Everything you need to know about Bash Bug "ShellShock"


A new critical security vulnerability in the BASH shell, the command-line shell used in many Unix and Linux operating systems, leaves a large number of systems at security risk. The bug also affects Mac OS X.

CVE Number: CVE-2014-6271

Technical Details: 

Here is technical details of the vulnerability, posted by Florian Weimer in Seclists:

"Bash supports exporting not just shell variables, but also shell functions to other bash instances, via the process environment to (indirect) child processes.  Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment.

The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition.  For example, an environment variable setting of

  VAR=() { ignored; }; /bin/id

will execute /bin/id when the environment is imported into the bash process. (The process is in a slightly undefined state at this point. The PATH variable may not have been set up yet, and bash could crash after executing /bin/id, but the damage has already happened at this point.) "

Proof of Concept:
env e='() { Ignored; }; echo Vulnerable' bash -c "echo Hello"

Running the above command in Linux Terminal prints "vulnerable" and "Hello".So what exactly is happening here.

The 'env' command used to either print a list of environment variables or run another utility in an altered environment without having to modify the currently existing environment.

Here, the utility is 'bash' that executes the 'echo hello' command - and the environment variable 'e' is imported into the 'bash' process.

The bash shell process the function definition "() { Ignored; };"and then executes the "echo vulnerable" command.

* You can use the above POC code to test whether your system is vulnerable or not.

Real world Attack Scenario:

CGI stores the HTTP headers in environment variables. Let's say the example.com is running a CGI application written in Bash script.

We can modify the HTTP headers such that it will exploit the shellshock vulnerability in the target server and executes our code.

POC:

curl -k http://example.com/cgi-bin/test -H "User-Agent: () { :;}; echo Hacked > /tmp/Hacked.txt"
Here, the curl is sending request to the target website with the User-Agent containing the exploit code.  This code will create a file "Hacked.txt" in the "/tmp" directory of the server.

Who should be worried?
An attacker needs to send a malicious environment variable to an application that interacting with the Internet and this application should have either written in Bash or execute bash script within the app. So, Normal Desktop users are likely not affected by this bug.

However, if you are admin of a website and running CGI app written in BASH or using Bash script, You should be worried.

Metasploit Module:

A Metasploit Module has been released that exploits a code injection in specially crafted environment variables in Bash, specifically targeting Apache mod_cgi scripts through the HTTP_USER_AGENT variable.

You can find the module here.

Malware:
Cyber Criminals are already started to exploit this vulnerability for the malicious purpose.  A malware(ELF format) named as 'Linux/Bash0day', found by @yinettesys.

"Cybercriminals exploit bash 0day to get the ELF malware into web servers. ELF scans routers IP and sends exploit busybox to hack routers and doing DDoS." Malware Must Die who analyzed the malware told EHN.

"If exploit busybox hits the target, they will try to gain shell /bin/sh & brute the default login/passwords commonly used by routers"


Strings contained in the Malware sample

At the time of writing, the detection ratio in Virustotal is 0/55.

You can find the malware sample and more details of the malware at KernelMode website.

Wormable:
Robert Graham of Errata Security says the bug is wormable.  He wrote a script that scans the Internet and finds the vulnerable machines. So far, he found nearly 3,000 vulnerable systems on port 80.

"Consequently, even though my light scan found only 3000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems." Graham wrote in his blog post.

DHCP RCE Proof of Concept:
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/


ModSecurity Rules:
RedHat has posted several mod_security rules that helps to prevent the attack:

Request Header values:

SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:1000000,t:urlDecode,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

SERVER_PROTOCOL values:

SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:1000001,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

GET/POST names:

SecRule ARGS_NAMES "^\(\) {" "phase:2,deny,id:1000002,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

GET/POST values:

SecRule ARGS "^\(\) {" "phase:2,deny,id:1000003,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

File names for uploads:

SecRule  FILES_NAMES "^\(\) {"  "phase:2,deny,id:1000004,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271  - Bash Attack'" 
Patch:
A Patch has been released which ensures that no code is allowed after the end of a Bash function.  If you try to run the exploit code after applying the patch, you will get the following error message:



Unfortunately, the patch is incomplete, it still can be bypassed.  There is a workaround here, but it is not advisable. "CVE-2014-7169" has been assigned for the incomplete fix.

If you think we missed any information, feel free to comment here, we will add it to the article.

---------------------------------

Additional details:
This details isn't for you if you already know how export functions,'env' commands work :

Bash Export function-definition feature: 



Defining a function in Bash script:

       hello(){ echo "Hello World";}

Calling function in Bash script:
   hello

Create a child bash process and call our user-defined function:
bash -c hello

It won't work, because the child bash process doesn't aware that there is user-defined function called "hello". So, what to do?! Let us add the 'hello' function to the environment variable with Export command:

export -f hello

This will export the 'hello' function to the child process.  Let's try to create the child bash process again:

bash -c hello

Now the function is called without a problem.


We can achieve the samething in a single line with 'env' command. Let me first explain what 'env' command does.



'env':


The 'env' command used to either print a list of environment variables or run another utility in an altered environment without having to modify the currently existing environment.

Let's try to print environment variables with bash(creating child process):

bash -c printenv



The above command will print environment variables. Using 'env' command, you can pass a temporary environment variables to the child process:

env e="hello" bash -c printenv


Now, If you check the printed environment variables, you can find the "e='hello" in the result :)

Function passing with env command:

env hello='() { echo Hello World;};' bash -c hello

Vulnerability in Android default browser allows attackers to hijack Sessions


A Serious vulnerability has been discovered in the Android default browser(AOSP) that allows a malicious website to bypass "Same Origin Policy(SOP)" and steal user's data from other websites opened in other tabs. AOSP browser is the default browser in Android versions older than 4.4. 

