UPDATE: Tripwire VERT has delivered robust coverage for the new ‘BashBug/ShellShock’ BASH vulnerability (CVE-2014-6271) in ASPL-582. To find the BashBug/ShellShock vulnerability in your environment with Tripwire IP360, simply update to the latest ASPL release and run your scans as usual.
Tripwire VERT is actively researching and investigating the many facets of the new ‘ShellShock’ BASH vulnerability, CVE-2014-6271, and expects to deliver coverage in ASPL-582 on Friday, September 26th.
ShellShock is a unique vulnerability due to the many attack vectors already identified and the assumption that many other vectors have not yet been identified. This vulnerability is a true remote code execution issue and has already been tagged with the term ‘wormable’.
ShellShock takes advantage of a vulnerability in BASH (one of the shells available on modern *nix operating systems). BASH is essentially a limited programming language and supports the declaration of both variables and functions (known as shell variables and shell functions). To store and use a function, the user updates an environment variable with the value of the function. However, BASH processes the entire value of the environment variable, which may include more than just the function definition.
As you can see, the whoami statement is executed. The bash call that follows the variable assignment is required because a new bash process has to read the environment variable and process it. This is why the vulnerability doesn’t execute as soon as you store the variable.
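The behaviour described above can be turned into a local check. This is an added example, not code from the original post or from the Tripwire VERT tool; the function names and the marker string are assumptions made for it, and the trailing command is a harmless `echo`.

```shell
#!/bin/sh
# Added example: local check for CVE-2014-6271. Names below are chosen for
# this example and are not taken from the Tripwire VERT tool.
MARKER="SHELLSHOCK_PROBE_MARKER"   # constructed, harmless marker string

# classify_probe_output OUTPUT -> "vulnerable" if the marker leaked into it.
classify_probe_output() {
    case "$1" in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "not vulnerable" ;;
    esac
}

# check_bash [PATH] -> prints the verdict for the bash binary at PATH
# (default: first bash on $PATH). Returns 0 clean, 1 vulnerable, 2 not found.
check_bash() {
    shell_path="${1:-$(command -v bash || true)}"
    if [ -z "$shell_path" ] || [ ! -x "$shell_path" ]; then
        echo "not found"
        return 2
    fi
    # The value is a function definition followed by one extra command.
    # Storing it does nothing; the extra command only runs when a vulnerable
    # bash starts and imports its environment, before it reaches -c.
    out=$(env probe="() { :;}; echo $MARKER" "$shell_path" -c 'echo done' 2>/dev/null) || true
    verdict=$(classify_probe_output "$out")
    echo "$verdict"
    [ "$verdict" = "not vulnerable" ]
}

# Report on the default bash when run directly.
check_bash || true
```

Pass a path to test a specific binary, for example a bash bundled inside a chroot or an application directory, rather than the first one on `$PATH`.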
Keep in mind that we’re looking at the local version of this vulnerability; there are many remote vectors. The most popular discussion point is the execution of CGIs on websites. Many CGIs pass data to BASH and all of them are vulnerable. In addition to CGIs, people have been discussing OpenSSH, DHCP, and a number of other potentially vulnerable services.
Tripwire Vulnerability Management Solutions
For today, we are releasing a tool, available from the Tripwire VERT GitHub, and custom rules for IP360 customers.
The tool can perform three styles of tests:
- Local test (of the bash shell)
- Remote HTTP(S) test
- HTTP(S) test based on spidering a local directory
Instead of target, you can use targets to specify a file with a list of address:port combinations and instead of path, you can use paths to specify a list of paths to test. Combined, you can use these to scan multiple locations quickly. Additionally, you can use the log option to write the results to a log file.
The IP360 Rules
You can add additional test paths / files by appending them to the paths list.
VERT is continuing to investigate other exploit vectors and vulnerable services, and we will continue to expand our coverage as we learn more about this vulnerability.