Concern over Bash vulnerability grows as exploit reported “in the wild”
The vulnerability reported in the GNU Bourne Again Shell (Bash) yesterday, dubbed “Shellshock,” may already have been exploited in the wild to take over Web servers as part of a botnet. More security experts are now weighing in on the severity of the bug, expressing fears that it could be used for an Internet “worm” to exploit large numbers of public Web servers. And the initial fix for the issue still left Bash vulnerable to attack, according to a new US CERT National Vulnerability Database entry.
In a blog post yesterday, Robert Graham of Errata Security noted that someone is already using a massive Internet scan to locate vulnerable servers for attack. In a brief scan, he found over 3,000 servers that were vulnerable “just on port 80″—the Internet Protocol port used for normal Web Hypertext Transfer Protocol (HTTP) requests. And his scan broke after a short period, meaning that there could be vast numbers of other servers vulnerable. A Google search by Ars using advanced search parameters yielded over two billion webpages that at least partially fit the profile for the Shellshock exploit.
“It‘s things like CGI scripts that are vulnerable, deep within a website (like CPanel’s /cgi-sys/defaultwebpage.cgi),” Graham wrote. CPanel is a Web server control panel system used by many Web hosting providers. “Getting just the root page is the thing least likely to be vulnerable. Spidering the site and testing well-known CGI scripts (like the CPanel one) would give a lot more results—at least 10x.”
In addition, Graham said, “this thing is clearly wormable and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable—once the worm gets behind a firewall and runs a hostile DHCP server, that would be ‘game over’ for large networks.”
The big problem, as Securosis analyst and CEO Rich Mogull noted, is that “Bash is embedded and accessed in so many ways that we cannot fully understand its depth of use. Many systems you would never think of as having a command line use bash to run other programs. I have used it myself, a bunch, in programs I have written—and I barely code. We cannot possibly understand all the ways an attacker could interact with Bash to exploit this vulnerability.”
Apparently, the vulnerability is already being used maliciously. A GitHub “gist” post by a system administrator who uses the Twitter handle @yinettesys reported finding an exploit that used the Shellshock vulnerability to launch a kernel exploit with a connection to a Command and Control (CnC) server hidden behind Cloudflare’s content delivery network. The attack uses a Web GET request from a user agent called “.Thanks-Rob”—possibly a hat tip to Graham.
The binary delivered by the attack includes a number of text strings that appear to be a dictionary of username and password guesses, and it’s similar to other malware used in the telnet brute-force attacks earlier this year. The malware delivered by the attack is a file named nginx written to the targeted server’s /tmp directory in a subdirectory called “besh.” The filename is an attempt to disguise it as the popular Web server software in process lists. The only communications sent from the malware to the CnC server are the text “PING”—which returns the response “PONG.”
Oddly, according to one Hacker News poster who ran the binary of the malware on a virtual machine, the malware also sends a request to a Pastebin page (now removed) that was associated with an alleged leak of nude photos of actress Emma Watson.