Posted 2014-09-25, 14:40   #1

Shellshock


After Heartbleed comes: Shellshock. Could it be the old fox who got upset with the Internet of Things after the ban?

Shit is real now. First in-wild attack to hit my sensors CVE-2014-6271
https://twitter.com/yinettesys/statu...12126268604416

The critical Shellshock flaw affects many Linux and Apple systems — here’s what you need to know
https://gigaom.com/2014/09/25/the-cr...-need-to-know/

Everything you need to know about the Shellshock Bash bug
http://www.troyhunt.com/2014/09/ever...now-about.html



Quote:
Experts are saying the flaw, which affects the bash shell used across many Unix-based systems including Mac OS X and variants of Linux, is more serious than the Heartbleed flaw earlier this year.


Why is this so serious?

Because of Bash’s ubiquity. The Bash shell has been around since 1989 and it’s the default shell not only in Mac OS X, but also in many flavors of Linux – which powers a lot of web-connected servers out there.

This potentially affects a lot of the connected devices that are out there – from routers to smart lightbulbs — as well as servers.


What are the potential ramifications?

The potential is enormous – “getting shell” on a box has always been a major win for an attacker because of the control it offers them over the target environment. Access to internal data, reconfiguration of environments, publication of their own malicious code etc. It’s almost limitless and it’s also readily automatable. There are many, many examples of exploits out there already that could easily be fired off against a large volume of machines.

Unfortunately when it comes to arbitrary code execution in a shell on up to half the websites on the internet, the potential is pretty broad. One of the obvious (and particularly nasty) ones is dumping internal files for public retrieval. Password files and configuration files with credentials are the obvious ones, but could conceivably extend to any other files on the system.

Likewise, the same approach could be applied to write files to the system. This is potentially the easiest website defacement vector we’ve ever seen, not to mention a very easy way of distributing malware.

Or how about this: one word I keep seeing a lot is “worm”:

I'm at the Virus Bulletin 2014 Conference, taking bets on when we'll see a worm exploiting the #Shellshock bash bug.

When we talk about worm in a malicious computing context, we’re talking about a self-replicating attack where a malicious actor creates code that is able to propagate across targets. For example, we saw a very effective implementation of this with Samy’s MySpace XSS Worm where some carefully crafted JavaScript managed to “infect” a million victims’ pages in less than a day.

The worry with Shellshock is that an attack of this nature could replicate at an alarming rate, particularly early on while the majority of machines remain at risk. In theory, this could take the form of an infected machine scanning for other targets and propagating the attack to them. This would be by no means limited to public facing machines either; get this behind the corporate firewall and the sky’s the limit.

People are working on exploiting this right now. This is what makes these early days so interesting as the arms race between those scrambling to patch and those scrambling to attack heats up.


__________________

"…a soccer match is equivalent to two teams throwing a dice. The number 6 means goal and the number of attempts of both teams is fixed already at the beginning of the match, reflecting their respective fitness in that season."

Last edited by boored on 2014-09-25 at 15:00.