{"id":1282,"date":"2014-09-29T19:55:54","date_gmt":"2014-09-30T01:55:54","guid":{"rendered":"http:\/\/blog.supportpro.com\/?p=1282"},"modified":"2019-10-30T04:25:41","modified_gmt":"2019-10-30T10:25:41","slug":"shell-shock-vulnerability","status":"publish","type":"post","link":"https:\/\/www.supportpro.com\/blog\/shell-shock-vulnerability\/","title":{"rendered":"Shell shock vulnerability"},"content":{"rendered":"<p>A new vulnerability has been found that potentially affects most versions of the Linux and Unix operating systems, in addition to Mac OS X. Known as the \u201c<strong>Bash Bug<\/strong>\u201d or \u201c<strong>ShellShock<\/strong>,\u201d the GNU Bash Remote Code Execution Vulnerability could allow an attacker to gain control over a targeted computer if exploited successfully. And because Bash is everywhere on Linux and Unix-like machines and interacts with all parts of the operating system, everyone anticipates that it will have a lot of repercussions.<\/p>\n<p><strong>How does Shellshock work?<\/strong><\/p>\n<p>Shellshock exploits a flaw in how Bash parses environment variables. Bash allows functions to be stored in environment variables, but the issue is that Bash will also execute any code placed after the function definition in the environment variable value.<\/p>\n<p>For example, an environment variable setting of VAR=() { ignored; }; \/bin\/id will execute \/bin\/id when the environment is imported into the bash process.<\/p>\n<p><strong>Am I vulnerable?<\/strong><\/p>\n<p>You can check if you&#8217;re vulnerable by running the following line in your default shell.<\/p>\n<p><strong><em>env X=&quot;() { :;} ; echo vulnerable&quot; `which bash` -c &quot;echo Check completed&quot;<\/em><\/strong><\/p>\n<p>If you see the word &#8220;vulnerable&#8221; echoed back, then you&#8217;re at risk.<!--more--><\/p>\n<p><strong>How is Shellshock impacting the Web?<\/strong><\/p>\n<p>The most likely route of attack is through Web servers utilizing CGI (Common Gateway Interface), the 
widely used system for generating dynamic Web content. An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server. The attacker is able to inject environment variables into every Bash process spawned by a web server under the CGI specification. This will occur directly if the CGI script is written in Bash, or indirectly through system calls inside other types of CGI scripts, since the environment propagates to the sub-shell. The vulnerability is triggered automatically when the shell process is instantiated. Furthermore, if specific headers are used as attack points, the payload may not appear in the web-server logs, letting a compromise occur with virtually no trace of the intrusion.<\/p>\n<p>Example:<br \/>\nCGI stores the HTTP headers in environment variables. Let&#8217;s say example.com is running a CGI application written as a Bash script.<\/p>\n<p>We can modify the HTTP headers so that the request exploits the Shellshock vulnerability on the target server and executes our code.<\/p>\n<p><strong><em>curl -k http:\/\/example.com\/cgi-bin\/test -H &quot;User-Agent: () { :;}; echo Hacked &gt; \/tmp\/Hacked.txt&quot;<\/em><\/strong><\/p>\n<p>Here, curl sends a request to the target website with a User-Agent header containing the exploit code. 
This code will create a file &#8220;Hacked.txt&#8221; in the &#8220;\/tmp&#8221; directory of the server.<\/p>\n<p><strong>What can I do to protect myself?<\/strong><\/p>\n<p>Major operating system vendors, including Red Hat, CentOS, etc., have already released an initial patch for this bug.<\/p>\n<p>Debian\u2014https:\/\/www.debian.org\/security\/2014\/dsa-3032<br \/>\nUbuntu\u2014http:\/\/www.ubuntu.com\/usn\/usn-2362-1\/<br \/>\nRed Hat\u2014https:\/\/access.redhat.com\/articles\/1200223*<br \/>\nCentOS\u2014http:\/\/centosnow.blogspot.com\/2014\/09\/critical-bash-updates-for-centos-5.html<br \/>\nNovell\/SUSE\u2014http:\/\/support.novell.com\/security\/cve\/CVE-2014-6271.html<\/p>\n<p>If a patch is unavailable for a specific distribution of Linux or Unix, it is recommended that users switch to an alternative shell until a patch becomes available.<\/p>\n<p><strong>Need expert assistance?<\/strong><\/p>\n<p><a href=\"https:\/\/www.supportpro.com\/\"><strong>SupportPRO<\/strong><\/a> has a team of well-experienced professionals. We can check your server for the Shellshock vulnerability and patch the server so that you and your customers are secure from this attack. 
Feel free to contact us if you need assistance.<\/p>\n<p>If you require help, <a href=\"https:\/\/www.supportpro.com\/requestquote.php\">contact SupportPRO Server Admin<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new vulnerability has been found that potentially affects most versions of the Linux and Unix operating systems, in addition to Mac OS X. 
Known as the \u201cBash Bug\u201d or&hellip;<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[5,6,1,4,7,3],"tags":[],"class_list":["post-1282","post","type-post","status-publish","format-standard","hentry","category-general-topics","category-linux-basics","category-miscellaneous","category-server-security","category-server-tweaking","category-technical-articles"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts\/1282","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/comments?post=1282"}],"version-history":[{"count":8,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts\/1282\/revisions"}],"predecessor-version":[{"id":4428,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts\/1282\/revisions\/4428"}],"wp:attachment":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/media?parent=1282"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/categories?post=1282"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/tags?post=1282"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}