Qualys Blog

Johan Brissaud

Shellshock: Is Your Webserver Under Attack?

Shellshock has just appeared and already it has left the security industry stunned. Discovered by Stéphane Chazelas of Akamai in bash (the Bourne Again SHell), this new vulnerability is very simple to exploit. And because Bash is everywhere on Linux and UNix-like machines and interacts with all parts of the operating system, everyone anticipates that it will have lot of repercussions.

How Shellshock Works

When a new bash process is launched, it comes with shell variables propagated from the parent process environment (ex: MY_ENV="ENV_VALUE"). But bash also supports a feature allowing the propagation of shell functions. When imported from the environment, shell functions are named by the environment variable name ("MY_ENV" in this case). And the function definition will be contained in the environment variable value starting by "() {".

The problem occurs in the bash parser, which incorrectly does not stop processing after the function definition, continuing to analyze the remaining string and executing the shell commands that follow the function definition. As soon as bash is spawned with an environment variable with a value in the format of "() { ignored; } ; command", the defective function parser is activated and the extra command is executed during the shell instantiation.

What is truly scary with this newly discovered vulnerability is the sheer number of potential attack vectors. Many systems use user provided data to feed environment variables. Problems have already been identified in SSH which allow bypassing restrictions set by administrators (limited shells). DHCP attacks will soon appear, allowing fake DHCP servers to execute shell commands on vulnerable DHCP clients. And we can already predict the appearance of application-specific attacks in lots of domains, e.g. SCADA systems and embedded systems.

But many researchers agree that the most critical attack vector is web servers. Exploitable remotely and with thousands of vulnerable machines accessible on the Internet, experts are currently waiting for the first mass exploitation worm to appear.

How Shellshock is Impacting the Web

With the CGI specification, a webserver maps some part of the web request to environment variables accessible by CGI scripts. For example, the host header will be accessible through the environment variable REMOTE_HOST. The protocol part of the request will be accessible through HTTP_PROTOCOL. Specific headers will be mapped to environment variables as well. Since all of these values are fully controlled by an attacker, he is able to inject environment variables inside all bash process spawned by a web server under the CGI specification. This will occur directly if the CGI script is programmed in bash or indirectly by system calls inside other types of CGI scripts since the environment will propagate to the sub-shell. The vulnerability will automatically be triggered at the shell process instantiation. Furthermore if specific headers are used as attack points, the payload may not appear in the webserver logs, letting a compromise occur with virtually no trace of the intrusion.

In short, all bash CGI scripts are currently vulnerable to stealth remote command execution attacks. And a lot more potential holes lie just under the surface.

The Good News

From the filtering point of view, this attack is very easy to detect. The payload has to begin by a easily detectable string "() {". Furthermore, it contains a classic remote command execution pattern: a command sequence meta character ";" followed by a shell command.

This fact is well understood by the security researcher who discovered the vulnerability, and Shellshock has been carefully disclosed under embargo to key administrators to incite them to activate network based filtering capabilities. RedHat has already issued some recommended mod_security rules to block this attack, and most other WAF vendors will do the same very soon.

How Qualys Web Application Firewall is Handling Shellshock

Since the first release of the Qualys Web Application Firewall, both variants of ShellShock (CVE-2014-6271 and CVE-2014-7169) are detected by default. The scoring engine rates these attacks as critical. Detection confidence is high, so it is configured to be blocked automatically in the normal and aggressive setting.

Leave a Reply