Tuesday, 21 April 2015

Shellcode injection revisited

If you have followed this blog and read the other posts, you will have seen that the attacks that could do the most harm, and that keep coming back again and again, are shellcode injections.

So it is a good time to revisit this attack.


Shell code injection is based on a vulnerability in Bash. This shell is the most widely used one on Linux- and Unix-based operating systems, and many of them ship it as the default. The bug had existed for years and was never used, perhaps because nobody even knew of its existence.

In September 2014 this bug was found, and the legend of this vulnerability began:

http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29

Today, every version of bash has a fix. The only problem is that many people out there are using quite old systems that will not receive security updates by default. The good news, which many may not know, is that on most Linux operating systems you are able to replace bash (e.g. with zsh, tcsh or others), or you can use one of the ongoing "Long Term Support" repositories, like the one Debian just released for squeeze:

https://wiki.debian.org/LTS/Using

Another option is to compile your own version and install it from source:

https://www.gnu.org/software/bash/
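Whichever way you update, you will want to confirm that the bash you end up with is actually fixed. The following script is an added example, not part of the original post: it runs the two classic self-checks against a bash binary (the original "trailing command" bug and the follow-up parser bug that the one-liner further down in this post uses) and reports the result. BASH_BIN is an assumed variable so you can point it at a freshly compiled build instead of the system one.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a bash binary
# on this host still carries the well-known Shellshock bugs.
# BASH_BIN is an assumption; override it to test a build compiled from
# source, e.g. BASH_BIN=/usr/local/bin/bash sh shellshock_check.sh
BASH_BIN="${BASH_BIN:-bash}"

# Returns 0 if bash is patched, 1 if it is vulnerable, 2 if bash is missing.
shellshock_check() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "no bash found"; return 2; }

    # Original bug: a command appended to a function definition stored in an
    # environment variable must NOT run when bash starts. A fixed bash prints
    # only "probe" (possibly with a warning about the ignored definition).
    out=$(env X='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo probe' 2>&1)
    case "$out" in
        *vulnerable*) echo "vulnerable: trailing command was executed"; return 1 ;;
    esac

    # Follow-up parser bug (the one-liner used in this post): on an unpatched
    # bash the redirection leaks out of the definition and a file named
    # "echo" containing the date appears in the working directory.
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        echo "vulnerable: parser leaked a redirection into a file"
        return 1
    fi
    rm -rf "$tmp"
    echo "bash is patched against both checks"
    return 0
}

shellshock_check
```

Run it once before and once after the update; the exit status (0 patched, 1 vulnerable, 2 no bash) makes it easy to use from a configuration-management check as well.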

So, now that this bug is more than half a year old, why do we still see so many attacks in the wild?

The answer is sad and simple at the same time: this vulnerability is so easy to use!

env X='() { (a)=>\' bash -c "echo date"; cat echo
is all you need to exploit it. And you can replace the "echo date"; cat echo part with simply any command you want, like wget or curl, changing permissions, or deleting the hard disk.
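Because the attack is usually delivered through an HTTP header that a CGI-enabled web server copies into an environment variable, the probes leave a very recognisable mark in the access log: the function header "() {". The script below is an added example, not part of the original post; it writes a few constructed log lines (not real traffic, with documentation-range addresses) and shows how to count the suspicious requests and list their source addresses so you can see whether your server is being hit.

```shell
#!/bin/sh
# Added example (not from the original post): find Shellshock probes in a
# web server access log by looking for the "() {" function header that the
# exploit has to carry in an HTTP header such as User-Agent.

# Writes a small constructed access log (sample data, not real traffic) to a
# temp file and prints its path.
make_sample_log() {
    f=$(mktemp) || exit 2
    cat > "$f" <<'EOF'
203.0.113.5 - - [21/Apr/2015:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Apr/2015:10:00:07 +0200] "GET /cgi-bin/status HTTP/1.1" 200 77 "-" "() { :;}; /bin/true"
198.51.100.2 - - [21/Apr/2015:10:01:13 +0200] "GET /about HTTP/1.1" 200 2048 "-" "curl/7.38.0"
EOF
    echo "$f"
}

# Number of log lines carrying the marker; " *" also catches "(){" written
# without the space, which some scanners use.
count_probes() {
    grep -c '() *{' "$1"
}

# Unique source addresses of the suspicious lines, one per line.
probe_sources() {
    grep '() *{' "$1" | awk '{print $1}' | sort -u
}

LOG=$(make_sample_log)
echo "suspicious requests: $(count_probes "$LOG")"
probe_sources "$LOG"
rm -f "$LOG"
```

On a real server, replace the sample file with the actual access log path; the same grep pattern works in a log-shipping filter or a fail2ban-style rule.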