I've been monitoring my Apache logs all day for the string "() {". So far Robert Graham's scan is the only match. This is what the log entry looks like:
Someone not wanting to stick out might only probe headers that are less-often logged, but still possibly passed-along as environment variables. Has anyone logged 'HTTP_FROM' in a long while?
The shellshock scan is setting the Host header, which might set the SERVER_NAME CGI variable in some environments and is not included in the Common Log Format or widely used Combined Log Format (which adds the Referer and User-Agent). For example, Apache's httpd directive UseCanonicalName is set to "off" by default, allowing the client to set SERVER_NAME via the Host header, possibly passing it to vulnerable scripts.
Furthermore, an admin might use directives to log the requested host in a name-based virtual hosting environment to facilitate parsing. For example, when using Apache's httpd LogFormat/CustomLog directives, if "%V" is used as the format string and UseCanonicalName is set to "off", the string provided by the client in the Host header will be written to the log. Naive parsers might choke on this or even execute the code. If the shellshock scan results in a delayed surge of pings from a single host, this is likely to be the cause.
Apache actually passes along any HTTP header, even undefined ones, as CGI environment variables (of the form $HTTP_HEADERNAME) so an attacker could just make up a header and it would be very unlikely to be logged.
Any suggestions on how to best check if they succeeded? I think I'm safe as I upgraded Ubuntu Bash right after the announcement, and run Nginx+Uwsgi instead of Apache with CGI enabled. But Nginx might set some environment variables somewhere as well.
if their httpd.conf has incorrect privs set, you could run a script that changes the "user to run as" to root, then set up a script that would run on next reboot to apt-get upgrade and remove the root privs config line. you'd have to wait for the server to go down or reboot however long in the future, but hey it would work.
Your CGI application does not need to be written in bash for you to be vulnerable. If at any point your non-bash CGI program (and this includes PHP, even with mod_php, since it sets the same environment variables), or one of its descendant processes, executes a bash script, you can be exploited.
This is especially bad on systems where /bin/sh is /bin/bash, since /bin/sh gets invoked implicitly by system(3). So you could have a non-bash CGI program invoking a non-bash program using system(3) and you can be exploited.
You're right; thanks! I saw the HTTP_* variables in phpinfo() and assumed they'd be passed on to children through system(), but they actually aren't. In fact the only environment variables passed through look pretty innocuous.
I didn't say it required it. I simply pointed out (albeit sarcastically) that CGI scripts do get written in bash, and people often often make use of sudo within them. I've seen such a beast in production at multiple companies.
The amusing up/down vote war I am watching on my karma gives me hope that at least 50% of HN got it...
The DHCP attack vector is the one that is scariest to me. We know that dhclient on Linux is vulnerable, but the number of unpatched Linux machines on a public wifi network will likely be too small to be worthwhile to try to capture. Macs on the other hand are prevalent in places like coffee shops, and Apple is notoriously slow to patch security vulnerabilities in their operating systems. Has anyone done much analysis on OS X's vulnerability to this bug?
>Update: Someone is using masscan to deliver malware. They'll likely have compromised most of the system I've found by tomorrow morning. If they using different URLs and fix the Host field, they'll get tons more.
To be vulnerable to this I need to be running CGI scripts right? I have my system set up with reverse nginx proxies and haproxy TCP mode pass through to things like nginx static files and Node.js servers. Can he run his ping command on my servers? I am thinking not.
No, CGI is just the most obvious use of user-controlled environment variables. Other systems may also set environment variables to user-controlled strings for whatever reason. If such a system ever invokes bash, even indirectly or implicitly, with user-controlled environment variables set, that system is vulnerable.
Example non-CGI vulnerable systems from RedHat: CUPS, dhclient.
Can someone from the internet use this type of attack through CUPS or dhclient then? I was asking about external attacks, not users that are already on the system.
dhclient: sort of. If you connect to a malicious access point, or someone runs a rogue DHCP server on a network you trust, they could potentially attack dhclient.
CUPS: If you are exposing a CUPS server to the Internet to allow remote printing.
OK so are those the only ones you know of? I am going to patch but just wondering about this category of attack in a more general sense so want to make sure I understand the scope of this particular one.
So say I have a server that is running a VPN (tinc). Then another system is connected to that same VPN network. Are you saying that by running a DHCP server on the second system, my server could be compromised?
It's impossible to enumerate all evil. There's no way of knowing what else is vulnerable until it's demonstrated to be vulnerable. I've commented elsewhere, though, describing what types of function calls and programs are likely to be vulnerable.