This morning a huge vulnerability was announced: a bug in the Bash shell. The bug can be exploited through specially crafted environment variables to run commands and compromise machines. Here at Bitronic Technologies we take security seriously and have patched all of our internal servers, shared hosting servers and VPS hypervisor nodes. We are also rolling out patches to our managed VPS customers. If you are an unmanaged customer, we highly recommend that you update Bash; an update is available for most Linux distros at this time.

What is the "Shellshock" Bug?

The bug can be used to hack into vulnerable servers. Once inside, attackers could deface websites, steal user data, and engage in other forms of mischief.

There's a good chance that hackers will use the vulnerability to create a worm that automatically spreads from vulnerable machine to vulnerable machine. The result would be a botnet, a network of thousands of compromised machines that operate under the control of a single hacker. These botnets — which are often created in the wake of major vulnerabilities — can be used to send spam, participate in denial-of-service attacks on websites or to steal confidential data.

You can check if your system is vulnerable by running the following over SSH:

env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"

If you see the word "busted", then you're at risk. If not, then either your Bash is fixed or your shell is using another interpreter. If you are compromised and don't know how to fix it, please contact us immediately.

A very simple example would be a CGI script, /var/www/cgi-bin/test.cgi:

#!/bin/bash
echo "Content-type: text/plain"
echo
echo "Hi"

Then call it with wget to swap out the User Agent string. E.g. this will show the contents of /etc/passwd:

wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd"

To break it down:

"() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd"

Looks like this to bash, one command per line:

() { test; }
echo "Content-type: text/plain"
echo
echo
/bin/cat /etc/passwd

The problem is that while it's okay to define a function in an environment variable, bash is not supposed to execute the code that follows the function definition.

The extra "Content-type:" is only for illustration. It prevents the 500 error and shows the contents of the file.

The above example also shows that this is not a problem of programming errors: even a normally safe and harmless bash CGI script that doesn't take any user input can be exploited.
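
To see whether requests like the wget example above have reached your web server, the following added example (not part of the original announcement) scans an access log for request lines, Referer or User-Agent values that begin with the "() {" function prefix. It assumes Apache "combined" log format; the log lines are constructed samples and the function names sample_log and scan_log are made up for this illustration.

```shell
#!/bin/sh
# Added example: flag access-log entries whose request line, Referer or
# User-Agent begins with the Bash function-definition prefix "() {".

# Constructed sample in Apache "combined" format (documentation-range
# addresses, not real traffic).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [26/Sep/2014:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [26/Sep/2014:09:12:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 1843 "-" "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd"
203.0.113.4 - - [26/Sep/2014:09:13:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 3 "() {  :; }; echo probe" "curl/7.38.0"
192.0.2.11 - - [26/Sep/2014:09:14:02 +0000] "GET /js/app.js?cb=function(){} HTTP/1.1" 200 88 "-" "Mozilla/5.0"
EOF
}

# scan_log [FILE...]: reads the named logs (or stdin) and prints one line
# per suspicious field: "line=N ip=ADDR field=NAME".
# Assumption: combined log format, so splitting on double quotes gives
# $2 = request line, $4 = Referer, $6 = User-Agent. Headers the server
# does not log (cookies, custom headers) cannot be seen here.
scan_log() {
    awk -F'"' '
        function check(name, value,    head) {
            # Vulnerable Bash imports a variable as a function only when
            # its value starts with "() {", so match at position 1 only.
            if (index(value, "() {") == 1) {
                split($1, head, " ")
                printf "line=%d ip=%s field=%s\n", FNR, head[1], name
            }
        }
        { check("request", $2); check("referer", $4); check("user-agent", $6) }
    ' "$@"
}

# Run against the constructed sample; pass real log paths to scan_log instead.
sample_log | scan_log
```

A hit shows that someone sent the pattern, not that it succeeded; whether the server was affected depends on whether the request reached a CGI running under an unpatched Bash.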

What does this mean?

It means that it is imperative to patch BASH to the latest version immediately as the exploits are already propagating through the internet. We have already patched the services listed above. But if you have an unmanaged VPS or dedicated server it is imperative that you patch it.

Friday, September 26, 2014
