Difference between revisions of "Shellshock"
m (Improved reference display in chapter "Reported Vulnerabilities") |
(Added the description for chapter "Background", along with citations) |
||
| Line 2: | Line 2: | ||
==Background== | == Background == | ||
===Bash Shell=== | === Bash Shell === | ||
The GNU Bourne Again Shell (Bash) is a widely used command | The GNU Bourne Again Shell ([https://en.wikipedia.org/wiki/Bash_(Unix_shell) Bash]), introduced in 1989 by Brian Fox, is a widely used command-line interface in Unix-like operating systems. Renowned for its flexibility and extensive feature set, Bash combines capabilities from various other shells, such as the Korn Shell (ksh) and the C-Shell (csh) <ref name="bash-reference-manual">Chet Ramey and Brian Fox. ''Bash Reference Manual'', Free Software Foundation, 5.2 edition, 2022.</ref>. | ||
However, this complexity also introduced vulnerabilities, as highlighted by the Shellshock incident. Bash's integral role in numerous systems and devices across networks <ref name="broberg-bash-shell">Matthew Broberg. [https://opensource.com/19/9/command-line-heroes-bash/ ''The Birth of the Bash Shell''], 2019. Retrieved December 17, 2023.</ref> significantly amplified the impact of these vulnerabilities, underlining the importance of secure shell programming and system design. | |||
=== Discovery === | |||
The discovery of Shellshock and its related vulnerabilities unfolded in 2014, starting with Stéphane Chazelas, a French software developer, uncovering the initial bug, CVE-2014-6271 ([https://nvd.nist.gov/vuln/ Common Vulnerability and Exposures, CVE]). | |||
The vulnerability, which had gone unnoticed for over two decades, was a significant flaw in the Bash shell. <ref name="grubb-chazelas">Ben Grubb. [https://www.smh.com.au/technology/stephane-chazelas-the-man-who-found-the-webs-most-dangerous-internet-securhtml/ ''Stephane Chazelas: The Man Who Found the Web's 'Most Dangerous' Internet Security Bug''], 2014. Retrieved December 17, 2023.</ref> | |||
Upon its discovery, it was quickly recognized for the potential to allow attackers to execute arbitrary code (Arbitrary Code Execution, ACE) on affected systems <ref name="nist-cve-2014-6271">National Institute of Standards and Technology (NIST). [https://nvd.nist.gov/vuln/detail/CVE-2014-6271/ ''CVE-2014-6271 Detail''], 2021. Retrieved December 18, 2023.</ref>. | |||
The revelation of Shellshock prompted an immediate and coordinated response from the software community, leading to rapid development of patches by Bash's lead developer, Chet Ramey, and widespread updates across various operating systems and networked devices <ref name="grubb-chazelas"></ref>. | |||
Furthermore, it led to the identification of six distinct CVEs, ranging from CVE-2014-6271 to CVE-2014-7187, each highlighting various vulnerabilities in Bash's handling of code parsing and execution <ref name="zdnet-betterbash">Steven Vaughan-Nichols. [https://www.zdnet.com/article/shellshock-better-bash-patches-now-available/ ''Shellshock: Better 'bash' patches now available''], 2014. Retrieved December 17, 2023.</ref>. | |||
==Reported Vulnerabilities== | ==Reported Vulnerabilities== | ||
Revision as of 20:03, 7 January 2024
Shellshock, discovered in 2014, is a significant vulnerability in the GNU Bash shell, affecting a wide range of systems. It enables attackers to execute arbitrary code on vulnerable systems, exploiting environment variables in Bash. The severity of Shellshock lies in its widespread impact, targeting systems running Bash, including web servers, DHCP clients, and network services.
Background
Bash Shell
The GNU Bourne Again Shell (Bash), introduced in 1989 by Brian Fox, is a widely used command-line interface in Unix-like operating systems. Renowned for its flexibility and extensive feature set, Bash combines capabilities from various other shells, such as the Korn Shell (ksh) and the C-Shell (csh) [1].
