Tag Archives: myths

ShellShock Shock

Posted on by 0 comment

With all the hype on shellshock I thought I’d write something up, try some hacks, find some examples.

In essence I see shell shock as a command injection vulnerability which I cannot see being anywhere near as bad as heartbleed and I’ll explain my reasoning throughout this post.

Vulnerable:
So from all the reading I’ve done most bash versions prior to being patched for ShellShock are vulnerable and will loose out when given the standard test
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
also from what I’ve read most versions of BusyBox are not included.

So now we know what is vulnerable lets have a look at what’s exploitable; and what’s exploitable remotely.

According to the redhat blog https://access.redhat.com/articles/1200223

The exploitable services are most likely:

  • httpd
  • Secure Shell (SSH)
  • dhclient
  • CUPS
  • sudo
  • Firefox
  • Postfix

 

So now lets look at the possibly remotely exploitable set.

  • httpd
  • Secure Shell (SSH)
  • dhclient
  • CUPS
  • Postfix

 

Now this list is still somewhat deceptive, SSH sounds remotely exploitable but in reality you need to be authenticated first so we can take that out of the list. dhclient this will provide much fun especially at SANS conferences and such when everyone is using kali liveCDs but dhcp isn’t really an internet protocol so we can rule that one out for this purpose. And we can put CUPS in a similar drawer, we could create a maliciously named printer but according to the redhat blog it would be a small set of conditions but no-one uses CUPS over the internet. Lastly postfix in my opinion it would just be bad programming to let your email server set system variables and the redhat blog tends to agree.  I actually run nginx on this blog and haven’t found any exploits referencing I did find this release by the nginx team(http://nginx.com/blog/nginx-cve-2014-6271-bash-advisory/) which ultimately leaves HTTPD/Apache.

Now according to the redhat blog mod_php, mod_perl, and mod_python are unaffected I have also tested mod_fastCGI and couldn’t get an exploit, so this leaves the standard mod_CGI. So we’ve cut our list down from ~90% of vulnerable targets to just those exploitable targets running antiquated mod_CGI pages. So although the vulnerability was more widespread than heartbleed the exploitability definitely is nowhere near it, even though the damage can be much worse.

 

And just because we’re still phishing for logos for ShellShock I’d like to propose a blue koopa shell from Mario;

MKwii_Blueshell