Difference between revisions of "Shellshock"
(Added the description for chapter "Background", along with citations) |
(Added the description for chapter "Impact and Attack Scenarios", along with citations) |
||
| Line 90: | Line 90: | ||
Because of this, the following code block <code>{ echo vulnerable; id; }</code> is executed without further checks. | Because of this, the following code block <code>{ echo vulnerable; id; }</code> is executed without further checks. | ||
==Impact and Attack Scenarios== | == Impact and Attack Scenarios == | ||
=== Attack Vectors === | |||
The discovery of the Shellshock vulnerabilities has revealed significant implications for the security of information systems. | |||
By exploiting the previously mentioned flaws, attackers gain numerous points of attack. Any service or system implementing a vulnerable version of Bash could potentially be compromised. | |||
The following sections describe the most common attack surfaces of this vulnerability and illuminate the specific threats posed to computer systems. | |||
==== Hypertext Transfer Protocol (HTTP) - via CGI scripts ==== | |||
The exploitation of Shellshock through [https://en.wikipedia.org/wiki/HTTP HTTP] via [https://en.wikipedia.org/wiki/Common_Gateway_Interface Common Gateway Interface] (CGI) scripts was particularly alarming due to the prevalence of CGI in web server configurations <ref name="ricmac-cgi-scripts-1993">ricmac. [https://webdevelopmenthistory.com/1993-cgi-scripts-and-early-server-side-web-programming ''1993: CGI Scripts and Early Server-Side Web Programming''], 2021. Retrieved December 17, 2023.</ref>. | |||
Attackers could send malicious HTTP requests with environment variables containing the modified payload. Common methods for this include, for example, the ''Referer'', ''Cookie'', or ''User-Agent'' headers. | |||
Since CGI scripts often invoke Bash, these payloads were executed, potentially leading to remote code execution (RCE) <ref name="mehndiratta-shellshock-exploiting">Madhav Mehndiratta. [https://www.infosecarticles.com/exploiting-shellshock-vulnerability/ ''Exploiting a Shellshock Vulnerability''], 2020. Retrieved December 17, 2023.</ref>. This simple method required no authentication, allowing unmitigated access to the server. | |||
For this reason, web applications that use an outdated Bash version may be vulnerable to Shellshock exploits. | |||
==== Secure Shell (SSH) ==== | |||
Systems that use [https://en.wikipedia.org/wiki/Secure_Shell SSH] mechanisms like ''ForceCommand'' or ''AuthorizedKeysCommand'' posed another way to exploit the security flaw. | |||
Attackers could make use of it by embedding malicious payload within the SSH command. When the SSH server processed the command, it invoked the Bash shell, leading to the execution of the code. <ref name="kandek-shellshock-update5">Wolfgang Kandek. [https://blog.qualys.com/vulnerabilities-threat-research/2014/09/24/bash-shellshock-vulnerability ''BASH Shellshock Vulnerability – Update5''], 2020. Retrieved December 20, 2023.</ref> | |||
This form of attack was particularly concerning for systems where SSH is used for secure remote management, as it could bypass standard security measures and grant attackers unauthorized access. | |||
==== Dynamic Host Configuration Protocol (DHCP) ==== | |||
Exploiting Shellshock through [https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP] involved attackers setting up rogue DHCP servers. When a vulnerable system (client), using Bash to process DHCP responses, connected to this server, it would receive maliciously crafted DHCP responses. These responses included environment variables typically designed to perform ACE. <ref name="enache-shellshock">Tudor Enache. [https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf ''Shellshock Vulnerability''], 2014. Retrieved December 17, 2023.</ref> | |||
Since DHCP is used for automatically configuring network settings, this attack vector could be employed in any network environment, making it particularly dangerous in public or unsecured Wi-Fi networks. | |||
==== Network Services and Daemon Scripts ==== | |||
