By Mahesh

Shell Shock is…

• Shellshock, also known as Bashdoor, is a family of security

bugs in the widely used UNIX Bash shell.

• The first of which was disclosed on 24 September 2014.

• An attacker could exploit a machine running Bash by forcing it

to set specially crafted environment variables. This could then

be further exploited to let them execute shell commands, i.e.,

run programs on other people’s computers.

Who discovered

• Stephane Chazelas (Scientist) discovered a vulnerability in bash on 24 Sep 2014 16:05:51(07:30PM IST), Wednesday midnight in Australia.

• Within hours, hackers had released code that could take over vulnerable machines and turn them into a malicious botnet.

• Bash is free software, developed collaboratively and overseen since 1992 on a volunteer basis by Chet Ramey and believes that Shellshock dates back to a new feature.

Hacker scientist

OR

Implementing

Issuing remote commands to the web server-------------------------------------

(){-------------------------------------

Example: VAR=() { ignored; }; /bin/id

Related vulnerabilities

CVE-2014-6271—Shell Shock

CVE-2014-6277

CVE-2014-6278

CVE-2014-7169

CVE-2014-7186

CVE-2014-7187

Major exploitation Vectors

CGI-web based server

OpenSSH Server

DHCP

Qmail server

IBM HMC restricted shell

Which systems gets affected

• Stand-alone Web servers

• Unix and Mac OS X systems

• Internet-connected devices

• Smart phones that use the Android operating system

• Every version of CentOS that was released before 31 September 2014 was impacted

How to test and protect our devices

Test:

Run the following command on Terminal

env x='() { :;}; echo vulnerable' bash -c "echo this is a test“

If you’re vulnerable it will print

vulnerablethis is a test

Otherwise it prints only

This is test

Protect:

Initial solutions for Shellshock do not completely resolve the vulnerability.

Upgrade to the latest versions of bash

AcceptEnv line from the default configuration file

Heartbleed:

Heartbleed could be used to do things like steal passwords from a server

Heartbleed went unnoticed for two years and affected an estimated 500,000 machines

It requires more technical knowledge

Worse than Heartbleed

Shellshock:

Shellshock can be used to take over the entire machine

Shellshock was not discovered for 22 years and sky is the limit on attacks with Shellshock

it's so easy to exploit

According to NVD both bugs severity is 10 /10

References

http://www.wired.com/2014/09/shellshocked-bash/

http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

https://shellshocker.net/

http://readwrite.com/2014/10/02/shellshock-bash-bug-faq-explainer

http://www.engadget.com/2014/09/25/what-is-the-shellshock/

http://www.zdnet.com/the-shellshock-faq-heres-what-you-need-to-know-7000034219/

More….

Thank you….

Any queries….