
SHELLSHOCK

22-year-old vulnerability struck, is it worse than Heartbleed?



The bug, dubbed Shellshock, can be used to remotely take control of almost any system using Bash,
researchers said.
Experts said it was more serious than the Heartbleed bug discovered in April.

A critical, remotely exploitable vulnerability has been discovered in the widely used Linux and Unix
command-line shell known as Bash, aka the GNU Bourne Again Shell, leaving countless websites,
servers, PCs, OS X Macs, various home routers, and many more open to cyber criminals.

Earlier today, Stephane Chazelas publicly disclosed the technical details of the remote code execution
vulnerability in Bash which affects most of the Linux distributions and servers worldwide.

REMOTELY EXPLOITABLE SHELLSHOCK:

The vulnerability (CVE-2014-6271) affects versions 1.14 through 4.3 of GNU Bash and has been named
Bash Bug and Shellshock by security researchers in Internet discussions.

According to the technical details, a hacker could exploit this Bash bug to execute shell commands
remotely on a target machine using specially crafted variables. In many common configurations, this
vulnerability is exploitable over the network, Stephane said.

The 22-year-old vulnerability stems from the way Bash handles specially formatted environment variables,
namely exported shell functions. When a function is assigned to a variable, trailing code in the function
definition will be executed.

BASH BUG AFFECTS MILLIONS OF SYSTEMS
While Bash is not directly used by remote users, it is a common shell for evaluating and executing
commands from other programs, such as a web server or a mail server. So if an application calls the
Bash shell via web HTTP or a Common Gateway Interface (CGI) in a way that allows a user to
insert data, the web server could be hacked.

In simple words, if Bash has been configured as the default system shell, an attacker could launch
malicious code on the server just by sending a specially crafted web request, either by setting headers
in the request or by setting weird MIME types. Proof-of-concept code for a cgi-bin reverse shell has
been posted on the Internet.

Similar attacks are possible via OpenSSH. "We have also verified that this vulnerability is exposed in
ssh but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on a
number of factors; including calling other applications through a shell, or evaluating sections of code
through a shell," Stephane warned. But if an attacker does not have an SSH account, this exploit would
not work.

This is a serious risk to Internet infrastructure, just like the Heartbleed bug, because Linux runs not only the
majority of servers but also a large number of embedded devices, and Mac OS X laptops and
Android devices are also running the vulnerable version of the Bash software. The NIST vulnerability database
has rated this vulnerability 10 out of 10 in terms of severity.

HOW TO CHECK FOR VULNERABLE SHELL:

To determine if a Linux or Unix system is vulnerable, run the following commands in your Linux shell:
env X="() { :;} ; echo shellshock" /bin/sh -c "echo completed"
env X="() { :;} ; echo shellshock" `which bash` -c "echo completed"
If you see the word "shellshock" in the output, errrrr, then you are at risk.
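
The same check can be run against every shell installed on a host rather than one at a time. The script below is an added example, not part of the original article: it reuses the probe shown above, and the function names and the use of /etc/shells as the list of shells to test are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# classify_probe_output TEXT -> "vulnerable", "not-vulnerable" or "skipped"
classify_probe_output() {
    case "$1" in
        *shellshock*) echo "vulnerable" ;;      # trailing code was executed
        *completed*)  echo "not-vulnerable" ;;  # only the -c command ran
        *)            echo "skipped" ;;         # shell did not run the probe
    esac
}

# probe_shell PATH -> runs the article's probe against one shell binary.
probe_shell() {
    if [ ! -x "$1" ]; then echo "skipped"; return 0; fi
    # X looks like an exported function followed by a trailing command.
    out=$(env X='() { :;} ; echo shellshock' "$1" -c 'echo completed' 2>/dev/null </dev/null) || true
    classify_probe_output "$out"
}

# audit_shells [FILE] -> prints "path result" for /bin/sh and every shell
# listed in FILE (default /etc/shells); returns 1 if any is vulnerable.
audit_shells() {
    list=${1:-/etc/shells}
    shells=/bin/sh
    if [ -r "$list" ]; then
        shells="$shells $(grep -v '^[[:space:]]*#' "$list" || true)"
    fi
    rc=0
    for s in $shells; do
        result=$(probe_shell "$s")
        echo "$s $result"
        if [ "$result" = "vulnerable" ]; then rc=1; fi
    done
    return "$rc"
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then audit_shells; fi
```

Invoked with --audit, the script prints one line per shell and exits non-zero if any of them printed "shellshock", which makes it usable from a patch-verification job.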

BASH BUG PATCH
Disabling any CGI scripts that call on the shell is recommended, but this does not fully mitigate the
vulnerability. Many of the major operating system and Linux distribution vendors have released new
Bash versions today, including:

> Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
> CentOS (versions 5 through 7)
> Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
> Debian

If your system is vulnerable to the Bash bug, you are highly recommended to upgrade your Bash
software package as soon as possible.