However, this complexity also introduced vulnerabilities, as highlighted by the Shellshock incident. Bash's integral role in numerous systems and devices across networks [2] significantly amplified the impact of these vulnerabilities, underlining the importance of secure shell programming and system design.
Discovery
The discovery of Shellshock and its related vulnerabilities unfolded in 2014, starting with Stéphane Chazelas, a French software developer, uncovering the initial bug, CVE-2014-6271 (Common Vulnerability and Exposures, CVE). The vulnerability, which had gone unnoticed for over two decades, was a significant flaw in the Bash shell. [3]
Upon its discovery, it was quickly recognized for the potential to allow attackers to execute arbitrary code (Arbitrary Code Execution, ACE) on affected systems [4]. The revelation of Shellshock prompted an immediate and coordinated response from the software community, leading to rapid development of patches by Bash's lead developer, Chet Ramey, and widespread updates across various operating systems and networked devices [3].
Furthermore, it led to the identification of six distinct CVEs, ranging from CVE-2014-6271 to CVE-2014-7187, each highlighting various vulnerabilities in Bash's handling of code parsing and execution [5].
Reported Vulnerabilities
CVE-2014-6271
The original Shellshock vulnerability was based on how Bash processed environment variables and allowed attackers to execute arbitrary code on vulnerable systems [6].
env x=’() { :;}; echo vulnerable’ bash -c "echo this is a test"
In this example, the function is defined using the command env x='() { :;}; echo vulnerable'. After the actual function body, marked by { :;};, additional code is added – in this case, the command echo vulnerable.
If the Bash version is vulnerable, it will output "vulnerable" and "this is a test." This means that it also executes the code after the function.
It's important to note that the second output string, "this is a test," is not part of the vulnerability and can be replaced with almost any other command. What matters is that when using bash -c, a new instance of Bash is created, which assigns the value to the environment variable x. During this initialization of x, the injected code echo vulnerable is executed.
CVE-2014-7169
The second discovered vulnerability, also known as Aftershock, allowed for the execution of injected code in a similar manner, even after applying the initial patch [6].
env x=’() {( a ) = >\’ bash -c "echo date"; cat echo
In this case, an attempt is made to assign a function to the variable x as well. The key difference from the previous vulnerability is that the function is designed to generate a syntax error while still executing code. The use of the escape character \ cancels out the following quotation mark, preventing the function definition from being completed. The redirection operator > redirects output to a file specified afterward.
Despite the syntax error in the function definition's position of =, Bash continues to execute code and, as a result, creates a file named "echo" with the content of the date command output.
Finally, this file is printed to the console using cat echo.
CVE-2014-7186
Another vulnerability, which didn't execute malicious code but was used to carry out DoS attacks by causing memory overflow and application crashes, or other unexpected behavior in Bash [7][8][9].
x=’() { true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF; }’; bash -c :
In the example above, a series of here documents are nested within the function body, but they are never closed with a delimiter. Each <<EOF opens a new document, which typically needs to be closed with the matching delimiter EOF. Everything between these two points is considered the content of the document [10].
The security vulnerability arises from the missing closing delimiters, combined with the deep nesting, causing an Out-Of-Bounds Memory-Access-Error.
CVE-2014-7187
A software crash and subsequent DoS can be caused by an Off-By-One error due to a flaw in the read token word function found in the parse.y file within the Bash source code [11][8][9].
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) > test-script.sh
bash test-script.sh
When using a for loop, the output of echo commands is written to the target file test-script.sh, which is executed afterward. The resulting deeply nested loops can cause Bash to mishandle them, leading to an Off-By-One error in memory access.
This can result in accessing memory outside the allocated range, potentially leading to application crashes.