Network services that process email headers, such as [https://en.wikipedia.org/wiki/Message_transfer_agent Mail Transfer Agents] (MTAs), or other services that pass environment variables to Bash scripts, are also potential targets for Shellshock attacks. This could affect any service that handles external data within a Bash environment. | |||
===Examples of Attacks=== | ===Examples of Attacks=== | ||
Shellshock was exploited in various notable attacks. | |||
==== Voting Server in Georgia ==== | |||
A security expert found evidence suggesting a hacker attack on a Georgia voting server before the 2016 and 2018 elections. This incident, potentially exploiting the Shellshock vulnerability from 2014, might have allowed attackers to gain extensive control, alter data, or install malware. The server's vulnerability was not immediately patched, and there's evidence suggesting attackers concealed their activities and erased log data, complicating the investigation. <ref name="zetter-georgia-elections">Kim Zetter. [https://www.politico.com/news/2020/01/16/georgia-election-systems-could-have-been-hacked-before-2016-vote-100334/ ''Georgia Election Systems Could Have Been Hacked Before 2016 Vote''], 2020. Retrieved December 17, 2023.</ref> | |||
==== QNAP NAS Devices ==== | |||
Researchers discovered a [https://en.wikipedia.org/wiki/Computer_worm computer worm] exploiting the Shellshock vulnerability to plant [https://en.wikipedia.org/wiki/Backdoor_(computing) backdoors] on [https://en.wikipedia.org/wiki/Network-attached_storage network-attached storage] (NAS) devices by [https://en.wikipedia.org/wiki/QNAP_Systems QNAP]. These backdoors bypass security mechanisms, allowing remote access. The worm spread by exploiting a CGI script in QNAP's login process, establishing backdoors, including setting up an SSH server and adding administrative users. Although QNAP released updates, many systems remained vulnerable due to patching difficulties. | |||
Similar to the Georgia voting server case, the malware self-patched the Shellshock vulnerability on infected devices to prevent further exploits. <ref name="kovacs-qnap-worm">Eduard Kovacs. [https://www.securityweek.com/worm-uses-shellshock-infect-qnap-network-storage-systems/ ''Worm Uses Shellshock to Infect QNAP Network Storage Systems''], 2014. Retrieved December 17, 2023.</ref> | |||
==== Yahoo! Server ==== | |||
Cybersecurity expert Jonathan Hall discovered that romanian hackers exploited the Shellshock vulnerability to breach [https://en.wikipedia.org/wiki/Yahoo! Yahoo!] servers. They specifically targeted access points to the [https://en.wikipedia.org/wiki/Yahoo!_Games Yahoo! Games] network, which has millions of users. The servers were vulnerable due to using an outdated version of Bash. Yahoo confirmed the incidents, stating they responded with patches and isolated some affected servers. However, at that time, there was no evidence of compromised user data. <ref name="boren-romanian-hackers">Zachary Davies Boren. [https://www.independent.co.uk/tech/shellshock-romanian-hackers-are-accessing-yahoo-servers-claims-security-ex html/ ''Shellshock: Romanian Hackers Are Accessing Yahoo Servers, Claims Security Expert''], 2014. Retrieved December 17, 2023.</ref><ref name="hall-yahoo-shellshocked">Jonathan Hall. [https://web.archive.org/web/20141009075833/http://www.futuresouth.us/wordpress/?p=5 ''Yahoo! Shellshocked Like Ninja Turtles!''], 2014. Retrieved December 17, 2023.</ref> | |||
==== DDoS Attacks ==== | |||
Within a day of Shellshock's disclosure, attackers exploited the Bash vulnerability to create a [https://en.wikipedia.org/wiki/Botnet botnet] named wopbot. This botnet targeted vulnerable servers, launching [https://en.wikipedia.org/wiki/Denial-of-service_attack distributed denial-of-service] (DDoS) attacks against [https://en.wikipedia.org/wiki/Akamai_Technologies Akamai's] [https://en.wikipedia.org/wiki/Content_delivery_network content delivery network] (CDN) servers and attempting to compromise the U.S. Defense Department's network, which includes about 16.7 million IP addresses. While [https://en.wikipedia.org/wiki/Tiger_(security_software) Tiger Security] experts partially shut down the botnet's control systems, the botmaster server of wopbot remains operational, continuing to spread malware. <ref name="saarinen-shellshock-botnet">Juha Saarinen. [https://www.itnews.com.au/news/first-shellshock-botnet-attacks-akamai-us-dod-networks-396197/ ''First Shellshock Botnet Attacks Akamai, US DoD Networks''], 2014. Retrieved December 17, 2023.</ref> | |||
