Friday, September 26, 2014

Shellshock: How to tell if System is Compromised and How to Fix it

Shellshock is the new bug doing the rounds, and security experts consider it to be of the same proportion as Heartbleed. Is that the case?

Shellshock, in simple terms, is a shock that can be passed through a shell. A shell is a utility that lets you interact with the system. The particular shell that this bug targets is the bash shell.

If you are a Windows user, you are not at all at risk, for a change. As more and more applications are moving to the web and are mostly hosted in Linux environments, we might see this as more and more of a rule and not as an exception. But if you are a Linux or Apple user, then you are at risk. A shell is similar to the command prompt of Windows.

So how does this bug work? It works by allowing a hacker to run commands beyond what is allowed. It's a difficult bug to exploit, as the attacker has to send commands via an HTTP request, and that request has to invoke the bash shell.

A simple example of an exploit is when an application exposes an input box where commands can be entered and those commands are run by the bash shell on the server.

The other area to look at is whether you have CGI or PHP scripts, or some other application running on your server, that invoke commands in the bash shell.

Compared to Heartbleed, it's a very hard bug to exploit, but the impact is very high, as system commands can be run, which can even result in deleted data.

How to tell if my Linux System is compromised?

Check the bash version of your system by running the following command:

bash --version

I see the following

GNU bash, version 4.3.8(1)-release (x86_64-pc-linux-gnu)

Now check the National Vulnerability Database. It lists which versions of bash are affected. Looking at the list, I see that my bash version is affected.

To confirm further, run the following command

env shock='() { :;}; echo Shellshock' bash -c 'echo Hello'

If you see the word Shellshock printed before Hello, then your bash shell is vulnerable: the echo placed after the function definition in the shock variable was executed when bash started. env is a command which runs a program in a modified environment.

Now evaluate whether anyone can pass commands to the bash shell through any application that runs on this machine as a server program.

How to Fix the vulnerability

Check your Linux distribution and see if it has supplied a patch. You can update your operating system using its update utilities. For example, on Ubuntu you can run the following commands:

sudo apt-get update

and then

sudo apt-get install --only-upgrade bash

Now if you run the following command again 

env shock='() { :;}; echo Shellshock' bash -c 'echo Hello'

and if the vulnerability is fixed, then you should see the following

bash: warning: shock: ignoring function definition attempt
bash: error importing function definition for `shock'

If you see the above, you are good; otherwise check with your distribution to see whether the hole has been patched.
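
The env test used above, both before and after patching, can be scripted so that it runs against every bash binary on a machine. This is an added example, not part of the original post; the function names classify_output, check_bash and check_all are assumptions, and a not-affected verdict only covers the test string used on this page.

```shell
#!/bin/sh
# Added example: scripted form of the env test shown in this post.
# Usage (after sourcing this file): check_all /bin/bash /usr/local/bin/bash

# Classify the stdout captured from the test command.
#   vulnerable   - the injected "echo Shellshock" ran during function import
#   not-affected - only the intended "echo Hello" ran
#   inconclusive - the shell did not run the intended command at all
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'Shellshock'; then
        echo vulnerable
    elif printf '%s\n' "$1" | grep -qx 'Hello'; then
        echo not-affected
    else
        echo inconclusive
    fi
}

# Run the test against one bash binary (default: the first bash in PATH).
# stderr is discarded because a patched bash may print import warnings there.
check_bash() {
    target=${1:-bash}
    if ! command -v "$target" >/dev/null 2>&1; then
        echo inconclusive
        return 2
    fi
    out=$(env shock='() { :;}; echo Shellshock' "$target" -c 'echo Hello' 2>/dev/null) || :
    verdict=$(classify_output "$out")
    echo "$verdict"
    [ "$verdict" = not-affected ]
}

# Check every bash given as an argument; return non-zero if any one of them
# is vulnerable or could not be tested.
check_all() {
    [ "$#" -gt 0 ] || set -- bash
    rc=0
    for b in "$@"; do
        printf '%s: ' "$b"
        check_bash "$b" || rc=1
    done
    return "$rc"
}
```

Run it again after installing updates, and include any bash copies installed outside the package manager, since those are not touched by apt-get.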
