The attacks of the Shellshock bug are so complicated that even the best malware researchers find it difficult to figure it out. The PC users are asking themselves how serious these attacks are and if they are vulnerable. The Security Research Engineer of FireEye Inc., Michael Lin, has summarized the information known about the Shellshock bug and what the user should do if affected. FireEye Inc., company is providing research and security products, designed to protect the government and the enterprise networks against threats.
The Nature of Shellshock
Shellshock is the nickname of the Bash bug, where Bash is deciphered as Bourne Again Shell. The bug enters the command line interpreter, also known as ‘the shell’. May operating systems, among which many flavors of Linux, UNIX, OSX of Apple and BSD use the Bash shell as their default command-line interpreter.
The experts confirm that the Bash shell is available in other system as well including Windows and Android, however it is not installed on these systems and not used by default there.
After the launching of the first Shellshock bug, namely CVE-2014-6271, other similar Bash bugs were spotted by different researchers. Compared to them, CVE-2014-6271 remains the most significant Shellshock bug and all the references below refer to it, except it is stated otherwise in the specific case.
Who can be affected by the Shellshock bug?
The malware experts say that all Bash users are vulnerable to the Shellshock bug. They further state that only the Bash users that are connected to Internet are the ones who are open to remote exploitation. In addition, specific software is required in order to guarantee the attacker access to the Bash.
The most vulnerable of all and the ones that are expected to be targeted most are the system running Internet servers. Further exposed to the bug are the home PC users that have Bash, in case that they use networks that are not trusted like public wireless internet spots, for example.
The malware analysts say that the average Internet users are not vulnerable, if running of Windows, Android, iOS or Mac OS. In case, however, there are on compromised Internet servers, these users are exposed to other attacks.
Where is Shellshock bug located?
The Shellshock bug is positioned in the parsing code of Bash. The experts had spotted an error in how Bash parses the variables at its initialization sequence. They state that everything which can manipulate the variables in the environment bears the potential to be that vulnerability vector.
How does Shellshock bug make users vulnerable?
The malicious nature of the Bash bug hides in the fact that it allows the cybercriminal to make the same commands as the real user. In other words, the Bush bug allows the attacker to do on the computer almost everything that the user can. Further, the attacker who has remote vector access can inject the Bash commands on the system from a distance and without need of authentication.
In the beginning, the attacker is has limited access to run the Bash, but once in the system, the attacker can get various privileges and in the end gain root access.
Which are the targets of the Shellshock bug?
The Shellshock bug is attacking the HTTP Servers, the DHCP clients, the SSC systems, the Common UNIX Printing Systems, and the browser plug-ins.
The Shellshock bug is mainly attacking the HTTP web servers. Those servers that run on FastCGI or CGI are capable to expose Bash to the request vector of HTTP. The malicious HTTP requests allow the cyber criminals to embed commands on the server and the Bash can follow them.
The Bash could be then called immediately by the Bash script or through a system command. In case the Bash is started within that CGI request of malicious nature, then the system becomes vulnerable.
At the same time, the Perl, PHP, and Python scripts which are not called through the above mentioned systems of CGI/FastCGI most probably will not be affected.
The Internet Systems Consortium DHCP clients are also target of the Shellshock bug. This is valid for the UNIX and the Linux system, but is not affecting the OSX system.
The vector is activated when the attacked user connects to a DHCP server that has malicious nature. The affected DHCP client will use the DHCP server variables and will save them as variables of the environment. In this way the DHCP will configure the network interfaces through Bash. This is possible to occur when the user makes a connection to a rogue DHCP server or a Wi-Fi point that is public.
During the attack, the cybercriminal can also use the CGI vector in order to compromise the DHCP service on a server that is legitimate.
Most of the SSH systems are configured in such a way as to restrict the commands that the user can apply. The attackers use the Bash bug here in order to go beyond the restrictions applied. This however requires authentication and that is why this vector offers privilege escalation.
The systems that use SSH, including rsync, git, rlogin, subversion, and others can also be affected.
Common Unix Printing System (CUPS)
A printer server, the Common UNIX Printing System is available in many UNIX, BSD and Linux systems. It works with variables that are controlled by the user and based on them are set the environment variables when processing filters. It can act as a vector for the vulnerability, in case if Bash is initialized by the Common UNIX Printing System during this process.
Currently, this vector is theoretical.
Plug-ins by third parties may also exist, which will set the environment variables through values controlled by the users. This may result in a vector too, however this is still on theory only.