==== Other Attacks ==== | |||
According to a report by Solutionary’s Security Engineering Research Team (SERT), the Shellshock vulnerability was still being exploited ten months after its disclosure. Despite available protections, many systems remained vulnerable. Nearly 600,000 Shellshock-related events originated from over 25,000 unique IP addresses, mostly trying to identify susceptible systems. The USA, China, Korea, the UK, Germany, and Japan were the top sources of these attacks, with educational institutions being primary targets. Most successful attacks involved downloading and executing Bash scripts, with various attackers, including known botnets, continuing to exploit the vulnerability. <ref name="kovacs-shellshock-exploited">Eduard Kovacs. [https://www.securityweek.com/shellshock-flaw-still-actively-exploited-solutionary/ ''Shellshock Flaw Still Actively Exploited: Solutionary''], 2015. Retrieved December 17, 2023.</ref> | |||
==Defense and Mitigation Strategies== | ==Defense and Mitigation Strategies== | ||
Revision as of 23:11, 7 January 2024
Shellshock, discovered in 2014, is a significant vulnerability in the GNU Bash shell, affecting a wide range of systems. It enables attackers to execute arbitrary code on vulnerable systems, exploiting environment variables in Bash. The severity of Shellshock lies in its widespread impact, targeting systems running Bash, including web servers, DHCP clients, and network services.
Background
Bash Shell
The GNU Bourne Again Shell (Bash), introduced in 1989 by Brian Fox, is a widely used command-line interface in Unix-like operating systems. Renowned for its flexibility and extensive feature set, Bash combines capabilities from various other shells, such as the Korn Shell (ksh) and the C-Shell (csh) [1].
However, this complexity also introduced vulnerabilities, as highlighted by the Shellshock incident. Bash's integral role in numerous systems and devices across networks [2] significantly amplified the impact of these vulnerabilities, underlining the importance of secure shell programming and system design.
Discovery
The discovery of Shellshock and its related vulnerabilities unfolded in 2014, starting with Stéphane Chazelas, a French software developer, uncovering the initial bug, CVE-2014-6271 (Common Vulnerability and Exposures, CVE). The vulnerability, which had gone unnoticed for over two decades, was a significant flaw in the Bash shell. [3]
Upon its discovery, it was quickly recognized for the potential to allow attackers to execute arbitrary code (Arbitrary Code Execution, ACE) on affected systems [4]. The revelation of Shellshock prompted an immediate and coordinated response from the software community, leading to rapid development of patches by Bash's lead developer, Chet Ramey, and widespread updates across various operating systems and networked devices [3].
Furthermore, it led to the identification of six distinct CVEs, ranging from CVE-2014-6271 to CVE-2014-7187, each highlighting various vulnerabilities in Bash's handling of code parsing and execution [5].
Reported Vulnerabilities
CVE-2014-6271
The original Shellshock vulnerability was based on how Bash processed environment variables and allowed attackers to execute arbitrary code on vulnerable systems [6].
env x=’() { :;}; echo vulnerable’ bash -c "echo this is a test"
In this example, the function is defined using the command env x='() { :;}; echo vulnerable'. After the actual function body, marked by { :;};, additional code is added – in this case, the command echo vulnerable.
If the Bash version is vulnerable, it will output "vulnerable" and "this is a test." This means that it also executes the code after the function.
