Topic: Warning for SysAdmins: "Shellshock" vulnerability in Linux, Bash & Unix systems


Samker



Sysadmins and users have been urged to patch the severe Shellshock vulnerability in Bash on Linux and Unix systems – as hackers ruthlessly exploit the flaw to compromise or crash computers.

But as "millions" of servers, PCs and devices lay vulnerable or are being updated, it's emerged the fix is incomplete.
 
The flaw affects the GNU Bourne Again Shell – better known as Bash – which is a widely installed command interpreter used by many Linux and Unix operating systems – including Apple's OS X: http://seclists.org/oss-sec/2014/q3/649

It allows miscreants to remotely execute arbitrary code on systems ranging from web servers, routers, servers and Macs to various embedded devices that use Bash, and anything else that uses the flawed open-source shell.

An attacker needs to inject his or her payload of code into the environment variables of a running process – and this is surprisingly easy to do, via Apache CGI scripts, DHCP options, OpenSSH and so on. When that process or its children invoke Bash, the code is picked up and executed.

The Bash flaw – designated CVE-2014-6271 – is being exploited in the wild against web servers, which are the most obvious targets but not by any means the only machines at risk.

Patches released on Wednesday by Linux vendors: https://access.redhat.com/articles/1200223 , the upstream maintainer of Bash: http://www.gnu.org/software/bash/ , and others for OS X: http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7 , blocked these early attacks, but it's understood they do not completely protect Bash from code injection via environment variables.

New packages of Bash were rolled out on the same day, but further investigation made it clear that the patched version is still exploitable: https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c27 , and at the very least can be crashed due to a null-pointer exception. The incomplete fix is being tracked as CVE-2014-7169: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

Red Hat, at time of writing, is urging people to upgrade to the version of Bash that fixes the first reported security hole, and not wait for the patch that fixes the secondary lingering vulnerability – designated CVE-2014-7169.

"CVE-2014-7169 is a less severe issue and patches for it are being worked on," the Linux maker said: https://access.redhat.com/articles/1200223

Meanwhile, although Ubuntu and other Debian-based distros have moved to using the non-vulnerable Dash over Bash, the latter may well be present or in use by user accounts. Above all, check what shell interpreters are installed, who is using them, and patch CVE-2014-6271 immediately.

The above code can be used to drop files onto patched systems and execute them, as explained here: https://news.ycombinator.com/item?id=8365100
Completely unpatched servers and computers can be exploited to open reverse command shells – a backdoor: http://pastebin.com/raw.php?i=166f8Rjx , basically – or reboot them (or worse) if they connect to a malicious DHCP server: http://pastebin.com/raw.php?i=S1WVzTv9

The main CVE-2014-6271 flaw was discovered by Stephane Chazelas of Akamai before it was responsibly disclosed: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
A Metasploit module leveraging the bug is already available. A blog post by Metasploit developers Rapid7 explains the grim state of play: https://community.rapid7.com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271

(PCW)

Samker's Computer Forum - SCforum.info
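
The advice above to check which shell interpreters are installed and who is using them can be scripted as a read-only inventory. This is an added example, not part of the original post or the quoted article; the function names and the sample files it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only inventory of installed shells and Bash login accounts.

# list_shells FILE: interpreters registered in an /etc/shells-style file,
# with comments and blank lines removed.
list_shells() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# bash_users FILE: "user shell" for each passwd-style entry whose login shell
# (field 7) is bash or rbash, wherever it is installed.
bash_users() {
    awk -F: '$7 ~ /(^|\/)r?bash$/ { print $1, $7 }' "$1"
}

# resolves_to_bash PATH: succeeds when PATH (for example /bin/sh) is Bash itself
# or a symlink chain ending in a file named bash.
resolves_to_bash() {
    target=$(readlink -f "$1" 2>/dev/null) || return 1
    [ "$(basename "$target")" = "bash" ]
}

# make_sample DIR: write constructed sample files (not taken from any real host).
make_sample() {
    mkdir -p "$1/bin"
    printf '%s\n' '# /etc/shells (constructed)' '/bin/sh' '/bin/dash' \
        '/bin/bash   # GNU Bash' '' '/bin/rbash' > "$1/shells"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'www-data:x:33:33::/var/www:/usr/sbin/nologin' \
        'alice:x:1000:1000::/home/alice:/bin/dash' \
        'deploy:x:1001:1001::/home/deploy:/usr/local/bin/bash' \
        'kiosk:x:1002:1002::/home/kiosk:/bin/rbash' > "$1/passwd"
    : > "$1/bin/bash"
    ln -sf bash "$1/bin/sh"      # models a system where sh is Bash
}

# Demo over the constructed data; on a real host pass /etc/shells, /etc/passwd
# and /bin/sh instead.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "Installed shells:";    list_shells "$demo_dir/shells"
echo "Bash login accounts:"; bash_users "$demo_dir/passwd"
if resolves_to_bash "$demo_dir/bin/sh"; then echo "sh resolves to bash"; fi
rm -rf "$demo_dir"
```

Accounts with a non-Bash login shell can still reach Bash through scripts or services that invoke it, so the inventory narrows the review but does not replace patching.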


 
