to set up a free AppCheck scan or to discuss your network security requirements.
Email us at firstname.lastname@example.org.