Thursday, September 25, 2014

Bash Vulnerability Shellshock

It was still office hours when I just got information about the bash vulnerability.
It was quite interesting to see this year that the things which we believed to be the safest are gradually falling.

There was the SSH Heartbleed first and now the Bash vulnerability.
I was interested in this one in particular, because it involves shell stuff.

The way to test this vulnerability is to just execute:

------
env x='() { :;}; echo vulnerable' bash -c "echo haha"
------
When I saw this piece of command for the first time, it was mind boggling.
So let's check it piece by piece.

env : This command (a GNU coreutils program, not a bash builtin) is used for environment related operations.
Reference :
https://www.gnu.org/software/coreutils/manual/html_node/env-invocation.html

Basically we can set up an exact copy of the current working environment and execute another program in it separately, without affecting the working environment.

If you want to add some new variables to the new environment, it can be done by setting them with 'env':

env x="test"

Executing this command copies the existing environment variables and adds the new variable x to them.
Since no command is given after the variable, env also prints the resulting list of variables.

I think the attacker uses some kind of parsing trick of bash, wherein the attack command is set as an environment variable.

env x='() { :;}; echo vulnerable;'
>> this sets the environment variable x as 
-----
_=/usr/bin/env
x=() { :;}; echo vulnerable;
-----

So now the bash part.
Once you have your crafted environment variable ready, you just need to open up a new bash shell where it is set. Bash imports any variable whose value starts with "() {" as a function definition, and a vulnerable bash keeps parsing past the closing brace, so the command embedded in the variable gets executed.
-----
$ env x='() { :;}; echo vulnerable;' bash -c "echo haha" 
vulnerable
haha
-----
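To make the parsing trick concrete from the defender's side, here is an added example (not code from the original post) that looks through an environment for values shaped like an exported bash function and reports any commands trailing after the function body, which is exactly the part the fixed bash refuses to execute. The SAMPLE_ENV dictionary is constructed from the post's `env` output; the brace matching is a heuristic, not a real bash parser.

```python
# Constructed sample environment, modelled on the post's `env x=...` output.
SAMPLE_ENV = {
    "_": "/usr/bin/env",
    "x": "() { :;}; echo vulnerable;",
    "f": "() { echo hi; }",
    "PATH": "/usr/bin:/bin",
}


def split_function_export(value):
    """Return (body, trailer) if value looks like an exported bash function.

    Pre-fix bash treated any variable starting with "() {" as a function
    definition and kept parsing (and executing) whatever followed the
    closing brace.  Here the body is the text up to the brace that closes
    the definition and the trailer is everything after it.  Returns None
    if the value is not a function export at all.  Quoting inside the body
    is not handled; this is a heuristic check, not a bash parser.
    """
    if not value.startswith("() {"):
        return None
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return value[: i + 1], value[i + 1 :]
    # Unbalanced braces: treat the whole value as a (malformed) body.
    return value, ""


def find_shellshock_payloads(env):
    """Return {name: trailer} for variables carrying commands after a function body."""
    hits = {}
    for name, value in env.items():
        parsed = split_function_export(value)
        if parsed is None:
            continue
        _body, trailer = parsed
        if trailer.strip():
            hits[name] = trailer.strip()
    return hits


if __name__ == "__main__":
    for name, trailer in find_shellshock_payloads(SAMPLE_ENV).items():
        print(f"{name}: trailing commands after function body -> {trailer!r}")
```

Running it against SAMPLE_ENV flags only x, because f is a plain function export with nothing after its closing brace.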

One more thing which I tried was to replace this echo command with the env command itself, to check the variables' status at that point.
But to my surprise, I got a memory error.

------
$ env x='() { :;}; env;' bash -c "echo haha" 
>> Segmentation fault: 11
------

Check
tail /var/log/system.log
or crashLog 


I will update this page as and when I find anything interesting,
so please keep in touch.