It's important to note that the second output string, "this is a test," is not part of the vulnerability and can be replaced with almost any other command. What matters is that when using bash -c, a new instance of Bash is created, which assigns the value to the environment variable x. During this initialization of x, the injected code echo vulnerable is executed.
CVE-2014-7169
The second discovered vulnerability, also known as Aftershock, allowed for the execution of injected code in a similar manner, even after applying the initial patch [6].
env x=’() {( a ) = >\’ bash -c "echo date"; cat echo
In this case, an attempt is made to assign a function to the variable x as well. The key difference from the previous vulnerability is that the function is designed to generate a syntax error while still executing code. The use of the escape character \ cancels out the following quotation mark, preventing the function definition from being completed. The redirection operator > redirects output to a file specified afterward.
Despite the syntax error in the function definition's position of =, Bash continues to execute code and, as a result, creates a file named "echo" with the content of the date command output.
Finally, this file is printed to the console using cat echo.
CVE-2014-7186
Another vulnerability, which didn't execute malicious code but was used to carry out DoS attacks by causing memory overflow and application crashes, or other unexpected behavior in Bash [7][8][9].
x=’() { true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF; }’; bash -c :
In the example above, a series of here documents are nested within the function body, but they are never closed with a delimiter. Each <<EOF opens a new document, which typically needs to be closed with the matching delimiter EOF. Everything between these two points is considered the content of the document [10].
The security vulnerability arises from the missing closing delimiters, combined with the deep nesting, causing an Out-Of-Bounds Memory-Access-Error.
CVE-2014-7187
A software crash and subsequent DoS can be caused by an Off-By-One error due to a flaw in the read token word function found in the parse.y file within the Bash source code [11][8][9].
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) > test-script.sh
bash test-script.sh
When using a for loop, the output of echo commands is written to the target file test-script.sh, which is executed afterward. The resulting deeply nested loops can cause Bash to mishandle them, leading to an Off-By-One error in memory access.
This can result in accessing memory outside the allocated range, potentially leading to application crashes.
CVE-2014-6277
Another security vulnerability, in contrast to the previous weaknesses, is related to uninitialized memory usage. This faulty memory access could lead to DoS or the execution of malicious code [12]. A detailed explanation of this issue can be found in a personal blog post [9] by Michał Zalewski.
x="() { y() { _; }; y() { _; } <<‘perl -e ’{print "A"x1000}’‘; }" bash -c :
In this command, after two empty functions y() { _; }, the << operator starts a here document. However, due to the missing delimiter string, the it is not fully terminated. As a result, the here_doc_eof pointer incorrectly points to an invalid string and remains uninitialized. Consequently, Bash could attempt to read from this uninitialized memory that has been manipulated by attackers.
This could result in unexpected behavior such as Arbitrary Code Execution (ACE) or software crashes.
CVE-2014-6278
This more complex security vulnerability allowed attackers to bypass the previously published patches through redirection and parsing errors, ultimately enabling the execution of malicious code [13][9].
x=’() { _; } >_[$($())] { echo vulnerable; id; }’ bash -c :
The expression >_[$($())] uses redirection and array syntax in a way that the Bash parser does not understand. As a result, it falls into a state that it cannot correctly reset after interpreting the nested command substitution $().
Because of this, the following code block { echo vulnerable; id; } is executed without further checks.
Impact and Attack Scenarios
Attack Vectors
The discovery of the Shellshock vulnerabilities has revealed significant implications for the security of information systems. By exploiting the previously mentioned flaws, attackers gain numerous points of attack. Any service or system implementing a vulnerable version of Bash could potentially be compromised.
The following sections describe the most common attack surfaces of this vulnerability and illuminate the specific threats posed to computer systems.
Hypertext Transfer Protocol (HTTP) - via CGI scripts
The exploitation of Shellshock through HTTP via Common Gateway Interface (CGI) scripts was particularly alarming due to the prevalence of CGI in web server configurations [14].
