NetFort Advertising

Detecting CVE-2014-6271 Bash Vulnerability ShellShock Attempts


What is with all these new fun and exciting vulnerabilities we have encountered recently like Heartbleed and ShellShock?

Both of these are a very big deal for anyone in IT whether you are in a general admin role or an IT Security position. In most cases, it will be up to system administrators and software companies to issue patches.

Both have existed for years and remained unnoticed or have they? Someone else has surely noticed these before they had been made public and abused them to gain access to systems and this does not just include Government Actors who are known to hoard all of the vulnerabilities they find but Threat Actors too just out to infiltrate as much as they possibly can and cast the widest net they can and ultimately becoming an Advanced Persistent Threat (APT).

Regarding the name ShellShock it seems to have originated from this twitter page by Andreas Lindh and Robert Graham the image above is also Andreas creation and is quite a cool image at that which grabs your attention. The researcher who discovered it however was Stephan Chazelas.

In my short video which you watch below I show you how easy it actually is to exploit this vulnerability of which has many different attack vectors which include Linux OS, Apple OS, DHCP, SSH, OpenSSH, OpenVPN, Apache, Embedded devices, rooted phones, SCADA systems powering our infrastructure, the list goes on and if you are using Windows and have CygWin installed you may also be vulnerable to the recent vulnerability.

Looking at one of these different vectors and breaking down this vulnerability in an Apache environment which requires mod_cgi to be enabled is quite simple for the Threat Actor who has found this vulnerability on your server possibly by using curl to see what headers are available to them.

  • Now if we look at the file output in the cgi file we just created you will see a similar output:
  • Next the attacker tries to connect to your Apache server using curl and the handy User-Agent flag in curl with netcat listening on the attacking machine:
  • Curl using the User-Agent flag creating a reverse tcp shell on the target machine with the bash vulnerability:
  • Looking at the initial curl command a bit closer we can see that the host has accepted our connection attempt and the User-Agent flag contains the reverse shell back to the attacking machine:

As of the 7th of October 2015, Malware Must Die posted on their blog the threat known as “Mayhem” in which the white-hat security research workgroup performs a detailed analysis of the infection and warns that we have not seen the final wave of this bash vulnerability yet.

What have we learned from this vulnerability? Maybe that we should not always take for granted that we are secure and that the best form of defense is a layered approach which incorporates NetFort forensics in which you can look back in time and see what happened in the event of a breach.

I know for a fact that some people out there would not have known their systems had been hit had they not been able to go back a few days or months simply and quickly to check with a nice report and pass it on to their security team to investigate with all the detail required to pass on to the authorities if needed.

Know your traffic.

Keith Bennett