Patching the bash vulnerability affecting web servers and many other services

A critical vulnerability, CVE-2014-6271 (aka Shell Shock), was found in bash september 24 by Stephane Chazelas. This issue would allow an attacker to execute arbitrary code on a system if he was able to set the value of a bash environment variable. This can also be done remotely.

The information at this time is quite limited so we wanted to try explain what’s going on and how to patch it.

How it works

A lot of applications are passing environment variables over to Bash, which is a [Unix Shell]. The problem with the variables is that they can also include shell functions. What the vulnerability actually exposed is that information after the function definition are actually parsed and executed.

The exploit mentioned looks like this:

x='() { :;}; echo; /usr/bin/id' bash

To break it down:

() { :;};

is the actual function definition, in this example the function is empty: { :;}; Note that all this information is inside single quotes, it’s actually escaped. However, using the () in the beginning of a string in Bash, it’ll handle it as a function definition.

The information after the function definition is what matters, and here’s where the problem is. Bash will continue to parse and execute the data after the definition, which in our example will run the /usr/bin/id.

The bash-call in the end will use the function definition and execute the data after the function, which in our example will show you the information about the current user:

uid=0(root) gid=0(root) groups=0(root)

Remote exploitation

The problem with this is that you can exploit this remotely. One example, which is also explained in the CVE, is CGI-scripts. CGI will pass data to Bash using environment variables. Examples of these variables are the Host, User-Agent and Accept headers.

This means that the following curl-command to a server running a vulnerable CGI-script will show you the user of the vulnerable web-server:

curl -H 'User-Agent: () { :;}; echo; /usr/bin/id' http://example.com/

At the time of this post, there’s currently no valid PoC to abuse FastCGI (Currently, POCs for CGI are in the wild) which is often used for PHP instances with nginx, Apache and lighttpd, but there will certainly be more exploit vectors than the ones exposed now.

Patch your server

Since this issue is with bash, that is the only thing you have to update. How you do that varies depending on distribution but here are examples for a few:

Ubuntu, debian

apt-get update
apt-get install --only-upgrade bash

Redhat, Centos, Amazon Linux

yum update bash

Verify patch

You can see if you’re vulnerable by running the following command:

export VULNCHECK='() { :; }; echo You are still vulnerable'; bash

In a vulnerable environment, it’ll say:

“You are still vulnerable”

In a patched environment, it’ll say:

bash: warning: VULNCHECK: ignoring function definition attempt
bash: error importing function definition for `VULNCHECK

We have added a first version this attack vector to the Detectify scanner, which will probe your web server for this issue.

Read more

• http://https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
• http://https://access.redhat.com/articles/1200223
• http://seclists.org/oss-sec/2014/q3/650