Attackers could send malicious HTTP requests with environment variables containing the modified payload. Common methods for this include, for example, the Referer, Cookie, or User-Agent headers. Since CGI scripts often invoke Bash, these payloads were executed, potentially leading to remote code execution (RCE) [15]. This simple method required no authentication, allowing unmitigated access to the server.
For this reason, web applications that use an outdated Bash version may be vulnerable to Shellshock exploits.
Secure Shell (SSH)
Systems that use SSH mechanisms like ForceCommand or AuthorizedKeysCommand posed another way to exploit the security flaw.
Attackers could make use of it by embedding malicious payload within the SSH command. When the SSH server processed the command, it invoked the Bash shell, leading to the execution of the code. [16]
This form of attack was particularly concerning for systems where SSH is used for secure remote management, as it could bypass standard security measures and grant attackers unauthorized access.
Dynamic Host Configuration Protocol (DHCP)
Exploiting Shellshock through DHCP involved attackers setting up rogue DHCP servers. When a vulnerable system (client), using Bash to process DHCP responses, connected to this server, it would receive maliciously crafted DHCP responses. These responses included environment variables typically designed to perform ACE. [17]
Since DHCP is used for automatically configuring network settings, this attack vector could be employed in any network environment, making it particularly dangerous in public or unsecured Wi-Fi networks.
Network Services and Daemon Scripts
Network services that process email headers, such as Mail Transfer Agents (MTAs), or other services that pass environment variables to Bash scripts, are also potential targets for Shellshock attacks. This could affect any service that handles external data within a Bash environment.
Examples of Attacks
Shellshock was exploited in various notable attacks.
Voting Server in Georgia
A security expert found evidence suggesting a hacker attack on a Georgia voting server before the 2016 and 2018 elections. This incident, potentially exploiting the Shellshock vulnerability from 2014, might have allowed attackers to gain extensive control, alter data, or install malware. The server's vulnerability was not immediately patched, and there's evidence suggesting attackers concealed their activities and erased log data, complicating the investigation. [18]
QNAP NAS Devices
Researchers discovered a computer worm exploiting the Shellshock vulnerability to plant backdoors on network-attached storage (NAS) devices by QNAP. These backdoors bypass security mechanisms, allowing remote access. The worm spread by exploiting a CGI script in QNAP's login process, establishing backdoors, including setting up an SSH server and adding administrative users. Although QNAP released updates, many systems remained vulnerable due to patching difficulties. Similar to the Georgia voting server case, the malware self-patched the Shellshock vulnerability on infected devices to prevent further exploits. [19]
Yahoo! Server
Cybersecurity expert Jonathan Hall discovered that romanian hackers exploited the Shellshock vulnerability to breach Yahoo! servers. They specifically targeted access points to the Yahoo! Games network, which has millions of users. The servers were vulnerable due to using an outdated version of Bash. Yahoo confirmed the incidents, stating they responded with patches and isolated some affected servers. However, at that time, there was no evidence of compromised user data. [20][21]
DDoS Attacks
Within a day of Shellshock's disclosure, attackers exploited the Bash vulnerability to create a botnet named wopbot. This botnet targeted vulnerable servers, launching distributed denial-of-service (DDoS) attacks against Akamai's content delivery network (CDN) servers and attempting to compromise the U.S. Defense Department's network, which includes about 16.7 million IP addresses. While Tiger Security experts partially shut down the botnet's control systems, the botmaster server of wopbot remains operational, continuing to spread malware. [22]
Other Attacks
According to a report by Solutionary’s Security Engineering Research Team (SERT), the Shellshock vulnerability was still being exploited ten months after its disclosure. Despite available protections, many systems remained vulnerable. Nearly 600,000 Shellshock-related events originated from over 25,000 unique IP addresses, mostly trying to identify susceptible systems. The USA, China, Korea, the UK, Germany, and Japan were the top sources of these attacks, with educational institutions being primary targets. Most successful attacks involved downloading and executing Bash scripts, with various attackers, including known botnets, continuing to exploit the vulnerability. [23]
Defense and Mitigation Strategies
Patches and Updates
Rapid development and distribution of patches for each CVE were crucial in mitigating Shellshock. Regular system updates and applying patches are critical for maintaining security.