What is Same Origin Policy?
SOP plays an important role in the Web Security, restricts a website from accessing scripts and data stored by other websites.  For example, the policy restricts a site 'Y' from accessing the cookies stored by site 'X' in user's browser.

Same Origin Policy Bypass:
Rafay Baloch, a security researcher, found a security flaw in the "Same Origin Policy" system used by the AOSP browser.  The bug allows the website 'Y' to access the scripts and user's data stored by website 'Y'.

Imagine You are visiting attacker's website while your webmail is opened in another tab, the attacker is now able to steal your email data or he can steal your cookies and could use it to compromise your mail account.

Proof of Concept:
<iframe name="test" src="http://www.example.com"></iframe>
<input type=button value="test"
onclick="window.open('\u0000javascript:alert(document.domain)','test')" >


"Its because when the parser encounters the null bytes, it thinks that the string has been terminated, however it hasn't been, which in my opinion leads the rest of the statement being executed." Rafay said in his blog.

Metasploit Module:
Rafay published the poc on his blog in August.  However, it remained largely unnoticed until rapid7 released a metasploit module that exploits the vulnerability.
http://www.rapid7.com/db/modules/auxiliary/gather/android_stock_browser_uxss

This browser also known for the remote code execution vulnerability, has been discontinued by Google. But older versions of Android do come with this browser.

What you should do?
Stop using the default android browser, Use Google Chrome or Mozilla.

Bug in Joomla! Extension VirtueMart allows hacker to gain Super Admin access

Security researchers at Sucuri found a critical security vulnerability in  VirtueMart, a popular e-commerce extension for the Joomla which has been downloaded more than 3.5 million times.

The vulnerability allows a malicious user to easily gain super admin privilege. With the Super Admin access, the hacker has full control of the website.

Sucuri removed the technical details about the bug after receiving a request from the developer of VirtueMart.

"VirtueMart uses Joomla’s JUser class “bind” and “save” methods to handle user accounts information. That’s not a problem in it of itself, but this class is very tricky and easy to make mistakes with." Researcher wrote in Sucuri's blog post.

VirtueMart has claimed the bug is in Joomla. Researchers at Sucuri also believe the problem is on the Joomla class itself. However, few Joomla experts disagree with the VirtueMart and Sucuri.

"The vulnerability is in VirtueMart's amateurish use of JUser, not the JUser class itself. JUser is a low level API in Joomla! which expects filtered input." Nicholas Dionysopoulos, a contributer to Joomla Project, posted in a Facebook post.

"The modus operandi of programmatic user account creation in Joomla! is to first filter the input using JInput (typically through JFactory::getApplication()->input, not a new object instance), construct an array with only the keys you need and the pass this to JUser. "


The bug was discovered last week and have been fixed in the latest version of VirtueMart(v2.6.10).

Security Vulnerability in Android allows any app to make phone calls

An application normally needs permission and should alert user that it needs permission to make phone call, when it is being installed.

Researchers at Security firm CureSec has discovered a security flaw in the Android system that allows malicious applications to initiate unauthorized phone calls. 

By exploiting this vulnerability, malicious apps can make phone calls to premium-rated numbers and terminate any outgoing calls.  It is also capable of sending Unstructured Supplementary Service Data (USSD) codes that can be used for enabling call forwarding, blocking your sim cards and so on.

The security bug appears to be introduced in Android Jelly bean 4.1.1  and it exits in all latest versions through Android Kitkat 4.4.2.

CureSec has also released a source code and proof-of-concept application to demonstrate the existence of vulnerability.

The bug has been fixed in the latest version of android (v4.4.4).

Bug in GnuTLS allows hackers to run malicious code in Your Linux

Another major security vulnerability has been discovered in the popular cryptographic Library 'GnuTLS' that leaves Linux vulnerable to remote code execution.

GNUTLS is a free library implementing Secure Socket Layer(SSL), Transport Layer Security (TLS) and Datagram Transport Layer Security(DTLS) protocols which are used to offer secure communications.
 
"A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake." an entry posted on the Red Hat Bug Tracker reads.

Flaw: The read_server_hello function checks only whether the length of the Session ID does not exceed incoming packet size but it fails to ensure it doesn't exceed maximum length of Session ID.

A malicious server could exploit this vulnerability by sending a very long Session ID value and run a malicious code in "a connecting TLS/SSL client using GnuTLS".

In March, a different vulnerability was patched in GnuTLS Library that could have allowed attackers "to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker"

I've updated my Linux, Did you?

Update your Adobe flash player to stay safe


Few days after Microsoft published a security advisory about a new critical security bug in IE that is being used in limited and targeted attacks, Adobe has issued an emergency security update to fix a critical vulnerability(CVE-2014-0515) in flash player.

Please note that it is completely unrelated to IE Exploit in which bug was in IE and the flash file(.swf) used for making the attack successful.  But, in this case, the bug exists in the flash player plugin. 

So, people who use vulnerable version of Adobe Flash player likely to be vulnerable to this attack.

If you are using windows or Mac, make sure you have the latest flash player version 13.0.0.206.  If you are using Linux, make sure to update to the latest version 11.2.202.356.

This new zero-day flash exploit was spotted as being used in Watering-hole attacks by researchers at Kaspersky Labs in early April.

According to SecureList, this flash exploit spread from a Syrian Justice Ministry website(jpic.gov.sy).  Researchers believe the attack was designed to compromise the computers of Syrian dissidents complaining about the government.