Monday, October 13, 2014

ShellShock Attack Vectors

Shellshock attack is popular, and wormable too. However, it requires an attack vector for it to works. Here're some of the common attack vectors for shellshock to work:

  • (Apache/etc) httpd - If the CGI script calls Bash, the script could execute arbitrary code as the httpd user. mod_php, mod_perl, and mod_python do not use environment variables and we believe they are not affected.
  • (Secure Shell) ssh -  It can be used to execute any command, via ssh, scp, git, rsync, etc.
  • dhclient - The Dynamic Host Configuration Protocol Client (dhclient) is used to automatically obtain network configuration information via DHCP. This client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the client machine.
  • CUPS - It is believed that CUPS is affected by this issue. Various user supplied values are stored in environment variables when cups filters are executed.
  • sudo - It could still be possible for the running command to set an environment variable that could cause a Bash child process to execute arbitrary code.
  • Firefox - No detail about it as of now.
  • Postfix - While the Postfix server does call Bash in a variety of ways, the Postfix server will replace various characters with a ?, and may allow an arbitrary environment variable be set by the server. It is however possible that a filter could set environment variables.