Best Practices
Adopting best practices, such as minimal installation to reduce attack surfaces, adhering to the principle of least privilege, regular security audits, and employee training, are essential strategies to prevent similar vulnerabilities.
- ↑ Chet Ramey and Brian Fox. Bash Reference Manual, Free Software Foundation, 5.2 edition, 2022.
- ↑ Matthew Broberg. The Birth of the Bash Shell, 2019. Retrieved December 17, 2023.
- ↑ 3.0 3.1 Ben Grubb. Stephane Chazelas: The Man Who Found the Web's 'Most Dangerous' Internet Security Bug, 2014. Retrieved December 17, 2023.
- ↑ National Institute of Standards and Technology (NIST). CVE-2014-6271 Detail, 2021. Retrieved December 18, 2023.
- ↑ Steven Vaughan-Nichols. Shellshock: Better 'bash' patches now available, 2014. Retrieved December 17, 2023.
- ↑ 6.0 6.1 Prutha Parikh. Bash Shellshock Command Injection Vulnerabilities, 2014. Retrieved December 17, 2023.
- ↑ National Institute of Standards and Technology (NIST). CVE-2014-7186 Detail, 2018. Retrieved December 17, 2023.
- ↑ 8.0 8.1 Florian Weimer. Non-Upstream Patches for Bash, 2014. Retrieved December 17, 2023.
- ↑ 9.0 9.1 9.2 9.3 Michał Zalewski. Bash Bug: The Other Two RCEs, or How We Chipped Away at the Original Fix (CVE-2014-6277 and '78), 2014. Retrieved December 17, 2023.
- ↑ Mendel Cooper. Advanced Bash-Scripting Guide: Chapter 19. Here Documents, 2014. Retrieved December 17, 2023.
- ↑ National Institute of Standards and Technology (NIST). CVE-2014-7187 Detail, 2018. Retrieved December 17, 2023.
- ↑ National Institute of Standards and Technology (NIST). CVE-2014-6277 Detail, 2018. Retrieved December 17, 2023.
- ↑ National Institute of Standards and Technology (NIST). CVE-2014-6278 Detail, 2021. Retrieved December 17, 2023.
- ↑ ricmac. 1993: CGI Scripts and Early Server-Side Web Programming, 2021. Retrieved December 17, 2023.
- ↑ Madhav Mehndiratta. Exploiting a Shellshock Vulnerability, 2020. Retrieved December 17, 2023.
- ↑ Wolfgang Kandek. BASH Shellshock Vulnerability – Update5, 2020. Retrieved December 20, 2023.
- ↑ Tudor Enache. Shellshock Vulnerability, 2014. Retrieved December 17, 2023.
- ↑ Kim Zetter. Georgia Election Systems Could Have Been Hacked Before 2016 Vote, 2020. Retrieved December 17, 2023.
- ↑ Eduard Kovacs. Worm Uses Shellshock to Infect QNAP Network Storage Systems, 2014. Retrieved December 17, 2023.
- ↑ Zachary Davies Boren. html/ Shellshock: Romanian Hackers Are Accessing Yahoo Servers, Claims Security Expert, 2014. Retrieved December 17, 2023.
- ↑ Jonathan Hall. Yahoo! Shellshocked Like Ninja Turtles!, 2014. Retrieved December 17, 2023.
- ↑ Juha Saarinen. First Shellshock Botnet Attacks Akamai, US DoD Networks, 2014. Retrieved December 17, 2023.
- ↑ Eduard Kovacs. Shellshock Flaw Still Actively Exploited: Solutionary, 2015. Retrieved December 17, 2023.