How to check your servers for Bash ShellShock (CVE-2014-6271, CVE-2014-7169)
ShellShock, what a fitting name. The latest major headache for sysadmins, developers… well, pretty much anyone who has a *nix system running… has been brought to our attention by security researcher Stephane Chazelas.
The impact of this vulnerability is far bigger than the recent SSL Heartbleed vulnerability. Most people would not think of Bash as something you can access remotely. It's just a shell, right? Well, not quite.
Bash, the Bourne Again Shell, is widely used (and loved) by many system administrators and developers. Bash allows you to do some very powerful things that you would normally do in a programming language. With Bash, you can use variables and functions, just as you would in any good programming language. This is what makes bash so powerful.
Unfortunately, the way Bash validated the input for variables and functions allowed a malicious user to append a command to the end of the function or variable. Then every time Bash is run, it populates the variables, but also runs those commands.
It's unbelievable this has not been found before now. The vulnerability impacts Bash versions going back 15 years or more. But it doesn't end there. Think of all the “things” that might use a shell. Also, on RHEL and CentOS, /bin/sh is actually a symlink to /bin/bash, so add all the “things” that might call /bin/sh to the list of attack vectors.
Some of the “things” that might use calls to a shell are:
- CGI scripts with system() calls or even backticks
/bin/something
- OpenSSH
- DHCP services
- system() type calls in various programming languages, beyond Perl and CGI.
- Embedded software on devices like webcams and home routers (these will rarely get updated).
The list goes on and on. The more I think about it, the more I find could be vulnerable to the ShellShock vulnerability.
How do I check if my server is vulnerable to Bash ShellShock?
We have been following the news and scouring the internet to find the latest resources to identify if you or your website is vulnerable.
Check Locally
Red Hat has a very detailed article here. There are a few simple tests you can run from a shell on your server to see if you are vulnerable. This command will test your system. If it is vulnerable, it will print the word “vulnerable”. If it does not, you are safe from CVE-2014-6271!
    env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
But this is only half the battle: you still need to check for CVE-2014-7169. To do just that, run the following command. If your system is vulnerable, it will print the time and place a file in /tmp called “echo”. If it doesn’t tell you the time, and the file is not created, you are safe from a CVE-2014-7169 type attack.
    cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
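The two local tests above, wrapped so they can be run against several shells on one host and give an exit status for automation. This is an added example, not part of the original post or Red Hat's article; the function names, the exit codes and the use of a private temporary directory are this sketch's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are this sketch's own.

# CVE-2014-6271: a vulnerable shell executes the command that trails the
# function definition, so "vulnerable" shows up on stdout.
check_6271() {
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              "$1" -c "echo test" 2>/dev/null) || true
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: a vulnerable shell writes a file named "echo" into the
# current directory. Use a private directory instead of a fixed /tmp/echo.
check_7169() {
    work=$(mktemp -d) || return 1      # cannot test: fail closed
    ( cd "$work" && env 'x=() { (a)=>\' "$1" -c "echo date" ) >/dev/null 2>&1 || true
    if [ -e "$work/echo" ]; then found=1; else found=0; fi
    rm -rf "$work"
    return "$found"
}

# Test every shell path given (default: /bin/bash and /bin/sh, since /bin/sh
# is a symlink to bash on RHEL and CentOS).
# Returns 0 = all clean, 1 = something vulnerable, 2 = a path was missing.
shellshock_report() {
    [ "$#" -gt 0 ] || set -- /bin/bash /bin/sh
    worst=0
    for shell in "$@"; do
        if [ ! -x "$shell" ]; then
            echo "$shell: not executable, skipped"
            [ "$worst" -eq 1 ] || worst=2
            continue
        fi
        r1="not vulnerable"; r2="not vulnerable"
        check_6271 "$shell" || { r1="VULNERABLE"; worst=1; }
        check_7169 "$shell" || { r2="VULNERABLE"; worst=1; }
        echo "$shell: CVE-2014-6271 $r1, CVE-2014-7169 $r2"
    done
    return "$worst"
}
```

Source the file and call `shellshock_report` with no arguments to test /bin/bash and /bin/sh, or pass the paths of any other shells installed on the host.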
Checking Remotely
We have already seen Metasploit modules for ShellShock publicly available. We won’t touch on that now, but know they are out there, and more are coming, so get patched quickly.
If you still want to see if your site is vulnerable, we have found a few really good places to do that.
A tool that uses only HTTP-based exploits can be found at: shellshock.brandonpotter.com.
Another great resource for testing is the aptly named BashSmash!
How do I patch my system to prevent ShellShock?
The way to fix this is to update the version of bash running on the server. So at least the patch is easy!
Run the following command to install the latest bash package provided by Red Hat or CentOS.
    yum update bash
If you do not see any packages available for update, you might be using a stale cache. If so, try running the following command before you install.
    yum clean all
That's all it takes. Three simple words, well six if you have to update the cache!
Conclusion
The Bash ShellShock vulnerability is a severe vulnerability that is widespread and has a high potential to be remotely exploited. Luckily, it is just as easy to protect your systems. Just remember those three little words… “yum update bash”.
-Tutor