The Shellshock Vulnerability and How To Combat It

I’m probably starting to show my age, but when I hear the word “Shellshock,” the first thing I think of is the old Teenage Mutant Ninja Turtles cartoons.  But unfortunately, the Shellshock we are talking about has nothing to do with pizza-loving reptiles, and everything to do with a gaping security hole affecting many of your Internet-connected devices.  Here’s what Shellshock (a.k.a. the “Bash bug”) is all about, and why you should care:

What is it?

There are a few terms and technologies contributing to the Shellshock nickname.  First up is Bash, which is a command-line interface used in Mac, Linux, and many other operating systems and devices.  This interface, often referred to as accessing the “shell,” can be used to enter commands to perform various actions on a system, such as editing files, running tools, or initiating a restart or shutdown.

The heart of the Shellshock problem is that when these Bash commands are tweaked for potentially malicious purposes, really really really bad stuff can happen all across the Internet.

I Don’t Run Macs or Linux, Can I Stop Reading Now?

No–please don’t! 

This still matters to you.  You may not directly run these operating systems on the machines you use every day, but Linux is everywhere.  It could be found on video cameras, routers, and other devices on your home or work network, and is prevalent on thousands and thousands of Web servers scattered across the Internet.

To understand the seriousness of this issue, we have to get a little nerdy first and look at an example Bash command:

/bin/eject

This simple command, when executed on some Linux servers, will eject the CD drive.  No harm done there, right?

Ok, but what if I could somehow modify that command and, from my comfy office in Waconia, use it to make a server across the Internet eject its CD drive?  Wouldn’t that be cool?  Well, if my target server was vulnerable to Shellshock, I could do exactly that with this command:

curl -H “User-Agent: () { :; }; /bin/eject” http://www.example.com/

Again, this looks like a bunch of gibberish, right?  But when we break it down, here’s essentially what this command is doing: first, it is asking www.example.com to display its Web content, much like it would if you visited www.example.com in a Web browser.  Next, as my computer and the Web site send data back and forth to complete this connection, my computer sends the characters () { :; };

And here’s the bug: the server misinterprets the /bin/eject command as something to ignore or discard, and runs it instead. Wa-lah! The CD tray pops open!

I Don’t Run a Web Server Either

In the example above I used a command which caused a Web server to eject its CD tray. 

Just a silly trick to show friends at parties, right? 

But use your imagination and think of some of the more sinister things I could do with this Shellshock vulnerability. Maybe I could figure out a way to make thousands of these severs attack your corporate network. Or I could craft a command to make the server send me sensitive information it has stored about you, such as your name, address, phone number, password, purchase history, credit card information…the possibilities are endless!

And keep in mind, this vulnerability does not require any advanced skills on my part.  I do not have to steal any usernames or passwords of people who administer these servers, download any special software or take a master’s class in hacking. 

Nope, just a quick Google search and about 10 minutes of my time would be all I needed to start launching attacks on vulnerable servers and potentially do damage to your networks, accounts, and sensitive information. 

And that is why you should be concerned with the Shellshock vulnerability.

So what can I do about it?

If you are running Macs in your environments, check the support article Apple has published about the Bash bug, and download/install the appropriate patch.

On Linux systems, you can usually do a quick Google search for the type of Linux you run and the word “Shellshock” to find articles and instructions containing a fix.  For instance, I run Ubuntu, and by searching for Ubuntu Shellshock I was treated to this nice article which walks me through patching the bug.

Don’t stop here.  In your home or corporate network, you need to check other devices that may be vulnerable, such as video cameras, routers and backup devices.  Tripwire offers a free tool to scan up to 100 internal IP addresses for free.  Depending on what devices are identified as being vulnerable, head to that vendor’s Web site and search for any knowledge base articles or updates that might be available.

If you are concerned about the Shellshock vulnerability on your servers that are accessible via the Internet, this tool can help you test them.

Conclusion

The Shellshock vulnerability is a big deal. Even though it’s an older vulnerability, the fact is that many companies still run older systems, forget to patch, etc. If this is you, it’s still possible that you’re susceptible to this.

For assistance with Shellshock vulnerability (or any other vulnerability) management, patching, and scanning, visit frsecure.com to learn more.


Incident Response Plan Template

FRSecure on FacebookFRSecure on LinkedinFRSecure on TwitterFRSecure on Youtube
FRSecure
FRSecure is a full-service information security management company that protects sensitive, confidential business information from unauthorized access, disclosure, distribution and destruction.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *