Threat Intelligence Blog

Posted September 25, 2014

By Robert Simmons, Cyveillance Security Manager and Sr. Technologist

A number of security experts believe the new Bash bug–dubbed “Bourne” or “Shellshock”– hitting the news today is the new Heartbleed. This may prove true as it relates to the danger to websites and systems that are running a vulnerable version of Bash, as left unfixed, this bug will allow attackers to run arbitrary code on the server. However, the bug must be coupled with another system that uses Bash scripting. As of now, any website that uses mod_cgi is in the most danger. A working proof of concept exploit of this type of website is already available. The following one-liner will show you that a site is vulnerable:
curl -k -H 'User-Agent: () { :;}; /bin/ping -c1  XXX.XXX.XXX.XXX' http://127.0.0.1/cgi-bin/hi

The xxx.xxx.xxx.xxx should be replaced with the IP address of the workstation or server that you’re running this on. The URL needs to be changed to match the site that is being tested for the vulnerability. The “hi” is a cgi application on the site. The above command will run the program Ping on the vulnerable server, and you will be able to catch that ping packet if you’re capturing network traffic using a tool such as wireshark or tcpdump.

According to most researchers at this time, in addition to websites that use cgi (except for PHP sites that use mod_php, which does not expose the vulnerability) DHCP is vulnerable. This is not a service that should be exposed to the Internet, so it’s basically only a danger if there is already an attacker on your LAN.

A local test that you can run to see if your version of Bash is affected is the following:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If Bash is vulnerable you will see the following output:
vulnerable
hello

If it’s not vulnerable you will see the following:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for x'
hello

A script for the Bro intrusion detection system is already available here: hxxps://github.com/CriticalStack/bro-scripts/tree/master/bash-cve-2014-6271

The best way to proceed with this bug is to patch all affected systems immediately.


 

ff

Hot on the heels of the Bash news, Mozilla just disclosed a vulnerability in Firefox’s NSS system. This is the part of Firefox that provides SSL capabilities to the browser. The vulnerability affects all versions of Firefox, and can allow forged RSA certificates to be found as valid by the browser. A forged certificate would allow a phishing site to present what seems to be a legitimate SSL-protected website. This would increase the likelihood of someone unwittingly entering their credentials into the phishing page.

Because Chrome also uses the NSS system to provide SSL, Chrome browsers before version 37.0.2062.124 are similarly affected.

The original vulnerability alert from Mozilla can be found here, and the equivalent alert from Google about Chrome is here.

Cyveillance Security Labs focuses on malware and sophisticated technical threat actors, including their tactics, techniques and procedures (TTPs). Learn more here.

Additional Posts

What Can Open Source Intelligence Tell You about a Threat Actor in 30 Minutes or Less?

All of us who work in the risk, security, or compliance space would love a crystal ball to predict ...

New Voicemail From Romania

By Robert Simmons, Cyveillance Security Manager and Sr. Technologist There's a new variant on the ...