Shellshock (vulnerability)

from Wikipedia, the free encyclopedia
Shellshock logo used by Fedora Magazine

Shellshock is a vulnerability, or rather a family of vulnerabilities (CVE numbers CVE-2014-6271, … -7169, -7186, -7187, -6277, -6278), in the Unix shell Bash. In Bash, the value of a string variable can contain a function definition. Because of the security gap, program code appended to such a variable is executed without any check when the variable is evaluated. The first discovery (CVE-2014-6271) was made public on September 24, 2014. In the NIST rating used for damage potential it received a score of 10, the maximum. The first patch was released the same day, but security experts from Google Inc. and Red Hat (Tavis Ormandy, Michał Zalewski, Florian Weimer) soon found similar holes that received their own CVE numbers and "survived" the first patch. Meanwhile (as of November 3, 2014) there appear to be no further complaints about the available patches; the last variant was published by NIST on September 30, 2014.

Problem

The vulnerability affects Bash versions from 1.03 to 4.3, which are widely used on GNU/Linux, macOS and other Unix-based operating systems. Shellshock is considered particularly problematic because numerous web servers use Bash to execute CGI scripts.

The security gap can be exploited wherever an attacker can set variables that are then evaluated by a Bash instance running with higher privileges. Examples are:

  • Web server: CGI scripts that invoke Bash could be made to execute arbitrary code.
  • Secure Shell: users whose rights are limited to the execution of certain commands can circumvent this restriction.
  • DHCP: when connected to a malicious DHCP server, an attacker could execute arbitrary code on the DHCP client.
  • The CUPS print service could be used by legitimate users to execute arbitrary code.
  • Session Initiation Protocol (SIP) proxies can be vulnerable to Shellshock.
  • The IBM Hardware Management Console, a rudimentary Linux variant for administrators of IBM systems, allows "breaking out" of its "restricted shell" in order to invoke bash, after which one has full control over the system.

Hundreds of millions of computers are said to be affected worldwide. Researchers believe the vulnerability is more serious than the Heartbleed bug. Shellshock was discovered by Stéphane Chazelas and has existed in Bash since 1989.

On October 6, it was reported that servers of Yahoo, WinZip and Lycos had been affected by Shellshock. Jonathan Hall gained access to WinZip's servers, where he found malware that connected to Yahoo and Lycos servers. The next day this was put into perspective, especially with regard to the claim that Shellshock was the cause of the alleged compromise.

Check for vulnerability

Bash version

Whether the shell is vulnerable (to the first variant, CVE-2014-6271) can be tested by entering the following on the command line. On a vulnerable shell, running

env x='() { :;}; echo shellshockverwundbar' bash -c ""

outputs shellshockverwundbar, while a protected system outputs nothing or an error message.

The following sequence tests whether the system also has a patch for the second variant, CVE-2014-7169:

env X='() { (a)=>\' sh -c "echo date"; cat echo

With a vulnerable shell, a timestamp appears in the output:

date
Fr 26. Sep 13:00:00 CEST 2014

If the shell is protected against this variant, the output is:

date
cat: echo: Datei oder Verzeichnis nicht gefunden

Server

To check whether a server has already been attacked, e.g. via CGI scripts, search the access log for characteristic entries, for example ones containing the string "};" as in the following example ("0.0.0.0" stands for an IP address):

0.0.0.0 - - [29/Sep/2014:09:12:11 +0300] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 2311 "-" "() { :;}; /bin/ping -c 1 0.0.0.0"
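The log search described above, written out as a small script so it can be run over a real access log. This is an added example and not part of the article; the log lines are constructed sample data in Apache combined format ("0.0.0.0" stands for client addresses, the request paths are made up), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the article: find access-log lines in which a
# request header carries the Shellshock marker. Web servers pass request
# headers such as User-Agent to CGI scripts as environment variables, which
# is how the marker reaches bash. Sample log lines below are constructed.

SAMPLE_LOG='0.0.0.0 - - [29/Sep/2014:09:12:11 +0300] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 2311 "-" "() { :;}; /bin/ping -c 1 0.0.0.0"
0.0.0.0 - - [29/Sep/2014:09:15:02 +0300] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
0.0.0.0 - - [29/Sep/2014:09:20:47 +0300] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "-" "() { :;}; echo shellshockverwundbar"'

# Print every line in which a quoted field begins with "() {", the exact
# prefix that vulnerable bash versions recognised as an exported function.
# Reads stdin, so it can be used as: shellshock_hits < /var/log/apache2/access.log
shellshock_hits() {
    grep -E '"\(\) \{'
}

# For each hit, print the client address and the injected header value,
# which is the indicator worth preserving for incident response.
shellshock_report() {
    shellshock_hits | sed -E 's/^([^ ]+) .*"(\(\) \{[^"]*)"$/\1: \2/'
}

# Number of hits in the embedded sample (two of the three lines match).
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_hits | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | shellshock_report
```

The pattern deliberately requires the opening quote of a log field directly before `() {`: a legitimate header value is very unlikely to start that way, whereas a probe places the marker at the very beginning of the header value because bash only treated a variable as a function definition when its value began with it.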

Technical background

Bash allows variables and functions to be defined for use in the current Bash instance or within the current Bash script. In addition, if a Bash instance spawns another Bash instance (as a child process), the latter can "inherit" both variables and functions. To do this, the name of the variable or function must be preceded by the keyword export (or by the env command when the child is invoked).

Variables and functions are exported via environment variables. Since environment variables can hold only simple key-value pairs (key: variable name, value: variable value), functions must be encoded as a string when exported. Bash uses specially formed environment variables for function definitions: their content begins with the string "()". At start-up, Bash checks every available environment variable for function definitions, and for every definition found a corresponding function is created automatically in the new Bash instance.

The bug lies in the parsing of these function definitions. It allows additional code to be appended to the actual function definition, which Bash executes immediately and without any check while parsing the environment variable, even if the function is never called. An attacker therefore only needs to be able to set environment variables in order to smuggle executable code into the Bash instance. This is the case with CGI applications, among others, since there the request parameters controlled by the client are also passed in the form of environment variables.

Example: Exporting a function in Bash

The following command sequence exports the "myfunc" function, which leads to the creation of a corresponding environment variable:

# define the function
myfunc () { echo "Hello world!"; }

# export it
export -f myfunc

# print the environment variables
printenv

Output:

# [...]
myfunc=() { echo "Hello world!"
}

Example: Exploiting the “Shellshock” loophole

The first command line under "Check for vulnerability" above starts a new Bash instance, with the env command setting the environment variable x to the value () { :;}; echo shellshockverwundbar. The actual function definition () { :;} is followed by the (harmless) command echo shellshockverwundbar.
A vulnerable version of Bash runs the appended command unchecked and prints the text shellshockverwundbar on the console.
A potential attacker can have Bash execute arbitrary commands in the same way.
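The two checks from "Check for vulnerability" and the export mechanism from "Technical background", combined into one script that runs against the bash installed on the machine. This is an added example and not part of the article; it assumes a bash binary on PATH, everything else is POSIX sh, and the function names are my own. The only command it ever lets bash run from a variable is the article's echo.

```shell
#!/bin/sh
# Added example, not from the article: show how an exported function travels
# through the environment and run the article's two checks against the local
# bash. Assumes `bash` is on PATH.

# Name of the environment variable that carries an exported function.
# Unpatched bash stored it under the bare function name ("myfunc"), which is
# why any variable whose value started with "() {" could be mistaken for a
# function. bash 4.3 patch 30 and later use the reserved prefix
# "BASH_FUNC_myfunc%%" (some vendor patches used "BASH_FUNC_myfunc()"), so
# ordinary variables are never parsed as functions any more.
exported_function_var() {
    bash -c 'myfunc() { echo "Hello world!"; }; export -f myfunc; env' \
        | grep -E '^(BASH_FUNC_)?myfunc(%%|\(\))?=\(\)' | cut -d= -f1
}

# First check from the article (CVE-2014-6271): a vulnerable bash runs the
# command appended after the function body while importing variable x.
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo shellshockverwundbar' bash -c '' 2>/dev/null)
    if [ "$out" = shellshockverwundbar ]; then echo vulnerable; else echo patched; fi
}

# Second check (CVE-2014-7169): the broken definition leaves a dangling
# redirection in the parser, so "echo date" turns into "date > echo" and a
# file named "echo" holding a timestamp appears. Run in a scratch directory
# so the file never lands in the caller's working directory.
check_cve_2014_7169() {
    tmp=$(mktemp -d) || return 1
    (cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1)
    if [ -f "$tmp/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$tmp"
}

printf 'exported function variable: %s\n' "$(exported_function_var)"
printf 'CVE-2014-6271: %s\n' "$(check_cve_2014_6271)"
printf 'CVE-2014-7169: %s\n' "$(check_cve_2014_7169)"
```

On a current bash the first line shows BASH_FUNC_myfunc%% rather than the bare myfunc seen in the printenv output above, and both checks report "patched"; a bash that reports "vulnerable" for either check still needs the corresponding distribution update.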

Chronology of the variants

No.  CVE            Discoverer                  Announcement (2014)  NIST publication (2014)  Bash patch
1.   CVE-2014-6271  Stéphane Chazelas           September 12         September 24             bash43-025
2.   CVE-2014-7169  Tavis Ormandy               September 24         September 24             bash43-026
3.   CVE-2014-7186  Todd Sabin, Florian Weimer  September 25         September 28             bash43-027
4.   CVE-2014-7187  Florian Weimer              September 27         September 28
5.   CVE-2014-6277  Michał Zalewski             September 27         September 27
6.   CVE-2014-6278  Michał Zalewski             September 29         September 30

The variants refer to different patch levels of Bash 4.3:

  • CVE-2014-6271 (September 12-24) is a vulnerability of Bash 4.3 at patch level bash43-024.
  • CVE-2014-7169 (September 24) is a vulnerability of Bash 4.3 at patch level bash43-025 (and bash43-024).
  • The other variants, published by NIST from September 27 on, are vulnerabilities of Bash 4.3 at patch level bash43-026 (and older).

The patches by maintainer Chet Ramey listed in the table were issued directly and explicitly as fixes for the vulnerability in the same row.

The discoverers' names serve to identify the vulnerabilities in e-mails, postings and articles that preceded the entry in NIST's National Vulnerability Database, which assigned the label.

Patches

Source code

For CVE-2014-6271, Bash maintainer Chet Ramey first supplied patch bash43-025 for Bash 4.3 to distributions in advance, before the vulnerability was published on September 24. For CVE-2014-7169, bash43-026 followed on the same day. For CVE-2014-7186, Florian Weimer of Red Hat posted a patch "privately" the following day, which Ramey adopted as bash43-027. This helped those able to rebuild the bash executable from the source code.

Linux

Updates (new packages, instructions, notes) for Linux distributions such as Red Hat Enterprise Linux (commercial), Fedora 21 (the free Red Hat distribution), the long-term support versions of Ubuntu and SUSE Linux Enterprise appeared from Friday to Sunday following the release of bash43-027.

Users relying on their distribution's regular automatic update notifications received a fixed bash more or less automatically; otherwise the bash package can be updated on its own.

Mac OS X

Versions 10.7-10.10

For Mac OS X, Apple released a patch for OS X 10.9 Mavericks, OS X 10.8 Mountain Lion and OS X 10.7 Lion on September 29, 2014 that closes the security gap; OS X 10.10 Yosemite was likewise secured a day later, starting with public beta 4, preventing the unauthorized execution of malicious code.

Older versions

Older OS X versions are no longer patched by Apple, but on such systems the bash binary can be replaced with an updated version.

IBM

IBM is offering a patch for its Hardware Management Console that will fix all six holes discovered in September 2014.

"Sustainability"

Even after the updates based on bash43-027 were released, further Shellshock variants were discovered or published, most recently CVE-2014-6278 on September 29 and 30 by Michał Zalewski of Google Inc. On October 1, 2014, however, Zalewski stated (alongside his own findings) that Florian Weimer's patch of September 25, which was incorporated into bash43-027, also closes the gaps found later.
