
Shellshock, the Beginning

September 25, 2014 by Ixia Blog Team

Yesterday the computer industry around the globe was shaken up by the release of a new vulnerability in one of the most widely used utilities in the Linux world, the Bash shell. The vulnerability affects all versions of Bash and allows remote command execution given a specific context.

The vulnerability is due to a bug that allows characters inside an environment variable to be parsed and executed if they follow the definition of a function. Testing whether your version of Bash is vulnerable is as easy as running the following one-liner:

env x='() { :;}; echo this_bash_is_vulnerable' bash -c ""

If the output of the command is the supplied string “this_bash_is_vulnerable”, your version of Bash is vulnerable to this type of attack. However, this does not automatically mean that your server is vulnerable to attacks from outside.

Given that the vulnerability affects the Bash environment, it may seem hard to exploit remotely; however, a wide range of services handle user-supplied input and place its content inside environment variables.

One frequently cited example, although not the only one, is the mod_cgi module in Apache, on the condition that the CGI scripts which produce the dynamic content are written in Bash.

Most proofs of concept attack the vulnerability through the “User-Agent” HTTP request header; however, this is not the only attack vector that can be used. Individual testing showed that the following HTTP headers can also be used successfully: User-Agent, Accept, Accept-Language, Cache-Control, and Connection.

In addition, exploits could in theory arrive in any user-supplied header or other request data for which an environment variable is created with its content. A complete list of the variables follows (the values are those of the testing environment):

HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 6.1; WOW64)
SERVER_PORT=80
HTTP_HOST=192.168.117.129
DOCUMENT_ROOT=/var/www
SCRIPT_FILENAME=/usr/lib/cgi-bin/poc.cgi
REQUEST_URI=/cgi-bin/poc.cgi
SCRIPT_NAME=/cgi-bin/poc.cgi
HTTP_CONNECTION=keep-alive
REMOTE_PORT=19621
PATH=/usr/local/bin:/usr/bin:/bin
PWD=/usr/lib/cgi-bin
SERVER_ADMIN=webmaster@localhost
HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.8,ro;q=0.6
HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;
REMOTE_ADDR=192.168.117.1
SHLVL=1
SERVER_NAME=192.168.117.129
SERVER_SOFTWARE=Apache/2.2.14 (Ubuntu)
QUERY_STRING=
SERVER_ADDR=192.168.117.129
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
HTTP_ACCEPT_ENCODING=gzip,deflate,sdch
HTTP_CACHE_CONTROL=max-age=0
REQUEST_METHOD=GET

Although modifying the request to reach some of these attack vectors might render the request unusable, QUERY_STRING and SERVER_PROTOCOL stand out as particularly interesting.
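As an added illustration of how request data reaches Bash through the CGI environment, and of how a defender can spot the function-definition marker from the test one-liner inside that data, the following Python script (written for this post; it is not Ixia's, Apache's or Bash's code) maps raw HTTP requests onto the CGI variable names listed above and flags any variable whose value starts with `() {`. The request parser is a simplified, hypothetical model of a CGI server that produces only the request-derived variables, the sample requests are constructed, and the payload used is the harmless echo from the test one-liner.

```python
import re
from typing import Dict, List
from urllib.parse import quote, unquote

# Pre-patch Bash parses any environment value that begins with a function
# definition, "() {", as code; this is the marker the test one-liner relies on.
FUNCTION_DEF = re.compile(r"^\s*\(\)\s*\{")

# CGI/1.1 exposes each request header "Foo-Bar: v" as HTTP_FOO_BAR=v, which is
# the naming visible in the variable list above. Two headers get their own
# names without the HTTP_ prefix.
SPECIAL_HEADER_VARS = {"content-type": "CONTENT_TYPE",
                       "content-length": "CONTENT_LENGTH"}


def header_to_env_name(header: str) -> str:
    """Map an HTTP header name to the CGI environment variable that carries it."""
    key = header.strip().lower()
    if key in SPECIAL_HEADER_VARS:
        return SPECIAL_HEADER_VARS[key]
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", key.upper())


def cgi_environment(raw_request: str) -> Dict[str, str]:
    """Approximate the CGI environment a server builds for one raw HTTP request.

    Hypothetical simplified model, not Apache's own logic: only the
    request-derived variables are produced, not server constants such as
    SERVER_SOFTWARE or DOCUMENT_ROOT.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, rest = lines[0].split(" ", 1)
    target, protocol = rest.rsplit(" ", 1)
    path, _, query = target.partition("?")
    env = {
        "REQUEST_METHOD": method,
        "REQUEST_URI": target,
        "SCRIPT_NAME": path,
        "QUERY_STRING": query,
        "SERVER_PROTOCOL": protocol,
        "GATEWAY_INTERFACE": "CGI/1.1",
    }
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        env[header_to_env_name(name)] = value.strip()
    return env


def find_shellshock_markers(env: Dict[str, str]) -> List[str]:
    """Names of variables whose value starts with a Bash function definition.

    Values are also checked after percent-decoding so an encoded query string
    is not missed; over-reporting is acceptable for a detector.
    """
    return sorted(name for name, value in env.items()
                  if FUNCTION_DEF.search(value) or FUNCTION_DEF.search(unquote(value)))


def scan_requests(requests: Dict[str, str]) -> Dict[str, List[str]]:
    """Report, per labelled raw request, which CGI variables would carry a marker."""
    return {label: find_shellshock_markers(cgi_environment(raw))
            for label, raw in requests.items()}


# Constructed sample requests. Header values mirror the variable list above;
# the marker payload is the harmless echo used by the test one-liner.
MARKER = "() { :;}; echo this_bash_is_vulnerable"
SAMPLE_REQUESTS = {
    "benign": "\r\n".join([
        "GET /cgi-bin/poc.cgi HTTP/1.1",
        "Host: 192.168.117.129",
        "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)",
        "Accept-Language: en-US,en;q=0.8,ro;q=0.6",
        "Connection: keep-alive",
        "", "",
    ]),
    "marker_in_headers": "\r\n".join([
        "GET /cgi-bin/poc.cgi HTTP/1.1",
        "Host: 192.168.117.129",
        "User-Agent: " + MARKER,
        "Accept-Language: " + MARKER,
        "", "",
    ]),
    "marker_in_query": "\r\n".join([
        "GET /cgi-bin/poc.cgi?" + quote(MARKER, safe="") + " HTTP/1.1",
        "Host: 192.168.117.129",
        "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)",
        "", "",
    ]),
}

if __name__ == "__main__":
    for label, hits in scan_requests(SAMPLE_REQUESTS).items():
        print(f"{label}: {'clean' if not hits else 'flagged in ' + ', '.join(hits)}")
```

The same logic can be run over captured requests from a web server or proxy log; the point of the `header_to_env_name` mapping is that the detector reports the variable name a Bash CGI script would actually see, which makes it easy to cross-check against the list above.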

A particularity of the attack worth noting is that the actions that can be taken through the Apache variant of the exploit are limited by the rights of the user account under which the Apache service runs.

To defend against this vulnerability, a number of vendors have already supplied patches or workarounds for their products. We recommend that you check your vendor’s website and update your version of Bash as soon as possible.

Ixia’s ATI team has released a strike for testing the Apache-based variant of this attack; it is available on demand through our customer portal and will also be included in the next ATI release.

The ATI team will continue to monitor other attack vectors that might be available against publicly exposed services and will implement them in Ixia’s security products as they become available, to offer the best level of protection to our customers.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) program provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.
