Tech Solvency / The Story So Far / Shellshock (CVE-2014-6271, CVE-2014-7169)


Summaries

Excellent deep-dive technical analysis and timeline by David Wheeler: http://www.dwheeler.com/essays/shellshock.html
Troy Hunt: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
RedHat: https://access.redhat.com/articles/1200223
SANS: https://isc.sans.edu/diary/Shellshock%3A+Vulnerable+Systems+you+may+have+missed+and+how+to+move+forward/18721


Vulnerabilities

The shellshock/badbash early zero-day exploiting CVE-2014-6271:

https://twitter.com/yinettesys/status/515012126268604416
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505
https://gist.github.com/anonymous/929d622f3b36b00c0be1
https://www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/1411634118/

Packet Storm vuln summaries by CVE (lists major distro impacts, etc.):

Original news about initial fix being incomplete:
https://twitter.com/taviso/statuses/514887394294652929
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
http://www.openwall.com/lists/oss-security/2014/09/24/32 [and responses]

2014-10-13: Reverse DNS lookups as an exploitation vector http://packetstormsecurity.com/files/128650/dnsbash-exec.txt

Analysis

Rapid7
https://community.rapid7.com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271

Michal Zalewski (Google):
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
2014-10-01: http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html

2014-09-30: Good CloudFlare blog item http://blog.cloudflare.com/inside-shellshock/

2014-10-02: OpenDNS analysis of scanning activity http://labs.opendns.com/2014/10/02/opendns-and-bash/

Remediation

Patch for the incomplete initial fix:
http://www.openwall.com/lists/oss-security/2014/09/25/10

2014-09-29: Binary patching.

Solar Designer posts binary patch method: http://www.openwall.com/lists/oss-security/2014/09/29/1
Python method from Antti Louko: http://alo.fi/bash/Patch-bash.py

See product-specific section for per-vendor remediation.

Products

Some busybox builds may be affected:

https://twitter.com/dakami/status/514972098368794625

2014-09-27: Exploitation vectors analysis (some inetd, exim, qmail, procmail, openvpn):
https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html

mod_perl, mod_php, mod_python OK, but mod_cgi (and therefore cPanel) vulnerable: http://blog.sucuri.net/2014/09/bash-vulnerability-shell-shock-thousands-of-cpanel-sites-are-high-risk.html

2014-09-26: F5 BIG-IP vulnerable: https://twitter.com/kennwhite/status/515533087082422272

2014-10-12: Juniper: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648&cat=SIRT_1&actp=LIST

2014-09-30: OpenVPN vulnerable in some configs. https://news.ycombinator.com/item?id=8385332

2014-10-02: QNAP NAS vulnerable. http://www.fireeye.com/blog/technical/2014/10/the-shellshock-aftershock-for-nas-administrators.html

2014-10-02: McAfee Web Gateway and McAfee Email Gateway shellshock fixes announced here: https://community.mcafee.com/docs/DOC-6532?elq=641521a732bd4c53aabc553a1a7fe4d7&elqCampaignId=971

2014-10-02: Request Tracker (RT 4.2.x) vulnerable http://blog.bestpractical.com/2014/10/security-vulnerability-in-rt-42x-cve-2014-7227.html

2014-10-03: Citrix NetScaler not directly vulnerable, but it includes bash; VPX patch for DHCP issue forthcoming. http://support.citrix.com/article/CTX200217

2014-10-07: Oracle updates its patches: http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html

Detection and testers

2014-10-03: Really good local checker for all known variants. https://github.com/hannob/bashcheck/blob/master/bashcheck

My own simple wget script to walk an entire site for shellshock. Not as fast as masscan, but more configurable.

Rules for original vuln:
Snort: https://www.snort.org/advisories/vrt-rules-2014-09-24
Bro: https://github.com/CriticalStack/bro-scripts

2014-09-30: Detection in Bro, including Qmail MAIL FROM attack vector. https://github.com/broala/bro-shellshock

shellshock.info tester (not complete; should spider entire site):
http://check.shellshock.info/

2014-09-29: Shellshocker tester https://shellshocker.net/

2014-09-26: SIP scanner: https://github.com/zaf/sipshock

2014-09-26: Tripwire detector: https://github.com/Tripwire/bashbug-shellshock-test/blob/master/README.md

Robert Graham's masscan of just the default page by IP (so a lower bound) is here, but it actually aborted and he'll be re-running it:
http://blog.erratasec.com/

Landscape of obvious targets:
https://www.google.com/search?q=filetype%3Ash+inurl%3Acgi-bin

Exploitation

Metasploit module for original vuln:
https://github.com/rapid7/metasploit-framework/commit/ff5398bf3f46c057666f7a3d0afaf4c0d6912575

Exploit possibilities walkthrough, including fetching results:
https://www.invisiblethreat.ca/2014/09/cve-2014-6271/

Malicious DHCP server:
http://pastebin.com/S1WVzTv9

2014-10-06: Unconfirmed report that Yahoo and WinZip.com compromised. http://mailman.nanog.org/pipermail/nanog/2014-October/070228.html

2014-10-06: Postfix/procmail exploit http://packetstormsecurity.com/files/128572/postfixsmtp-shellshock.txt

Funniest one-liner so far:
https://twitter.com/koizuka/status/515098006895349760
Akihiko Koizuka @koizuka
() { :;}; /usr/bin/eject

2014-09-29: New non-shellshock vulns: http://www.openwall.com/lists/oss-security/2014/09/25/32