Bash bug: Shellshocked yet? You will be ... when this goes WORM

Much of the impact of the Shellshock vulnerability is unknown and will surface in the coming months as researchers, admins and attackers (natch) find new avenues of exploitation.

The vulnerability, called Shellshock by researcher Robert Graham, existed in the Bash command interpreter up to version 4.3 and affected scores of servers, home computers and embedded devices.

While Australian consultants and security firms were examining the impact of the flaw to advise their clients, the existence of the flaw came as no surprise for some.

"To be honest it came as a complete lack of surprise to me," Assurance.com.au director and veteran Unix-hand Neal Wise said. "The use of shells for CGI was discouraged since the mid 90s."

"There will be a period of discovery where we find that this thing or that thing that we rely on in our code is vulnerable.

"So if you didn't build [a given platform] yourself, you need to get your vendor to confirm that they aren't affected."

The two-decade old bug existed in the handling of environment variables in Bash caused by the execution of trailing code in a function definition when a function is assigned to a variable.

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

- NIST

Securus Global director Drazen Drazic said the bg opened interesting exploitation avenues.

"I think this bug opens up a variety of interesting niche exploitation scenarios, depending on what an attacker is trying to get into," Drazen said, noting that there were "a lot worse things out there with a lot lower barriers to exploitation".

He said admins should consult patches already released from vendors.

The number of affected systems that a given enterprise could be running was largely unknown at present, and Wise said administrators should ask their vendors to investigate the impact and address any exposures.

Researcher Robert Graham has so far dug up 3,000 vulnerable systems by scanning port 80 on the root URL, and said the bug was "clearly wormable".

His figures should increase quickly since that only one in 50 web servers respond correctly without the proper Host field.

"Scanning with the correct domain names would lead to a lot more results -- about 50 times more," Graham writes.

Graham adds: "Secondly, it's things like CGI scripts that are vulnerable, deep within a website (like CPanel's /cgi-sys/defaultwebpage.cgi). Getting just the root page is the thing least likely to be vulnerable. Spidering the site, and testing well-known CGI scripts (like the CPanel one) would give a lot more results, at least 10x [more]."

He also writes that embedded web servers on odd ports "are the real danger" as well other services like the DHCP service reported in the initial advisory.

"Consequently, even though my light scan found only 3000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems," Graham said.

"One key question is whether Mac OS X and iPhone DHCP service is vulnerable – once the worm gets behind a firewall and runs a hostile DHCP server, that would 'game over' for large networks."

He agrees Shellshock was more severe than the OpenSSL HeartBleed vulnerability reported in April and warned that while primary servers were likely not vulnerable, "everything else probably is".

"Scan your network for things like Telnet, FTP, and old versions of Apache (masscan is extremely useful for this). Anything that responds is probably an old device needing a bash patch. And, since most of them can't be patched, you are likely screwed." ®