
Shell Shock: Major Bash vulnerability disclosed. May affect a large number of websites and web apps.

This entry was posted in General Security on September 24, 2014 by Mark Maunder

A major vulnerability in the Bash shell has been disclosed today.

This vulnerability may impact many WordPress themes and plugins and other publishing platforms, web applications and web server platforms. Any shell execution or shell function that is performed by a web application, including the storage of request data in environment variables, may present an attack vector that allows the execution of arbitrary code.

In plain English, that means that systems that have not updated their version of ‘bash’ and that provide web hosting in any form, whether it’s WordPress hosting or another platform like Joomla, may allow remote attackers to upload files, execute arbitrary commands, exfiltrate data, send spam email and more.

This vulnerability was announced today and the infosec community has not had time to research the impact it has on individual products, but popular opinion indicates that this may be one of the most significant vulnerabilities reported this year. You will likely start hearing about it in the mainstream press as the week progresses. [Edit: As the day progresses it sounds like the moniker ‘shell shock’ may be catching on to describe the issue]

What to do:

If you are the administrator of a Linux server, update your version of ‘bash’ to a patched version immediately. I have verified that an update for Ubuntu has already been released. If you are running Ubuntu, executing ‘apt-get update’ and then ‘apt-get upgrade’ without quotes should fix the issue for you.

How to verify you have the vulnerability on your server:

Run each line after the dollar. Courtesy of Hacker News. If you see the word “vulnerable” you’re vulnerable. (The quotes below are plain ASCII quotes, so the lines can be copied and pasted as-is.)

  hobbes@metal:~$ export badvar='() { :;}; echo vulnerable'
  hobbes@metal:~$ bash -c "echo I am an innocent sub process in '$BASH_VERSION'"
  vulnerable
  I am an innocent sub process in 4.3.22(1)-release

How this works:

What we’re doing above is defining an environment variable called ‘badvar’. Inside badvar we’re defining an anonymous function that does nothing. After the semicolon is some code that should be ignored or cause an error.

Because of a weird quirk in bash, when bash creates a subprocess, the trailing code after the anonymous function in the variable we define is executed.
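The same check, as an added example (not from the original post), turned into a function with an exit code so it can run from a host-check script across many servers. The variable name HTTP_USER_AGENT is an arbitrary choice made here: it shows that the name does not matter to the vulnerable Bash, only the value.

```shell
#!/bin/sh
# Returns 0 (true) if the Bash binary in $1 (default: bash) executes the code
# that follows a function definition held in an environment variable, which is
# the behaviour described above; returns 1 if the binary ignores it.
bash_is_shellshock_vulnerable() {
    bin=${1:-bash}
    # env(1) scopes the variable to this single subprocess instead of
    # exporting it into the calling shell's environment with 'export'.
    # The variable name is arbitrary; HTTP_USER_AGENT is used only to mirror
    # what a web server exports for a request header.
    out=$(env HTTP_USER_AGENT='() { :;}; echo vulnerable' "$bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Human-readable wrapper for a cron job or a host-check script.
shellshock_status() {
    bin=${1:-bash}
    if bash_is_shellshock_vulnerable "$bin"; then
        echo "VULNERABLE: $("$bin" --version | head -n 1)"
        return 1
    fi
    echo "patched: $("$bin" --version | head -n 1)"
    return 0
}
```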

Why it matters:

This means that if you can place an anonymous function, followed by the code you want to run, in an environment variable and then get bash to create a subprocess, you have successfully exploited the machine.

The current Web and many web applications rely heavily on environment variables to get things done. Even when a web application does not itself read environment variables, the web server stores request data in those environment variables in many (possibly most) web execution environments.

Many web applications also spawn bash subprocesses, often without even realizing it. Those subprocesses read all current environment variables and will execute malicious code following a function definition in the vulnerable version of Bash.

So this creates a huge number of potential attack vectors on systems that use the Bash shell that haven’t been updated.

Comments:

Please post your own comments and additions below and spread the word. Thanks. ~Mark Maunder.

More info:

Update #1: To give you an idea of why Wordfence is taking this issue so seriously, here’s a scanner someone came up with a couple of hours ago that simply puts a bash function definition followed by a ping command in headers that are often stored in environment variables by a web server. They don’t even do anything to encourage a bash subprocess to be spawned, and they’re finding large numbers of websites are vulnerable.
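A defender's counterpart to that scanner, added here as an example that is not part of the original post or of the scanner it mentions: a log check for probes of this shape. Web servers export the Referer and User-Agent headers as HTTP_REFERER and HTTP_USER_AGENT, and both appear in combined-format access logs, so a value beginning with "() {" in either field is the function-definition prefix an unpatched Bash would act on. The log lines are constructed sample data.

```shell
#!/bin/sh
# Constructed sample access log in Apache/nginx combined format; the third
# and fourth lines carry a Shellshock-style probe in a request header.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [24/Sep/2014:18:02:11 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Sep/2014:18:02:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Sep/2014:18:03:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "-" "() { :;}; echo vulnerable"
198.51.100.8 - - [24/Sep/2014:18:04:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "() { :; }; echo vulnerable" "curl/7.37.0"
EOF

# Print "client-ip header request-line" for every probe found in log file $1.
# Splitting on the double quote gives: $2 request, $4 Referer, $6 User-Agent.
# The pattern tolerates extra spaces around "()" and "{" to catch variants.
shellshock_report() {
    awk -F'"' '
        $4 ~ /^[ ]*[(][)][ ]*[{]/ || $6 ~ /^[ ]*[(][)][ ]*[{]/ {
            split($1, lead, " ")
            hdr = ($4 ~ /^[ ]*[(][)][ ]*[{]/) ? "Referer" : "User-Agent"
            printf "%s %s %s\n", lead[1], hdr, $2
        }' "$1"
}

# Number of probe lines in log file $1; prints 0 for a clean log.
shellshock_hits() {
    shellshock_report "$1" | wc -l | tr -d ' '
}
```

Other exported headers (Cookie, Host, and any custom header) do not appear in the combined log format, so a full check needs the web server to log them or an inspection point in front of it.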


17 Comments on "Shell Shock: Major Bash vulnerability disclosed. May affect a large number of websites and web apps."

James K. September 24, 2014 at 8:37 pm • Reply

Thanks guys, we just updated our hosting cluster and we were in fact vulnerable. Great job as always!

iggyvolz September 24, 2014 at 9:14 pm • Reply

I've heard this called "shellshock" on a couple other websites.

mark September 24, 2014 at 9:15 pm • Reply

Yes, first place I heard it was on Robert's website which has the ping scan demo:

http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html#.VCNntCtdV2M

And then The Register soon after.

Mike Wyant September 25, 2014 at 5:40 pm • Reply

RedHat has issued a patch as well that is available through "yum".

That's:

yum update bash

For those looking for specifics.

niX September 24, 2014 at 10:11 pm • Reply

Thanks guys.
I have verified also that an update for Debian has already been released.

I upgraded Bash and fixed the issue.

Many thanks.

GeeKay September 25, 2014 at 4:50 am • Reply

Hi niX,

Can you please tell me the exact commands you used, because I tried to upgrade but I still get vulnerable.

Thanks!

Jeff September 25, 2014 at 9:54 am • Reply

Make sure you update your package list first: sudo apt-get update.

I've been using sudo apt-get install --only-upgrade bash to update bash and it seems to work okay.

GeeKay September 26, 2014 at 9:08 am • Reply

Thanks Jeff!

Worked like a charm!

I had to use the answer in the post as well (http://serverfault.com/questions/631381/can-not-update-bash-on-debian-squeeze), cause I'm still running on squeeze.

Daniel September 24, 2014 at 11:39 pm • Reply

Your bash code is not copy-pastable, because WordPress uses different " ' ´

This can be copy/pasted:

export badvar='() { :;}; echo vulnerable'
bash -c "echo I am an innocent sub process in '$BASH_VERSION'"

Hussam September 25, 2014 at 12:09 am • Reply

Thanks guys for sharing this important information.

darx September 25, 2014 at 3:27 am • Reply

Weird, I just launched an apt-get upgrade on my debian jessie and the vulnerability is still there...
And apparently, no fix for squeeze for the moment :-/

mark September 25, 2014 at 3:43 am • Reply

Yes, I have an older Ubuntu that didn't have a released fix yet.

But it looks like the fix released earlier today is not a complete fix:

http://seclists.org/oss-sec/2014/q3/685

Steve13565 September 25, 2014 at 12:45 pm • Reply

I'll let my ISP update the operating system on the host of my web site, but thanks for reminding me to do the security updates on my own Linux virtual machine on my PC. Bash is one of the updates that were available on Ubuntu.

richard September 25, 2014 at 2:02 pm • Reply

The code is not copy/paste-able because it was probably written in Word with smart quotes not disabled. lol. I guess WordPress doesn't recognize smart quotes and convert them to basic ones automatically? You learn something new every day. The only punctuation you have to change is the " and '; the semicolons and colons are OK.
