Bash ‘Shellshock’ Bug – Now You Can Panic

UPDATE: The initial round of patches to fix CVE-2014-6271 has proven ineffective at fully resolving the issue; a new CVE identifier, “CVE-2014-7169”, has been issued. Use this to track news and updates regarding this bug and patch status.

Remember Heartbleed? Get ready to bleed again: ‘Shellshock’ looks set to equal or even exceed it.

Got anything nice planned for the weekend?

Huh?

A short while ago it was publicly revealed that a massive security hole, formally named ‘CVE-2014-6271’ and recently christened ‘Shellshock’, exists in the Bourne Again Shell. Commonly known as ‘bash’, this command-line interface ships by default with almost all modern distributions of Linux, many commercial variants of UNIX and UNIX-like systems, embedded systems, NAS systems and Mac OS X, where Bash is the default shell; currently this includes all versions subsequent to 10.2 (earlier OS X versions shipped with tcsh rather than bash). If you have installed Bash from ported code, even FreeBSD and OpenBSD can be affected, although the base installation for these systems seems secure for now.

To quote directly from the official announcement:

Bash supports exporting not just shell variables, but also shell functions to other bash instances, via the process environment to (indirect) child processes. Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment. The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition.

The critical bug permits arbitrary code to be appended to an environment variable within a Bash environment, or within a service relying upon Bash to process environment variables. This last point is especially concerning, as large tracts of familiar services rely heavily upon Bash processing and Bash environment variables for basic functionality. You may think that your machine doesn’t interact with any Bash scripts, but if your web application runs shell commands through a call like exec(), the potential for exploitation still exists.

Push it. There's never been a better time.

Machines vulnerable to this bug are subject to, at the very least, the following remote exploitation:

    • Fork bombing – instant remote Denial-of-Service with a single GET request
    • Data theft – any file accessible (/etc/shadow anyone?) can be exfiltrated
    • Ping flooding – any server can be co-opted to flood-ping another, instant DDoS potential
    • Backdoor installation – a shell can be spawned and bound to a port on the server
    • Rootkits – malicious code can be downloaded from elsewhere and executed directly

Due to the ubiquity of the Bash interface, and how deeply interwoven it has become with standard network services such as OpenSSH, Apache webservers, the Common Gateway Interface and any number of daemons like DHCP, it is now trivial to remotely exploit a Bash-dependent service for arbitrary code execution.

A not-so-subtle visual metaphor for our current situation

This is just as bad as it sounds. A quick Google search for vulnerable CGI servers reveals results numbering in the millions.

Who is at risk?

Anyone responsible for a machine that runs Bash, right now, personal or otherwise, that is even vaguely connected to the internet. That’s a sizeable chunk of normal internet users with computers running Mac OS X or any Linux-like operating system; this can include Android versions that run bash, and it can include your home servers and NAS boxes if they run embedded Linux with Bash.

It also includes an enormous proportion of what people think of as ‘The Internet’: production servers, web servers, firewalls and databases. Anything that is touched by the current Bash codebase is plagued by this vulnerability and must be patched immediately.

The smart money says, all these servers need a patch

What can I do?

Update your Bash-enabled systems, all of them. Right. This. Second. Stop reading this blog post and apply your patches. If a patch is unavailable, apply mitigations as suggested by your vendor until the patch is released; if no mitigations are available either, consider creative alternatives or negotiate with your software vendor until they make some available. Once that is done, check with the following Bash code snippet:

x='() { :;}; echo vulnerable' bash -c 'echo test complete'

The -c argument makes Bash run a single command and exit rather than leaving you in a nested shell. If your command line then outputs the string ‘vulnerable’, bad luck: you have a problem, as a patch is not yet available for your system and it remains vulnerable to attack. It is critical that you pursue a patched status as aggressively as possible; this is honestly not something that can wait longer than it needs to. Keep an eye on the news released by your software vendor; Apple in particular can occasionally be somewhat reticent in their patching of major vulnerabilities.

Seriously Apple, no rush fellas.

Certain vendors such as RedHat are producing quick-fix mitigations to reject the incoming bad code, but with the variety of vectors as poorly understood as it is, it is unlikely that all avenues can be covered by band-aid solutions. The only true path to salvation is to apply all the patches from the Bash upstream codebase and rebuild / update your Bash installation.

For critical machines without available patches, the good option is to rebuild the Bash packages manually with the updated source code. The procedure varies from system to system; we can only advise you to refer to the current upstream codebase for rebuild instructions.

If it is simply impossible for a machine to receive a patched Bash version, the easiest solution is simply to eliminate the possibility of Bash being called. This can be accomplished by altering the file structure so that calls to Bash go to Dash or another unaffected shell instead. This may very well break some scripts or calls, so use with extreme caution:

$ mv /bin/bash /bin/_bash
$ chmod ugo-x /bin/_bash
$ ln -s /bin/dash /bin/bash

Why all the concern?

For a start, Proof-of-Concept exploit code is already floating around on Pastebin, so the cat is very much out of the bag mere hours after the official announcements. Patches have already been released by major vendors to coincide with the lifting of the public embargo on this information, so the security teams of major Linux distributions certainly consider it of the very highest priority.

Depending on system configuration and levels of inbuilt security, the potential vectors include, but are in no way limited to, the following:

    • Malicious HTTP-GET requests running code against public-facing web servers
    • Crafted SSH connections abusing allowed scripts like rsync and rlogin
    • Crafted CUPS print requests delivering exploit code between networks
    • Rogue Wifi Access Points delivering hostile code via the DHCP negotiation process

The full range of vectors by which this bug can be exploited hasn’t been explored yet, but even the earliest indications are all bad news and getting worse. Remote code execution appears to be a reality for the overwhelming majority of Bash-enabled systems, which in turn represents the majority of internet-connected computers.
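The announcement quoted earlier says an exported function definition starts with “() {”, and the first vector listed above is an HTTP request. As an added example (not part of the original post), the shell function below scans a web server access log in Apache combined format for that marker in the request line, Referer or User-Agent. The function names scan_shellshock and sample_log are hypothetical, and the log lines are constructed samples using documentation addresses.

```sh
#!/bin/sh
# Added example: flag access-log entries that carry the "() {" prefix of an
# exported Bash function definition in a client-controlled field.

# scan_shellshock [FILE...]
# Reads combined-format log lines from the named files (or stdin) and prints
# one line per hit: "<client-address> <field>", where <field> is request,
# referer, user-agent, or unparsed.
scan_shellshock() {
    awk -F'"' '
        # Cheap pre-filter: skip lines that do not contain the marker at all.
        index($0, "() {") == 0 { next }
        {
            split($1, head, " ")      # head[1] is the client address
            hit = 0
            # A well-formed combined-format line splits into 7 pieces
            # on double quotes: prefix, request, status, referer, gap, agent, tail.
            if (NF == 7) {
                if (index($2, "() {")) { print head[1], "request";    hit = 1 }
                if (index($4, "() {")) { print head[1], "referer";    hit = 1 }
                if (index($6, "() {")) { print head[1], "user-agent"; hit = 1 }
            }
            # Escaped quotes or another log layout: still report the line
            # so that it gets looked at by hand.
            if (!hit) print head[1], "unparsed"
        }
    ' "$@"
}

# Constructed sample input (not real traffic).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "() { :;}; echo vulnerable"
203.0.113.44 - - [25/Sep/2014:10:02:30 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "() { :;}; echo vulnerable" "curl/7.38.0"
203.0.113.45 - - [25/Sep/2014:10:03:00 +0000] "GET /help?q=a() HTTP/1.1" 200 100 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Sep/2014:10:04:11 +0000] "GET / HTTP/1.1" 200 88 "-" "() { :;}; echo \"vulnerable\""
EOF
}

# Demonstration run over the constructed sample.
sample_log | scan_shellshock
```

A hit only shows that a request carried the marker, not that the server was vulnerable; the Bash check earlier in the post still has to be run on the host itself.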

An even less subtle visual metaphor for next week’s situation

Crucially, this form of vulnerability is very attractive to the authors of malware, viruses and worm code due to its simplicity, flexibility and universal presence.

Patch Bash as soon as possible.

Google Hacking – Making Use of the All Seeing Eye

You don’t need me to tell you that the Google search engine is a vast and powerful tool, or that, Tor aside, it pretty much holds the whole of the Internet in the palm of its hand. What you may not know is that the Google behemoth might have more information about your websites than you do (or at least, more than you would like it to).

But the good news is that, using a technique known as Google Hacking, it’s quite simple to leverage Google’s extensive resources to your advantage, effectively turning the search giant into a quick, cheap and easy tool to detect vulnerabilities and alert you to malicious activity on your websites.

I Spy With My Little Eye
Credit: Fabio

Google Hacking – What is it?

Don’t be put off by the flamboyant name; Google Hacking is actually just making clever use of Google’s built-in Advanced Operators to search for telltale signs of abuse, vulnerabilities, or just information you’d prefer wasn’t publicly accessible.

Is it Legal?

Against domains for which you are the administrator, or are otherwise appropriately authorised, Google Hacking is definitely legal (in the UK at least). Beyond that, we would strongly discourage you from trying these techniques out on other websites. If in doubt, always err on the side of caution.

One thing to note at this point; making repeated searches using advanced operators can appear suspicious, and is likely to trigger Google’s own security alerts. While experimenting, expect to solve a captcha (to prove you’re not a bot) every now and then.

Google may think you’re a robot, try not to take it personally!
Credit: Jeff

How can I use it?

Google operators are added as part (or even the entirety) of a search query, and use the following syntax:

operator:term

Different operators can be combined, possibly along with a keyword search, to create a very specific overall search.

An important step to start with is to narrow your search to a specific domain. This is achieved by using the ‘site:’ operator, for example:

site:example.ox.ac.uk exam

This will search for the word ‘exam’, but only on pages in the example.ox.ac.uk domain.

Replace the word ‘exam’ with, for instance, the name of a common, branded pharmaceutical product, and you have a convenient way of checking whether any of your sites have been hacked and defaced with references to the aforementioned drug. Often, these defacements are done in such a way that they only become obvious when the site is accessed with the Google user agent, meaning you could visit the site normally via a browser every day and never find the problem.

The ‘inurl’ operator, predictably, searches for a term within the URL. This can be especially useful for turning up pages you’d rather weren’t Internet-facing, because if Google can find it, so can anyone who might just fancy trying to brute force an inadequate password, such as in the example below:

site:example.ox.ac.uk inurl:phpmyadmin/index.php

Another way to make use of Google hacking is to search for old (and vulnerable) web platforms. For example, the following could turn up webservers running IIS 5.0, based on their error messages:

site:example.ox.ac.uk intext:"404 Object Not Found" Microsoft-IIS/5.0

This post only covers a few examples of what can be achieved, but hopefully it will give you enough to get started and begin to see some results!

Is your website being used to peddle pills?
Credit: Mattza

What else can I search for?

Apart from experimenting with your own searches, the Google Hacking Database is an excellent resource. Many of the examples in this post come, in whole or in part, from this website. Google searches are recorded here under useful and faintly entertaining categories, such as ‘Files containing passwords’ and ‘Sensitive Online Shopping Info’.

5 Million Google Accounts Leaked

Details are emerging of a very recent large-scale leak of Google’s account database, centring around their flagship email service Gmail. Google’s official word on the subject can be read here.

CC Wikimedia Commons

The credentials were posted to a Russian Bitcoin mining forum earlier this week. It is understood that the list of compromised accounts has been in circulation since at least September 8th; the exact date of the compromise is thought to be around this time but is not precisely known.

Current estimates indicate that around 5 million Gmail credentials are involved in the current leak, although what proportion of them are currently active is unclear; Google themselves are estimating only 2% of the leaked credentials are current credentials. What is clear is that at least some users of Gmail will need to look into changing their passwords as soon as possible, and there is currently no way of knowing which credentials are ‘live’ and which are not.

What can I do?

OxCERT currently advise all users of Google services, including Android Market Services and Chromecast devices, to review their passwords and to take this opportunity to update them. Regular password updates are always good practice, and this recent incident is sound motivation to apply a new and strong password to your Google accounts.

Users concerned about their Gmail security can visit a webpage run by Microsoft-employed security tester Troy Hunt, which (securely) checks your email address against this recent breach and many other data breaches against major service providers in recent years. The colourfully-titled ‘Have I Been Pwned?’ can be accessed from this link or by clicking the image below. This service checks your email address against the list of compromised accounts, and can indicate if you are at greater risk. Users are advised that this list is not perfectly accurate.

Well, have you?

A very important concern is that for the sake of convenience, many users like to use the same passwords for many different services, for example Facebook, Gmail, and University email.

If you have also used your current Gmail password for your University SSO credentials, OxCERT would strongly advise you to update your University credentials to a unique password as soon as possible.

"Good Morning Vietnam!" is a great password. "Grandma64" isn't.

Sharing passwords across accounts is generally ill-advised, and this incident highlights how easily a breach of a third party could potentially lead to a further compromise of your University email account and any other systems with which a user is entrusted access.

Kyle and Stan Malicious Advertising Network

OxCERT have been made aware of malicious adverts, placed on legitimate websites, which redirect to a network of sites that download malware. The malware served is bundled with legitimate applications; it varies based on the user agent and is known to target both Windows and Mac machines accordingly.

The adverts are understood to have first appeared in early May 2014, and have been displayed on several popular websites including amazon.com and youtube.com.

To help protect yourself, please remember:

  • Be cautious, even when visiting a site you trust
  • If a download begins unexpectedly, do not open the received file
  • Ensure anti-virus is installed and up to date*

* Please note, the “Kyle and Stan” network serves a subtly unique package of software every time; this interferes with anti-virus detection, proving that while anti-virus programs are important, they are by no means a panacea for all ills.

For further information please see Cisco’s excellent blog post: https://blogs.cisco.com/security/kyle-and-stan/

Beware of unexpected diversions
credit: Daniel Lobo

Scam Calls Claiming to be from IT Services

OxCERT have been made aware of scammers, calling from international numbers, claiming to be from “IT Services at 146 Banbury Road”. These calls seem to be in a similar vein to the “Microsoft” scam calls described here: http://www.actionfraud.police.uk/microsoft-reveals-extent-of-phone-scam-june11

Please note, the IT Services helpdesk does not make unsolicited phone calls. If you receive a call claiming to be from a representative of IT Services please exercise caution, especially if any of the following points apply:

  • You are not a member (or previous member) of the University
  • The call is unsolicited
  • The call comes from a number outside of the UK

If in doubt, we suggest asking the caller for a contact number; if they refuse to supply one, or give a non-Oxford (01865) number, it is highly likely to be a scammer.

If you are a member of the University of Oxford, and believe you may have fallen for this scam, please contact: help@it.ox.ac.uk

Further details will be added to this post as they become available.

A new twist on an old scam
credit: Frédéric BISSON

New e-Mail Malware Campaign, “Order Number…”

OxCERT have received a large number of reports regarding a large-scale malware distribution campaign currently targeting University staff and users.

This campaign operates by email, with the distinctive subject line ‘Order Number 86514719983’; the number seems to be random and many users are reporting many different numbers:

If you receive a mail like this, DELETE IT!

These emails universally offer a malicious attached .zip file with a string of random numbers in the name; the zip file contains a .dat and a .bat file, which contain strains of malicious software that are currently undetectable to most Anti Virus products.

To reiterate: most antivirus packages are currently ineffective against this malware.

The only defence is common sense; do not download attachments from emails with a subject line similar to ‘Order Number: 86514719983’ unless you have absolute faith that it is an expected and legitimate attachment. We are submitting samples to Sophos who will begin to update their signature database in due course, but the VirusTotal scores for this malware are still very poor:

Only a minority of AV packages detect this malware

Do not download these attachments, delete them from your machine if you already have.

Becoming infected by this malware depends on several factors:

  • You are running a Windows-based machine; Linux, Mac and others are unaffected
  • You have received and downloaded the .zip attachment
  • You have unpacked the .zip attachment, and executed the .bat file

If you have not run the files as described, you are likely not affected. If any users are concerned that they may indeed have run the compressed attachment, it is important to contact OxCERT immediately as your personal files and University credentials may be at risk. Please inform colleagues as appropriate.

UPDATE: The malware in question seems to be the well-known ransomware package CryptoLocker. This malware encodes all of the documents on the infected machine and then demands payment from the user in order to unlock the files again. If you see a screen such as the one below, your machine is infected with CryptoLocker. It is essential that you contact local IT Support.

I wouldn’t pay them a penny, either

UPDATE 2: A new variant of this campaign is being widely reported by University users, in which the .zip file is instead replaced by an .arj file containing the malicious .exe. It is important to note that very few cloud-based antivirus engines scan .arj files as they are quite obscure and deprecated compared to the popular formats .zip, .gz and .rar. This format is currently affecting the personal email accounts of certain staff, particularly Google users as Gmail does not scan .arj files either.

Stay safe out there.

Scam Emails Offering Legal Practice Course Funding

We’ve just been made aware of scam emails having been received by students at other Universities who have completed their law degree.  The scam falsely states that True Personal Injury Solicitors is a government body that can assist students by partially funding their LPC course.

There have been no reports of the scam being received by Oxford students as yet, but law students should keep an eye out. For more details see the Solicitors Regulation Authority Alert.

2014 FIRST Conference: Friday

Imperial Ballroom, Boston Park Plaza

The final day of the conference began with a keynote from Bruce Schneier of Co3 Systems, generous sponsors of the banquet on Wednesday. This was entitled “The Roles of People and Technology in Incident Response”. He discussed the types of attacks seen today, the contribution of network effects (and of vendor lock-in) in the IT market – arguably less of a problem in the security market, especially when it comes to incident response tools, but it is hard to identify the best products and they are generally not the most successful. He went on to discuss how humans can be bad at dealing with risks, especially when it comes to investing in mitigation against things that might not happen. Nevertheless, there is a growing realisation that security incidents are not a matter of “if” but “when”, and management are more willing to invest when they are scared. During questions Bruce touched on the subject of encryption, stating that while one-click email encryption with PGP exists, it is one click too many for most users.

Sailing on the Charles River

For the final talks I attended, Mikko Karikytö of Ericsson gave a high-level overview of an incident involving telecommunications fraud through one of their partners. This was followed by Jake Kouns and Carsten Eiram on “Evidence Based Risk Management and Incident Response”. While we may often be critical of the time it takes major software vendors to patch vulnerabilities, the situation can be far worse with manufacturers of SCADA (supervisory control and data acquisition) systems, who are relatively new to the security concepts long learned by the major IT companies. In one case a delay of 451 days was observed between the reporting of a vulnerability and patches being released.

Prudential Tower and Quest Eternal

The conference closed with a summary of some of the activities during the conference, thanks to all involved in making it a success, and not least the raffle for numerous vendor prizes. As is traditional, Masato Tereda presented the final results of his attempts to meet all conference attendees, and described this in the manner of a spreading malware infection, complete with CVSS scores and data in the STIX format for exchange of threat information.

As usual the conference has been a great success, and has included a number of enlightening talks on a huge range of topics, as well as the opportunity to meet with people from a wide range of countries, organisations and perspectives. For me, some of the most interesting presentations have been regarding the non-technical aspects of incident response, in particular effective collaboration between multiple teams, and the importance of regular incident response drills covering a range of scenarios, so that the organisation can respond more effectively when a major incident is for real.

2014 FIRST Conference: Thursday

Downtown Boston from the Arnold Arboretum

Day four of the conference started with a keynote from Intel’s Malcolm Harkins, “Business Control Vs. Business Velocity – Practical Considerations for Business Survivability in the Information Age”. This looked at the relationship between security teams and the needs of their businesses as a whole, with a philosophy of “protect to enable”. If security measures are seen by users as obstructive, they will work around them and potentially increase the overall business risk.

Johan Berggren of Google then spoke about digital forensics, in particular a tool named GRR (Google Rapid Response) devised to enable system forensics to be run across their systems, regardless of operating system or physical location, without the need for additional physical resources. Olivier Thonnard of Symantec followed this with a talk on the evolution of targeted attacks over the past three years. These themes then continued with Junghoon Oh of Ahnlab looking at forensic analysis of lateral movement of a targeted attack in a Windows environment, using some of the methods discussed earlier in the week.

Paul Revere: effective communicator

Peter O’Dell of Swan Island Networks spoke on the theme of “Cyber Security for Board of Directors and Senior Management”, looking at how to ensure that appropriate attention is given to cybersecurity risks at the top level within an organisation, with clear and effective communication of the risks, and realistic cost-effective proactive measures that can reduce them.

The final talk of the day looked at pBot botnets, something of an unusual family in that they take control of webservers as opposed to the desktop and laptop systems targeted by most botnets. Vulnerabilities in popular content management systems such as WordPress and Joomla are exploited using remote file inclusion attacks to take control of the systems, with a command and control infrastructure based upon IRC but generally running on ports more usually associated with other protocols.

USS Constitution

Presentations concluded early for the day in order to make way for the FIRST Annual General Meeting. This is always an important part of the conference and the need for all teams to be represented, either in person or by proxy, is repeatedly stressed. As well as elections for the steering committee, this year’s saw the approval of a major change to the structure of the organisation. Reports were presented on all major aspects of FIRST’s activities. Of particular interest to me was a comment by Seth Hanford of Cisco regarding the well-known Common Vulnerability Scoring System. Back in April, the Heartbleed bug struck, prompting Bruce Schneier to comment “On the scale of 1 to 10, this is an 11.” The current version of CVSS (version 2) scored Heartbleed a mere 5.0 (out of 10), which served both to highlight the need for an updated system and to demonstrate that a single numeric score cannot always summarise the full risk and impact of a particular vulnerability.

2014 FIRST Conference: Wednesday

Charles River and city skyline

The third full day of the conference began with a keynote presentation by Andy Ozment of the Department of Homeland Security, entitled “The Role of DHS in Securing our Nation’s Cyberspace”, exploring the business of protecting US government, businesses and critical national infrastructure, and the challenges of outreach at board level – a question raised far too frequently is “why would anyone want to hack us?”.

Next for me was a talk on open-source security issues, followed by one on identification of the “root” cause of reported incidents. The aim of this project is to produce a simple taxonomy through which, with the aid of a flowchart, the underlying cause of a security incident can quickly be identified as belonging to a number of basic categories, including zero-day exploits and socially-engineered vulnerabilities. We already use a system of standard incident categories which are based on the consequences of incidents; such a taxonomy should help us to record at a basic level the cause of each incident too, although inevitably a substantial number are likely to be of unknown cause.

Faneuil Hall

After lunch was a talk by Paul Vixie on the Operations Security Trust project, which aims to create a thriving community of trusted security colleagues through which sensitive and confidential information can be shared, without fear that the information may be used irresponsibly. I followed this with a talk by Pascal Arends of Fox-IT with the title “Investigator of Interest – Our Philosophy of Adaptive Incident Response to Turn the Tables During an Investigation”. This considered how to respond effectively to a major intrusion while unsure as to the extent of the intrusion or the extent to which the attackers are watching your response. Some tactics give far less away than others. For example, running tools such as tcpdump on a compromised server may be readily visible to the attackers; taking a copy of the traffic through a network tap is less noticeable but will require a temporary disconnection of the link; enabling a SPAN port on a switch will likely go unnoticed.

The penultimate talk of the day was one by Robert Pitcher from the Canadian Government regarding security exercises, and how to ensure that all those likely to be involved in response to a real-life incident can become familiar with their role through table-top exercises and incident simulations. This proved a most illuminating talk; it is evident that the University’s response to major incidents has at times been less than perfect and there is definite value in being better prepared so that when such incidents do strike, we can respond more quickly and effectively.

The concluding talk covered a malware analysis framework named Dorothy2. Malware analysis is a topic of particular interest to us, and while this may not be our chosen path as we develop our capabilities, it is interesting to hear about the alternatives available.

Not quite the Boston Symphony Orchestra...

Traditionally, the Wednesday evening of the FIRST conference is the conference banquet, and previous years are hard acts to follow, not least after the elephants last year. This year’s chosen venue was the seemingly more sedate Boston Symphony Hall, from the hotel a gentle walk through the Back Bay area of the city. The dinner itself took place in the main auditorium, and while it was only natural that there be a musical theme to the after-dinner entertainment, few of us quite knew what to expect. We were treated to a performance by local band Decades by Dezyne, featuring a variety of popular soul and R&B numbers, several costume changes and one or two surprise “guest appearances” including James Brown. In all a most enjoyable evening’s entertainment.
