Shell Shock: Major Bash vulnerability disclosed. May affect a large number of websites and web apps.

A major vulnerability in the Bash shell has been disclosed today.

This vulnerability may impact many WordPress themes and plugins and other publishing platforms, web applications and web server platforms. Any shell execution or shell function performed by a web application, combined with the common practice of web servers storing request data (such as HTTP headers) in environment variables, may present an attack vector that allows the execution of arbitrary code.

In plain English, that means that systems that have not updated their version of ‘bash’ and that provide web hosting in any form, whether it’s WordPress hosting or another platform like Joomla, may allow remote attackers to upload files, execute arbitrary commands, exfiltrate data, send spam email and more.

This vulnerability was announced today and the infosec community has not had time to research the impact this has on individual products, but popular opinion indicates that this may be one of the most significant vulnerabilities reported this year. You will likely start hearing about it in mainstream press as the week progresses. [Edit: As the day progresses it sounds like the moniker ‘shell shock’ may be catching on to describe the issue]

What to do:

If you are the administrator of a Linux server, update your version of ‘bash’ to a patched version immediately. I have verified that an update for Ubuntu has already been released. If you are running Ubuntu, executing ‘apt-get update’ and then ‘apt-get upgrade’ without quotes (as root or with sudo) should fix the issue for you. After upgrading, re-run the test below rather than assuming the package update took: the first round of patches was later reported to be incomplete (see the oss-sec link in the comments), so expect a follow-up bash update as well.

How to verify you have the vulnerability on your server:

Run each line after the dollar. Courtesy of Hacker News. If you see the word "vulnerable" you’re vulnerable. (The version string is the one of the shell you type the command into, since $BASH_VERSION inside double quotes is expanded before the subprocess starts; the result that matters is whether the "vulnerable" line appears.)

  hobbes@metal:~$ export badvar='() { :;}; echo vulnerable'
  hobbes@metal:~$ bash -c "echo I am an innocent sub process in '$BASH_VERSION'"
  vulnerable
  I am an innocent sub process in 4.3.22(1)-release

How this works:

What we’re doing above is defining an environment variable called ‘badvar’ whose value looks like an exported bash function: ‘() { :; }’ is the syntax bash itself uses when it hands a function to a child process, and the body here (‘:’) does nothing. After the closing brace and semicolon comes code that should be ignored or cause an error.

When a new bash process starts, it scans its environment for values that begin with ‘() {’ and parses them as function definitions so that exported functions are available in the child. The bug is that vulnerable versions kept parsing past the closing brace and executed whatever followed, so the trailing code in the variable runs as soon as bash starts up, whether or not anything ever calls the function.

Why it matters:

What this means is that if you can plant an environment variable containing a function definition followed by code of your choice into a process that then starts bash, that code runs with the privileges of that process. Control over one environment variable plus one bash start-up is a complete remote code execution exploit.

Web servers and many web applications rely heavily on environment variables to pass data around. Even when a web application never reads them, the web server stores request data in environment variables in many (possibly most) web execution environments: the CGI interface, for example, hands every request header to the handler as an HTTP_* variable (HTTP_USER_AGENT, HTTP_COOKIE and so on), so an attacker controls the contents of those variables simply by sending a request.

Many web applications also spawn bash subprocesses, often without even realizing it: calls such as system(), popen() or backticks run commands through /bin/sh, which on some Linux distributions is bash, and scripts started by the server may be bash scripts themselves. Those subprocesses inherit all current environment variables, and the vulnerable version of Bash will execute any malicious code that follows a function definition in them.

So this creates a huge number of potential attack vectors on systems that use the Bash shell that haven’t been updated.
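To make the two preceding sections concrete (the variable-plus-subprocess mechanism under "How this works" and the web server vector under "Why it matters"), here is an added example; it is not code from the original post. It plays the role of a CGI gateway: a constructed User-Agent value is staged as HTTP_USER_AGENT (the name the CGI interface uses for that header) and bash is started for a handler that never touches the variable. The function names and the SHELLSHOCK_PAYLOAD_RAN marker are invented for this example, and the env -i stopgap at the end is an application-side containment measure, not a fix for bash.

```sh
#!/bin/sh
# Added example (not from the original post): replay the Shellshock
# (CVE-2014-6271) attack path locally and show one application-side stopgap.
# Function names and the SHELLSHOCK_PAYLOAD_RAN marker are invented here.

# Constructed attacker header value. "() {" is the prefix a vulnerable bash
# treats as an exported function; everything after the closing brace is the
# payload, which a vulnerable bash runs while importing the environment.
PROBE='() { :; }; echo SHELLSHOCK_PAYLOAD_RAN'

# Play the CGI gateway: copy the header into HTTP_USER_AGENT (the variable
# name the CGI interface uses for User-Agent) and start a bash handler that
# never references that variable at all.
cgi_handler_output() {
    b=$(command -v bash 2>/dev/null) || { echo "bash not installed"; return 2; }
    env HTTP_USER_AGENT="$PROBE" "$b" -c 'echo "handler started"' 2>/dev/null
}

# Returns 0 (true) if the local bash executed the payload, 1 if it did not.
local_bash_is_vulnerable() {
    case "$(cgi_handler_output)" in
        *SHELLSHOCK_PAYLOAD_RAN*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stopgap for application code that cannot avoid spawning a shell: start it
# with an empty environment (env -i) and pass request data as an argument,
# never as a variable. Nothing is imported, so even a vulnerable bash has
# nothing to execute. This contains the problem; it does not replace patching.
safe_handler_output() {
    b=$(command -v bash 2>/dev/null) || { echo "bash not installed"; return 2; }
    env -i PATH="$PATH" "$b" -c 'printf "handler started, ua length %s\n" "${#1}"' \
        handler "$PROBE" 2>/dev/null
}

if local_bash_is_vulnerable; then
    echo "VULNERABLE: bash executed code taken from HTTP_USER_AGENT"
else
    echo "not vulnerable: bash ignored the code after the function body"
fi
safe_handler_output || echo "safe handler skipped"
```

On an unpatched bash the first line printed is SHELLSHOCK_PAYLOAD_RAN, before the handler's own output, because the import happens during start-up. The safe handler prints only a fixed string and the length of the argument, so its output never contains attacker-controlled text even though the probe was passed in.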

Comments:

Please post your own comments and additions below and spread the word. Thanks. ~Mark Maunder.

More info:

Update #1: To give you an idea of why Wordfence is taking this issue so seriously, here’s a scanner someone came up with a couple of hours ago that simply puts a bash function definition followed by a ping command in headers that are often stored in environment variables by a web server. They don’t even do anything to encourage a bash subprocess to be spawned, and they’re finding large numbers of websites are vulnerable.
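As an added detection example (not code from the original post, and not the scanner referred to above), here are a few constructed Apache combined-format access log lines and a POSIX shell function that picks out requests carrying the function-definition prefix, either raw in a logged header or URL-encoded in a query string. The addresses, timestamps and function names are made up for this example.

```sh
#!/bin/sh
# Added example (not from the original post): spot Shellshock probes in web logs.
# Constructed Apache "combined" log lines; addresses and timestamps are
# documentation/example values, not real traffic.
SAMPLE_LOG='203.0.113.5 - - [24/Sep/2014:15:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/ping -c 1 198.51.100.9"
198.51.100.20 - - [24/Sep/2014:15:02:12 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [24/Sep/2014:15:02:13 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { ignored; }; echo vulnerable" "curl/7.30.0"
203.0.113.77 - - [24/Sep/2014:15:03:01 +0000] "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 404 0 "-" "-"
192.0.2.8 - - [24/Sep/2014:15:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1)"'

# Print lines carrying the "() {" prefix that a vulnerable bash looks for when
# importing a variable. Logged header values (User-Agent, Referer) arrive raw,
# so a fixed-string match works; a probe placed in the query string is
# URL-encoded, so the encoded form of "() {" is matched too. Fixed strings (-F)
# avoid having to regex-escape the parentheses and braces.
find_shellshock_probes() {
    grep -F -e '() {' -e '%28%29%20%7B' -e '%28%29%20%7b' "$@"
}

# Number of probe lines in the constructed sample, printed on stdout.
count_sample_probes() {
    printf '%s\n' "$SAMPLE_LOG" | find_shellshock_probes | wc -l | tr -d ' '
}

# Distinct source addresses that sent probes, for blocking or further triage.
probe_sources() {
    printf '%s\n' "$SAMPLE_LOG" | find_shellshock_probes | cut -d ' ' -f 1 | sort -u
}

echo "probes in sample: $(count_sample_probes)"
probe_sources
```

Run find_shellshock_probes against a real file with something like find_shellshock_probes /var/log/apache2/access.log. The obvious caveat is that the combined format only logs User-Agent and Referer; probes sent in Cookie or in custom headers (which CGI also exports as HTTP_* variables) will not appear unless the server is configured to log them or full request capture is in place.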


Comments
  • Thanks guys, we just updated our hosting cluster and we were in fact vulnerable. Great job as always!

  • I've heard this called "shellshock" on a couple other websites.

    • Yes, first place I heard it was on Robert's website which has the ping scan demo:

      http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html#.VCNntCtdV2M

      And then The Register soon after.

    • RedHat has issued a patch as well that is available through "yum".

      That's:

      yum update bash

      For those looking for specifics.

  • Thanks guys.
    I have also verified that an update for Debian has already been released.

    I upgraded Bash and fixed the issue.

    Many thanks.

    • Hi niX,

      Can you please tell me the exact commands you used, because I tried to upgrade but I still get vulnerable.

      Thanks!

      • Make sure you update your package list first: sudo apt-get update.

        I've been using sudo apt-get install --only-upgrade bash to update bash and it seems to work okay.

        • Thanks Jeff!

          Worked like a charm!

          I had to use the answer in this post as well (http://serverfault.com/questions/631381/can-not-update-bash-on-debian-squeeze), because I'm still running on squeeze.

  • Your bash code is not copy-pastable, because WordPress uses different quote characters (" ' ´).

    This can be copy/pasted:

    export badvar='() { :;}; echo vulnerable'
    bash -c "echo I am an innocent sub process in '$BASH_VERSION'"

  • Thanks guys for sharing this important information.

  • Weird, I just launched an apt-get upgrade on my Debian jessie and the vulnerability is still there...
    And apparently, no fix for squeeze for the moment :-/

    • Yes, I have an older Ubuntu that didn't have a released fix yet.

      But it looks like the fix released earlier today is not a complete fix:

      http://seclists.org/oss-sec/2014/q3/685

  • I'll let my ISP update the operating system on the host of my web site, but thanks for reminding me to do the security updates on my own linux virtual machine on my PC. Bash is one of the updates that were available on Ubuntu.

  • The code is not copy/paste-able because it was probably written in Word with smart quotes not disabled. lol. I guess WordPress doesn't recognize smart quotes and convert them to basic quotes automatically? You learn something new every day. The only punctuation you have to change is the " and '; the semicolons and colons are OK.