ITNE2002 Network and Security: Shellshock-The Bashdoor of Linux

is more vulnerable compared to the most recent found vulnerability “HeartBleed” (Delamore and Ko 2015). Even though the typical users do not access the BASH but system administrators do need them as it enables them to issue commands to manage the services.    

The way of exploitation

In Linux, the environment variables give an approach to impact the behavior of the software used on a system (Mary 2015). It is frequently utilized to give a shell to a remote client/users through the telnet, Ssh), a parser to decrypt the CGI scripts used in Apache or others or even give restricted command execution support to the users.

  In addition to that, as the users are able create and add variables and assign, values to that the variables even before the bash shell is called.  This kind of users created variables contains code that is executed by the shell at the time the Bourne shell is invoked.

This vulnerability is considered as a major problem for the UNIX like operating system environments as this vulnerability does not ask need for specialized technical knowledge of the attacker or the intruder but provides a very simple way of acquiring control of a targeted computer or network  and force   it to run any type of code.

 In the event of exploiting a system using the Shellshock vulnerability, the attacker need to inject some environmental variables into Bash of the targeted system so that they can spawn shells on it to execute commands on it. This technical process is actually much easier than it sound, because in most of the cases it is found that some configurations of the web servers will do this for the attackers to exploit the vulnerability. Whenever a user is browsing web and request some web page from any server, they send various types of data, like a “bit” of text that helps in the identification of the browser of the user and cookies that are just strings in which the user can put anything (Delamore and Ko 2015).   If it is found that, the website uses computer generated images (CGI) in order to create the requested page then it passes this type off data to some environmental variable in the Bourne shell.  Thus if some code is utilized in order to generate requested web page is able to spawns a shell then the attacker uses this provided data to launch the attack on the server.

 According to different researches it is found that the GNU Bash processes trailing strings or texts after function definitions that are provide in the environment variables (Mary 2015). This mechanism allows attackers to have privilege so that they can execute arbitrary malicious code using crafted environment variables (Pretorius and van Niekerk 2015). This can be done by vectors involving the Force Command feature in OpenSSH sshd, the mod_cgid and mod_cgi modules in the Apache Server. The command scripts executed by undetermined or unspecified DHCP clients in the network.

Potential impact on the users 

Once any attacker exploits the Shellshock vulnerability of the system of any user then they can do almost anything with the system they want to perform. This includes deletion of files, change in the firmware, configurations etc. Different demos and Kits are available and easily   accessible over the internet to exploit this Bashdoor. In addition to that if the vulnerable devices uses HTTP for data transmission, then a simple command enables the attackers to run any malicious code on the selected remote device of the user (Delamore and Ko 2015). The structure of the code is same as given format,

 Curl -v -A '() {:;}; <some malicious code> <The IP of the device>

Some of the malicious codes that can be used by the attackers includes the following:

Scan for the vulnerable servers or devices in a network

  In this scenario a single line of code will force the targeted server or system to ping to the attacker’s system along with a unique hash value such as “sdasdasd321d34d” (Mary 2015).  After this every device that responds to the attackers ping with the same hash value becomes vulnerable. Example of such code is,  Ping –c 1 –p sdasdasd321d34d.

Denial of Service attacks  

The given code below will help the attacker to make the device wait for 40 seconds and thus consequently slow down the operation of the device (Pretorius and van Niekerk 2015). A full-fledged DOS attack would also requires additional operations that are similar to the previous one:

/bin/sleep 40| /sbin /sleep 40|/usr/bin/sleep 40

Acquiring full control over the device

 In order to execute the ultimate threat for the client systems, attackers uses different commands to download and have remote access to the users system.

Examples of exploitation 

After the discovery of the vulnerability, the area of impact of it is still being investigated by the experts; it is presumed that different Internet-accessible device and systems, like e-mail servers, web servers, DNS servers that uses the BASH in order to connect to concerned operating system, could be severely affected by the attacks exploiting this specific vulnerability. Even though BASH is found mainly on Unix-based operating systems, but infrastructures currently using Windows operating system based devices may still be vulnerable (Delamore and Ko 2015). The reason behind this can be stated the windows based systems are leveraging from the applications that are vulnerable due to its exploitations.  The BASH of the UNIX based systems are also found on embedded systems and different “Internet-of-things” devices.

This vulnerability of bash allows malicious users/attackers to remotely execute different scripts according to their choice by transmitting malicious commands/scripts to the connected system (Mary 2015). Execution of this kind of malicious code allows the attackers to launch and run executables of software on the target system, create connections to another selected system, or malware.

Conclusion

The Shellshock vulnerabilities helps the users to use Bash of a system to forcefully execute different malicious codes/commands passed with the shell command.  This exploitation of the vulnerability includes writing and reading of data, modifications of access rights by the attacker and other basic operations that an administrator can do with the system. Attackers could also utilize this BASH vulnerability to get sensitive data from the compromised system, like authentication data for any user, credit card or other financial details or other sensitive information that are stored on the device or exploited system.

References 

Castro Lechtaler, A., Liporace, J.C., Cipriano, M., García, E., Maiorano, A., Malvacio, E. and Tapia, N., 2015. Automated Analysis of Source Code Patches using Machine Learning Algorithms. In XXI Congreso Argentino de Ciencias de la Computación (Junín, 2015).

Craigen, D., 2014. Assessing Scientific Contributions: A Proposed Framework and Its Application to Cybersecurity. Technology Innovation Management Review, 4(11).

Delamore, B. and Ko, R.K., 2015, August. A global, empirical analysis of the shellshock vulnerability in web applications. In Trustcom/BigDataSE/ISPA, 2015 IEEE (Vol. 1, pp. 1129-1135). IEEE.

Hofbauer, S., Beckers, K. and Quirchmayr, G., 2015. Defense Methods against VoIP and Video Hacking Attacks in Enterprise Networks.

Mallett, A., 2015. Mastering Linux Shell Scripting. Packt Publishing Ltd.

Mary, A., 2015. Shellshock Attack on Linux Systems-Bash. International Research Journal of Engineering and Technology, 2(8), pp.1322-1325.

Pretorius, B. and van Niekerk, B., 2015, January. Cyber-Security and Governance for ICS/SCADA in South Africa. In Iccws 2015-The Proceedings of the 10th International Conference on Cyber Warfare and Security: ICCWS2015 (p. 241). Academic Conferences Limited.

Sahel, S., 2015. Circumventing Insider Trading Laws by Cyberhacking: A Look into the Vulnerability of Cybersecurity Breaches in Regard to Insider Trading. J. Int'l Bus. & L., 15, p.239.

Stasinopoulos, A., Ntantogian, C. and Xenakis, C., 2015. Commix: Detecting and exploiting command injection flaws. Department of Digital Systems, University of Piraeus, BlackHat Europe, Nov, pp.10-13.

Whitelaw, C., 2015. Precise Detection of Injection Attacks on Concrete Systems.