Shellshock a.k.a. Bashdoor / Bash bug
Bruce Maggs

Bash Shell
• “Bourne Again SHell”, released June 7, 1989.
• Unix shell providing built-in commands such as cd, pwd, echo, exec
• Platform for executing programs
• Can be scripted

Environment Variables
Environment variables can be set in the Bash shell, and are passed on to programs executed from Bash.
    export VARNAME="value"
(use printenv to list environment variables)

[Screenshot: environment variable settings in a Cygwin Bash shell, listed using printenv]

Stored Bash Shell Script
An executable text file that begins with #!program
Tells bash to pass the rest of the file to program to be executed.
Example (pass a list of commands to bash itself):
    #!/bin/bash
    export STR="Hello World!"
    echo "$STR"

[Screenshot: Hello World! example]

Dynamic Web Content Generation
• Web server receives an HTTP request from a user.
• Application server runs a program to generate a response to the request.
• Program output is sent to the browser.

Common Gateway Interface (CGI)
• Oldest method of generating dynamic Web content (circa 1993, NCSA)
• Operator of a web server designates a directory, typically cgi-bin, to hold scripts (typically Perl) that can be run on HTTP GET, PUT, or POST requests to generate output to be sent to the browser.
• Example URL that runs a script on GET: http://example.com/cgi-bin/printenv.pl

CGI Input
    http://example.com/cgi-bin/printenv.pl/foo/bar?var1=value1&var2=with%20percent%20encoding
• PATH_INFO environment variable holds any path that appears in the HTTP request after the script name: /foo/bar
• QUERY_STRING holds key=value pairs that appear after ? (question mark): var1=value1&var2=with%20percent%20encoding
• Most HTTP headers are also passed as environment variables
• In case of PUT or POST, user-submitted data is provided to the script via standard input

CGI Output
Anything the script writes to standard output (e.g., HTML content) is sent to the browser.

Example Script (Wikipedia)
Bash script that invokes Perl to print out environment variables
    #!/usr/bin/perl
    # Emit the CGI header, terminated by a blank line, then the environment.
    print "Content-type: text/plain\r\n\r\n";
    for my $var ( sort keys %ENV ) {
        printf "%s = \"%s\"\r\n", $var, $ENV{$var};
    }
Put in file /usr/local/apache/htdocs/cgi-bin/printenv.pl
Accessed via http://example.com/cgi-bin/printenv.pl

Windows Web Server Running cygwin
    http://example.com/cgi-bin/printenv.pl/foo/bar?var1=value1&var2=with%20percent%20encoding

    DOCUMENT_ROOT="C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs"
    GATEWAY_INTERFACE="CGI/1.1"
    HOME="/home/SYSTEM"
    HTTP_ACCEPT="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
    HTTP_ACCEPT_CHARSET="ISO-8859-1,utf-8;q=0.7,*;q=0.7"
    HTTP_ACCEPT_ENCODING="gzip, deflate"
    HTTP_ACCEPT_LANGUAGE="en-us,en;q=0.5"
    HTTP_CONNECTION="keep-alive"
    HTTP_HOST="example.com"
    HTTP_USER_AGENT="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0"
    PATH="/home/SYSTEM/bin:/cygdrive/c/progra~2/php:/cygdrive/c/windows/system32:..."
    PATH_INFO="/foo/bar"
    QUERY_STRING="var1=value1&var2=with%20percent%20encoding"

Defining Functions in Environment Variables
Function (i.e., command script) definitions can be stored in Bash as environment variables whose values begin with ()
    $ export say_hello='() { echo hello; }'
    $ bash
    $ say_hello
    hello
When a new bash shell starts, inherited environment variables are scanned for function definitions, and a command is executed to install each new function.

Shellshock Vulnerability
• Disclosed September 24, 2014.
• Error in environment variable parser/executor causes “garbage” characters after function definition to be executed during installation.
• Vulnerability has been present since version 1.03 of Bash, which was released in September 1989.

Shellshock Vulnerability Test
    env x='() { : ; }; echo vulnerable' bash -c "echo this is a test"
• env command sets an environment variable x and then runs another command, bash -c "echo this is a test", with that environment variable set
• bash -c starts a new shell then runs the command listed after -c (which is echo this is a test)
• The new bash shell inherits the environment variable x, and evaluates it before running the command
• In installing the new function x, the new bash shell erroneously executes 'echo vulnerable'

[Screenshot: Cygwin Bash shell shows vulnerability]
Exact syntax matters!

Crux of the Problem
• Any environment variable value can contain a function definition with extraneous trailing characters that the Bash parser will execute before it runs a program.
• Environment variables can be inherited from other parties, who can thus inject code that Bash will execute.

Bash Source Code - Error
CVE-2014-6271
Each environment variable string is parsed and executed. Flags SEVAL_NONINT and SEVAL_NOHIST are passed to the function.

[Source listing: generic function for parsing and executing commands]

Patch
When setting environment variables, function parse_and_execute is now told to only allow a single command, which must be a function definition.

Web Server Exploit
Send a web server an HTTP request for a script with an HTTP header such as USER-AGENT set to
    () { : ; }; rm *.*
Before the Bash shell runs the script it will evaluate the environment variable HTTP_USER_AGENT and run the rm command.

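The CGI input mapping and the patched single-function-definition rule described above can be turned into a defender-side check. The following is an added example, not code from the slides or from Bash: the function names are hypothetical, the brace matching is a simplification that ignores quoting, and the sample requests are constructed, using the harmless echo test string.

```python
import re

# Matches the "() {" opening of a function-definition value; whitespace is
# treated leniently, which is a choice made for this detector.
FUNCDEF_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")

def cgi_environment(request_line, headers, script_name):
    """Build CGI variables from a request, following the mapping in the slides."""
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    extra = path[len(script_name):] if path.startswith(script_name) else ""
    env = {"REQUEST_METHOD": method, "PATH_INFO": extra, "QUERY_STRING": query}
    for name, value in headers.items():
        # Header "User-Agent" becomes environment variable HTTP_USER_AGENT.
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def trailing_text(value):
    """Text after the function body's closing brace; None if value is not
    shaped like a function definition. Quoting is ignored (simplification)."""
    match = FUNCDEF_PREFIX.match(value)
    if not match:
        return None
    depth = 1
    for index in range(match.end(), len(value)):
        if value[index] == "{":
            depth += 1
        elif value[index] == "}":
            depth -= 1
            if depth == 0:
                return value[index + 1:].strip(" ;\t")
    return value[match.end():].strip()  # body never closes: report the rest

def suspicious_variables(env):
    """Map each function-shaped variable to the commands trailing its body."""
    found = {name: trailing_text(value) for name, value in env.items()}
    return {name: rest for name, rest in found.items() if rest is not None}

def patched_import_accepts(value):
    """Simplified model of the fix: accept only a lone function definition."""
    return trailing_text(value) == ""

# Constructed sample requests (not captured traffic).
BENIGN = cgi_environment(
    "GET /cgi-bin/printenv.pl/foo/bar?var1=value1 HTTP/1.1",
    {"Host": "example.com", "User-Agent": "Mozilla/5.0"}, "/cgi-bin/printenv.pl")
PROBE = cgi_environment(
    "GET /cgi-bin/printenv.pl HTTP/1.1",
    {"User-Agent": "() { : ; }; echo vulnerable"}, "/cgi-bin/printenv.pl")
```

Calling suspicious_variables(PROBE) reports HTTP_USER_AGENT together with the command that trails the function body, which is the part a vulnerable Bash would have executed.
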
Purported WopBot Attack on Akamai
There have been news reports indicating that Akamai was a target of a recent ShellShock-related BotNet attack. (See information about WopBot). Akamai did observe DDOS commands being sent to an IRC-controlled botnet to attack us, although the scale of the attack was insufficient to trigger an incident or need for remediation. Akamai was not compromised, nor were its customers inconvenienced. We receive numerous attacks on a daily basis with little or no impact to our customers or the services we offer.
https://blogs.akamai.com/security/