ShellShock and Its Millions of Variants

October 3, 2014 by Ixia Blog Team

Amritam Putatunda

The significant aspect of this vulnerability is that it uses header protocols and UNIX bash commands to access a network machine. Tthere are several protocol header values that are generally used by applications/websites, and there are also serveral bash commands that – on execution – can seriously compromise a website. Hence the total permutation and combinations of protocol headers and bash executable commands, and thus means for attack, is vast. This gives the hackers a much larger playing field to work with, and can potentially result in them exposing many vulnerable websites. This can also lead to discovering other vulnerabilities related to the shellshock family.The last week cyber-world was hit by another “shocking” vulnerability. Fashionably called as “shellshock,” experts belive that this vulnerability could be biggger than “Heartbleed.”

To validate there networks and websites are protected, users can use the powerful dictionary feature of Ixia's BreakingPoint security solution to test millions of such permutation and combinations against either a particular website or a network infrastrucutre as a whole.

As shown in the picture below, we can create HTTP headers – using the dictionary fields in BreakingPoint – that take their inputs from two different files, with one listing the different protocol headers and the other having a list of common bash commands. During the test run, BreakingPoint will randomly select one component from each of these dictionaries to create thousands of headers that can effect a vulnerable website. All this in a matter of few seconds.

Fig.1 : Using the dict_flow variable to construct crafted HTTP headers from values taken from two unique lists.

This will result in HTTP headers like these: