Friday, September 26, 2014

Shellshock - Awful.

Quick post:

This is bad.

This is really bad.

I'd been playing with it yesterday before it hit the media and was fascinated. Tonight, I got some time to really dig in and see what it was capable of.

***I will not be releasing what I did specifically, or how I did it. It's out there and pretty easily found, and it's unwise to publish something this powerful without vendor patches ready to fire. It's stupidly easy with the right tools; you can figure it out if you read below and you know what you're looking at. This is a mess of copypasta because I had to prune some of how I executed it, and I ran it a few times to ensure it was doing exactly what I wanted it to.

In short:

sh-3.00$ ls -all /etc/passwd
-rw-r--r-- 1 root root 1618 Sep 16 2009 /etc/passwd

sh-3.00$ whoami
sh-3.00$ ls

sh-3.00$ ls /var/www/html

sh-3.00$ ls -all /tmp
drwxrwxrwt 7 root root 4096 Sep 25 15:10 .
drwxr-xr-x 23 root root 4096 Jan 29 2013 ..
drwxrwxrwt 2 root root 4096 Jan 29 2013 .ICE-unix
drwxrwxrwt 2 root root 4096 Jan 29 2013 .font-unix
-rwxr-xr-x 1 apache apache 7152 Sep 25 2014 shelled.out
-rw-r--r-- 1 apache apache 0 Sep 25 15:10 test.txt
-rw-r--r-- 1 apache apache 0 Sep 25 15:10 thisactuallyworked.txt
-rw-r--r-- 1 apache apache 0 Sep 25 15:10 thisactuallyworked2.txt
drwxr-xr-x 2 root root 4096 Jan 2 2013 vmware-block-insert0
drwxr-xr-x 2 root root 4096 Aug 8 2012 vmware-block-insert1
drwx------ 2 root root 4096 Jan 29 2013 vmware-root
-rwxr-xr-x 1 apache apache 255 Sep 25 15:10
-rw-r--r-- 1 apache apache 255 Sep 25 2014 wget.txt
-rw-r--r-- 1 apache apache 0 Sep 25 15:10 youvebeenshelled

sh-3.00$ ls -all /etc/passwd
-rwxrwxrwx 1 root root 1618 Sep 16 2009 /etc/passwd
sh-3.00$ ls /var/www/html

With a series of 7 scripts, executed via an unprivileged webserver daemon (you're seeing the reverse shell I popped with it), I was able to completely compromise the server, copy sensitive information to TXT files stored in the webserver directory, and then crash the server, effectively DoS'ing it.

Bash >=4.3 is vulnerable to this thing, and there are so many ways to weaponize it that I can't even begin to list them. I just put together an attack that would be useful for my own purposes and shows how effective it can be in capable hands. I'm sure that parties are working on weaponizing this thing via SK tools right now.

I don't care what the after-effects of any vendor patch are; you need to get out of this thing NOW. Non-Windows machines are affected. It's a bit of a weird exposure because of how vital the things that *are* affected tend to be. It's an odd runway to land on: your Apple TV is probably affected... but not your desktop. Your firewall/appliance/website (if they're *ix based) likely are, but not your AD environment.

It's going to be tough to explain to the layman how powerful this tool is in the right hands, and that right now it's not as sleek and sexy as Heartbleed but likely far more devastating.

Heartbleed was shotgun accuracy in terms of gathering useful information and had to run for a bit to really farm good data.

This is a sniper shot, and much of it can be hidden as legitimate website traffic, kept internal to a network, or used as a slash-and-burn tool.

Normally, if it doesn't affect a user's desktop or their phone, they don't care... which makes our lives hell.

How to test if you're vulnerable:

env x='() { :;}; echo THIS SERVER IS VULNERABLE.' bash -c "echo test"

If that echoes "THIS SERVER IS VULNERABLE." back (in addition to "test"), you're vulnerable. A patched bash prints only "test", usually with a warning that it ignored the function definition attempt. (Note the string to watch for has to be in the environment variable, not in the bash -c command; the -c command runs on every system, patched or not, so it proves nothing on its own.)
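A self-check script as an added example, not the post's own code: it runs the same environment-variable function-import test as the one-liner above, but looks for a constructed marker string rather than a human-readable message, so the verdict cannot be confused with the output of the harmless command that bash -c runs on every system. The function names and the marker are my own choices.

```shell
#!/bin/sh
# Added example: self-check for the Bash environment-variable function-import
# bug described in the post. Exit status of shellshock_check:
#   0 = vulnerable (bash ran code that followed the function body)
#   1 = patched    (trailing command ignored)
#   2 = no bash binary found, nothing to test

shellshock_check() {
    bash_bin=$(command -v bash) || return 2
    # Constructed marker: nothing else on the system should print this, so the
    # verdict is never confused with the harmless command that bash -c runs
    # everywhere (the weakness of an "echo THIS SERVER IS VULNERABLE" -c test).
    marker="SHELLSHOCK_MARKER_$$"
    # A vulnerable bash executes "echo $marker" while importing x from the
    # environment, before the -c command runs; a patched bash imports only the
    # function body (or refuses it with a warning on stderr, discarded here).
    out=$(env x="() { :;}; echo $marker" "$bash_bin" -c 'echo harmless' 2>/dev/null)
    case "$out" in
        *"$marker"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Human-readable wrapper: prints the verdict and passes the check's status through.
shellshock_report() {
    shellshock_check
    rc=$?
    case $rc in
        0) echo "VULNERABLE: bash executed a command appended to an exported function" ;;
        1) echo "patched: command after the function body was ignored" ;;
        *) echo "bash not found; nothing to test" ;;
    esac
    return $rc
}

shellshock_report
```

Run it on each *ix host you own (the exit status makes it easy to sweep from a loop or a config-management run); on anything built after the vendor patches it should report "patched".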
