Weeks after the Shellshock vulnerability in the Bourne-again shell (Bash) was first publicized, the Unix shell flaw is being linked to a variety of emerging attacks, including an alleged attack against Yahoo Inc.
The originally reported Bash vulnerability, CVE-2014-6271, presented attackers with an easily exploitable flaw that could be triggered remotely by appending malicious code to the end of a function definition that Bash reads from an environment variable. The bug represented a major security issue for Linux-based systems, which ship Bash by default, and has since been used by attackers against a variety of targets.
New Bash security flaws found in NAS products, SSH key management
For instance, James T. Bennett and Josh Gomez, researchers with advanced threat-detection vendor FireEye Inc., said in a blog post last week that the Milpitas, Calif.-based company had spotted Bash exploits against network-attached storage (NAS) systems. The exploits gave attackers full access to certain NAS systems, according to the FireEye researchers, who warned that key enterprise systems could be vulnerable; NAS is often used by corporations to house databases and store large quantities of files.
"We have evidence that attackers are actively exploiting the time-to-patch window and targeting embedded devices, specifically those made by [NAS vendor] QNAP, in order to append their SSH key to the authorized_keys file and install an ELF backdoor," said FireEye's Bennett and Gomez. "Based on the sheer number of devices [that] run an embedded Linux OS and the time-to-patch window, we feel the potential for wide-scale compromise of network-connected personal and business data storage systems is very high at this time."
Tatu Ylönen, chief innovation officer for Helsinki-based SSH Communications Security Corp., noted in a press statement that Shellshock can indeed be used by malicious actors to inject a Secure Shell (SSH) key, giving them a way to remain unnoticed for years if such keys aren't managed.
"This emphasizes the importance of properly scanning and managing SSH keys," said Ylönen. "It is not enough to just discover the keys -- they must be also compared and audited against approved keys."
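As an added example (not part of the article, and not SSH Communications Security's tooling), the kind of check Ylönen describes: compare the keys actually present in an authorized_keys file against an approved inventory, matching on key material rather than whole lines so that per-key options and comments cannot mask an unapproved key. The sample files and every key blob in them are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit an authorized_keys file against an approved-key list.
# Keys are compared on key material (type + base64 blob) only, so options such
# as command="..." and trailing comments do not affect the comparison.
# Every key blob below is a constructed placeholder, not a real key.
WORK=$(mktemp -d)
AUTH_FILE="$WORK/authorized_keys"
APPROVED_FILE="$WORK/approved_keys"

# Constructed authorized_keys: two sanctioned keys plus one appended by an intruder.
cat > "$AUTH_FILE" <<'EOF'
# keys for the backup account
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeApprovedKey0001 alice@workstation
command="/usr/local/bin/backup",no-pty ssh-rsa AAAAB3NzaC1yc2EFakeApprovedKey0002 backup@nas

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeUnknownKey0003
EOF

# Constructed approved inventory: the same two sanctioned keys, stored without options.
cat > "$APPROVED_FILE" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeApprovedKey0001 alice@workstation
ssh-rsa AAAAB3NzaC1yc2EFakeApprovedKey0002 backup@nas
EOF

# key_material FILE: print "type blob" for each key line, skipping blank and
# comment lines and any leading option list (command=..., no-pty, ...).
key_material() {
  awk '
    /^[[:space:]]*(#|$)/ { next }
    {
      for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); break }
    }' "$1"
}

# audit_authorized_keys AUTH APPROVED: print every key present in AUTH but not in
# APPROVED; exit status 0 if all keys are approved, 1 if any are not.
audit_authorized_keys() {
  key_material "$2" | sort -u > "$WORK/approved.norm"
  key_material "$1" | sort -u > "$WORK/present.norm"
  comm -23 "$WORK/present.norm" "$WORK/approved.norm" > "$WORK/unapproved"
  cat "$WORK/unapproved"
  ! [ -s "$WORK/unapproved" ]
}

audit_authorized_keys "$AUTH_FILE" "$APPROVED_FILE" \
  || echo "unapproved key(s) found in $AUTH_FILE" >&2
```

Run against a real host's file, the only line printed is the key material that is not in the inventory, which is exactly what an appended intruder key looks like.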
New vulnerabilities may render Bash patches ineffective
As enterprises race to apply vendor-supplied patches before attackers can exploit Bash security flaws, new research suggests many patching efforts to date will prove ineffective, likely leaving IT security teams to deal with another round of software updates.
In a blog post last week, Michal Zalewski, a security researcher with Google Inc. and renowned bug hunter, revealed two more Bash vulnerabilities, CVE-2014-6277 and CVE-2014-6278, both found by building on research into the original Shellshock flaw.
Zalewski said that CVE-2014-6277 is perhaps the less interesting of the two findings because it requires a "degree of finesse" to exploit compared with the original bug, but the memory-corruption flaw could still allow remote code execution if exploited.
CVE-2014-6278, however, can be exploited largely in the same manner as the original Shellshock vulnerability, namely by appending code to a function definition passed to Bash in an environment variable. The problem with Bash, noted Zalewski, is that its internal parser continues to parse code past the end of a function definition.
"At that point, [Bash] flat out executed whatever instructions it came across, just as it would do in a normal bash script," said Zalewski, adding that a patch from Red Hat Product Security researcher Florian Weimer also fixes CVE-2014-6278. "Given that the value of certain environmental variables can be controlled by remote attackers in quite a few common settings, this opened up a good chunk of the Internet to attacks."
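An added example (not from the article, Zalewski or Red Hat) of how a defender verifies that a Bash build carries the fix described above: the first check passes a function definition with a trailing command through the environment and confirms that the trailing command is ignored; the second confirms that exported functions now travel in specially prefixed variables, the encoding the fix introduced so that ordinary variable values are no longer parsed as function code. The path to the Bash binary is a parameter; the function and marker names are arbitrary.

```shell
#!/bin/sh
# Added example: verify that a Bash binary no longer executes text appended to
# a function definition imported from the environment (CVE-2014-6271 behaviour).

# shellshock_check [BASH]: exit 0 if the trailing command is ignored (patched),
# 1 if its marker shows up in the output (vulnerable), 2 if BASH cannot be run.
shellshock_check() {
  bash_bin="${1:-bash}"
  command -v "$bash_bin" >/dev/null 2>&1 || return 2
  # The marker sits only after the function body; a fixed parser stops there.
  out=$(env 'probe=() { :; }; echo SHELLSHOCK_MARKER' \
            "$bash_bin" -c 'echo probe-done' 2>/dev/null)
  case "$out" in
    *SHELLSHOCK_MARKER*) return 1 ;;
    *)                   return 0 ;;
  esac
}

# exported_functions_prefixed [BASH]: exit 0 if an exported function appears in
# the environment under a BASH_FUNC_<name> variable (the post-fix encoding),
# 1 if it is still exported under the bare function name, 2 if BASH cannot run.
exported_functions_prefixed() {
  bash_bin="${1:-bash}"
  command -v "$bash_bin" >/dev/null 2>&1 || return 2
  vars=$("$bash_bin" -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null)
  case "$vars" in
    *BASH_FUNC_probe_fn*) return 0 ;;
    *)                    return 1 ;;
  esac
}

# report [BASH]: human-readable summary of both checks; exit status as shellshock_check.
report() {
  rc=0; shellshock_check "$1" || rc=$?
  case $rc in
    0) echo "$1: trailing command ignored (patched)" ;;
    1) echo "$1: trailing command EXECUTED (vulnerable)" ;;
    *) echo "$1: not found" ;;
  esac
  if exported_functions_prefixed "$1"; then
    echo "$1: exported functions carry the BASH_FUNC_ prefix"
  fi
  return $rc
}

report "${1:-bash}" || true
```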
In a separate discovery this week, researchers at Belgium-based advisory firm The Security Factory uncovered a flaw in Windows shells that could be exploited in a similar fashion to Shellshock, potentially exposing Windows-based systems.
Though Windows systems remain unaffected by any Bash security vulnerabilities, the company said on its website that the built-in environment variable "%CD%" could be utilized to manipulate other variables in limited cases, notably old file servers that run outdated scripts.
In one scenario the company described, an attacker creates a directory with a malicious name on a file server; when a script changes into that directory and expands %CD% unquoted, the embedded command runs and could install malware on the victim's machine.
In response to The Security Factory's research, Microsoft said it would not release a patch because the issue is a result of running a vulnerable script, and advised enterprises to simply wrap %CD% in quotation marks to resolve the issue.
The Security Factory warned, however, that the file-server exploit demonstrated on its website is just one of several potential exploit avenues available to attackers.
"Any other way found by an attacker to insert an '&' in a custom or built-in environment variable could trigger malicious programs, when used by a command-script," said The Security Factory on its website. "For example, a domain-user containing an '&' character in its name (%USERNAME%) could in the same manner trigger malicious code, although an effective exploit scenario has not yet been identified for this case."
Yahoo CISO denies Bash-related server exploit
Meanwhile, Yahoo CISO Alex Stamos has denied claims made by Future South Technologies LLC President Jonathan D. Hall that the Web giant was victimized by attackers utilizing the Bash security flaw.
According to Hall's research, Romania-based attackers infiltrated multiple servers on the Yahoo network by running scripts designed to force those systems to join a botnet used for DDoS attacks. Hall also hinted that the attackers were working toward gaining control of Yahoo Games servers, which could potentially serve up Java-based exploits to millions of online visitors.
In a post on the Hacker News forum, Stamos said that Yahoo's systems have not been breached in the manner described by Hall, though he noted that three of Yahoo's Sports API servers were hit by attackers who were probing for systems vulnerable to the Bash flaw. Stamos further clarified that the affected servers had been isolated from the rest of the Web giant's network.
"We conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: not Shellshock," said Stamos, though Hall does not accept those details. "Let this be a lesson to defenders and attackers alike: Just because exploit code works doesn't mean it triggered the bug you expected!"