[安全]Bash 'shellshock' bug is wormable

2014年9月27日星期六 | | |

Early results from my scan: there's about 3000 systems vulnerable just on port 80, just on the root "/" URL, without Host field. That doesn't sound like a lot, but that's not where the bug lives. Update: oops, my scan broke early in the process and stopped capturing the responses -- it's probably a lot more responses that than.

Firstly, only about 1 in 50 webservers respond correctly without the proper Host field. Scanning with the correct domain names would lead to a lot more results -- about 50 times more.

Secondly, it's things like CGI scripts that are vulnerable, deep within a website (like CPanel's /cgi-sys/defaultwebpage.cgi). Getting just the root page is the thing least likely to be vulnerable. Spidering the site, and testing well-known CGI scripts (like the CPanel one) would give a lot more results, at least 10x.

Thirdly, it's embedded webserves on odd ports that are the real danger. Scanning for more ports would give a couple times more results.

Fourthly, it's not just web, but other services that are vulnerable, such as the DHCP service reported in the initial advisory.

Consequently, even though my light scan found only 3000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable -- once the worm gets behind a firewall and runs a hostile DHCP server, that would "game over" for large networks.



Update: As many people point out, the path variable isn't set, so I need '/usr/ping' instead to get even more results.

Update: Someone is using masscan to deliver malware. They'll likely have compromised most of the system I've found by tomorrow morning. If they using different URLs and fix the Host field, they'll get tons more.


Brandon Potter2:12 AM

I put together a vulnerability checker, but depends on wget or curl being available.

Embeds wget and curl calls into the User-Agent, Cookie, and Referer headers, and if the test tool hears back from the called server, the vulnerability is confirmed.

http://shellshock.brandonpotter.com


Matt DeLong5:03 PM

Try this:

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

You will see one of 2 result:

1) You are VULNERABLE IF YOU SEE THIS RESULT
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test

2) You are NOT VULNERABLE IF YOU SEE THIS RESULT
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test


From:

http://blog.erratasec.com/2014/09/bash-shellshock-bug-is-wormable.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271



Test Specific Script:

http://shellshock.brandonpotter.com/
http://bashsmash.ccsir.org/

命令: bash --version

0 评论:


所有文章收集于网络,如果有牵扯到版权问题请与本站站长联系。谢谢合作![email protected]