Shell Shock (Bash Bug)
By Mahesh
Shell Shock is…
• Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell.
• The first of these was disclosed on 24 September 2014.
• An attacker could exploit a machine running Bash by forcing it to set specially crafted environment variables. This could then be further exploited to let them execute shell commands, i.e., run programs on other people's computers.
Who discovered it
• Stephane Chazelas (scientist) discovered a vulnerability in bash on 24 Sep 2014 at 16:05:51 (07:30 PM IST), Wednesday midnight in Australia.
• Within hours, hackers had released code that could take over vulnerable machines and turn them into a malicious botnet.
• Bash is free software, developed collaboratively and overseen since 1992 on a volunteer basis by Chet Ramey, who believes that Shellshock dates back to the introduction of a new feature.
Implementing
Issuing remote commands to the web server
Marker: (){
Example: VAR=() { ignored; }; /bin/id
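As an added example that is not part of the slides, a small Python detector for the CGI web-server vector described above: it scans access-log lines in the common "combined" format and flags any request line, Referer or User-Agent that carries the "() {" function-definition marker. The log format, field names and sample lines are constructed assumptions, not real traffic.

```python
import re
from urllib.parse import unquote

# A Shellshock payload starts with a bash function definition, "() {",
# in an environment-variable value; the slide shows both "(){" and
# "() { ignored; }", so allow optional whitespace between the tokens.
FUNC_DEF = re.compile(r"\(\s*\)\s*\{")

# Apache/nginx "combined" access-log format (assumed). A CGI server copies
# the request line, Referer and User-Agent into environment variables,
# which is how the marker reaches bash on a CGI-backed web server.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def shellshock_hits(log_lines):
    """Return (client_ip, field, value) for each log line whose request
    line, Referer or User-Agent carries the function-definition marker."""
    hits = []
    for line in log_lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not in combined format; nothing to inspect
        fields = {
            # The request line is URL-decoded so an encoded marker is also seen.
            "request": unquote(m.group("request")),
            "referer": m.group("referer"),
            "agent": m.group("agent"),
        }
        for name, value in fields.items():
            if FUNC_DEF.search(value):
                hits.append((m.group("ip"), name, value))
    return hits


# Constructed sample lines (not real traffic): one ordinary request, one
# probe in the User-Agent using the slide's test string, and one probe in
# the Referer using the slide's "/bin/id" form.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; echo vulnerable"',
    '198.51.100.9 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "(){ ignored; }; /bin/id" "curl/7.37"',
]

if __name__ == "__main__":
    for ip, field, value in shellshock_hits(SAMPLE_LOG):
        print(f"{ip} {field}: {value}")
```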
Related vulnerabilities
CVE-2014-6271 (Shell Shock)
CVE-2014-6277
CVE-2014-6278
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187
Major exploitation vectors
CGI-based web servers
OpenSSH server
DHCP
Qmail server
IBM HMC restricted shell
Which systems are affected
• Stand-alone Web servers
• Unix and Mac OS X systems
• Internet-connected devices
• Smart phones that use the Android operating system
• Every version of CentOS that was released before 31 September 2014 was impacted
How to test and protect our devices
Test:
Run the following command in a terminal:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you're vulnerable it will print
vulnerable
this is a test
Otherwise it prints only
this is a test
Protect:
Initial solutions for Shellshock do not completely resolve the vulnerability.
Upgrade to the latest version of bash.
Remove the AcceptEnv line from the default OpenSSH server configuration file.
Worse than Heartbleed
Heartbleed:
Heartbleed could be used to do things like steal passwords from a server.
Heartbleed went unnoticed for two years and affected an estimated 500,000 machines.
It requires more technical knowledge to exploit.
Shellshock:
Shellshock can be used to take over the entire machine.
Shellshock was not discovered for 22 years, and the sky is the limit on attacks with Shellshock.
It is very easy to exploit.
According to the NVD, both bugs have a severity score of 10/10.
Thank you.
Any queries?