CVE-2014-6277
Another security vulnerability, in contrast to the previous weaknesses, is related to uninitialized memory usage. This faulty memory access could lead to DoS or the execution of malicious code [12]. A detailed explanation of this issue can be found in a personal blog post [9] by Michał Zalewski.
x="() { y() { _; }; y() { _; } <<‘perl -e ’{print "A"x1000}’‘; }" bash -c :
In this command, after two empty functions y() { _; }, the << operator starts a here document. However, due to the missing delimiter string, the it is not fully terminated. As a result, the here_doc_eof pointer incorrectly points to an invalid string and remains uninitialized. Consequently, Bash could attempt to read from this uninitialized memory that has been manipulated by attackers.
This could result in unexpected behavior such as Arbitrary Code Execution (ACE) or software crashes.
CVE-2014-6278
This more complex security vulnerability allowed attackers to bypass the previously published patches through redirection and parsing errors, ultimately enabling the execution of malicious code [13][9].
x=’() { _; } >_[$($())] { echo vulnerable; id; }’ bash -c :
The expression >_[$($())] uses redirection and array syntax in a way that the Bash parser does not understand. As a result, it falls into a state that it cannot correctly reset after interpreting the nested command substitution $().
Because of this, the following code block { echo vulnerable; id; } is executed without further checks.
Impact and Attack Scenarios
Attack Vectors
Shellshock could be exploited through web servers using CGI scripts, SSH services, DHCP clients, and various network services. By manipulating environment variables, attackers could execute malicious code.
Examples of Attacks
Notable instances include a suspected attack on a voting server in Georgia, a worm targeting QNAP NAS devices, and unauthorized access to Yahoo servers. These examples highlight the broad and severe implications of Shellshock in real-world scenarios.
Defense and Mitigation Strategies
Patches and Updates
Rapid development and distribution of patches for each CVE were crucial in mitigating Shellshock. Regular system updates and applying patches are critical for maintaining security.
Best Practices
Adopting best practices, such as minimal installation to reduce attack surfaces, adhering to the principle of least privilege, regular security audits, and employee training, are essential strategies to prevent similar vulnerabilities.
- ↑ Chet Ramey and Brian Fox. Bash Reference Manual, Free Software Foundation, 5.2 edition, 2022.
- ↑ Matthew Broberg. The Birth of the Bash Shell, 2019. Retrieved December 17, 2023.
- ↑ 3.0 3.1 Ben Grubb. Stephane Chazelas: The Man Who Found the Web's 'Most Dangerous' Internet Security Bug, 2014. Retrieved December 17, 2023.
- ↑ National Institute of Standards and Technology (NIST). CVE-2014-6271 Detail, 2021. Retrieved December 18, 2023.
- ↑ Steven Vaughan-Nichols. Shellshock: Better 'bash' patches now available, 2014. Retrieved December 17, 2023.
- ↑ 6.0 6.1 Prutha Parikh. Bash Shellshock Command Injection Vulnerabilities, 2014. Retrieved December 17, 2023.
- ↑ National Institute of Standards and Technology (NIST). CVE-2014-7186 Detail, 2018. Retrieved December 17, 2023.
- ↑ 8.0 8.1 Florian Weimer. Non-Upstream Patches for Bash, 2014. Retrieved December 17, 2023.
- ↑ 9.0 9.1 9.2 9.3 Michał Zalewski. Bash Bug: The Other Two RCEs, or How We Chipped Away at the Original Fix (CVE-2014-6277 and '78), 2014. Retrieved December 17, 2023.
- ↑ Mendel Cooper. Advanced Bash-Scripting Guide: Chapter 19. Here Documents, 2014. Retrieved December 17, 2023.
- ↑ National Institute of Standards and Technology (NIST). CVE-2014-7187 Detail, 2018. Retrieved December 17, 2023.
- ↑ National Institute of Standards and Technology (NIST). CVE-2014-6277 Detail, 2018. Retrieved December 17, 2023.
- ↑ National Institute of Standards and Technology (NIST). CVE-2014-6278 Detail, 2021. Retrieved December 17, 2023.