Shellshock bug exposes web servers, home routers

With Shellshock, the recently discovered vulnerability in Bash yet to hit full stride in exploitation, there are numerous systems and devices that are immediately at significant risk of exploitation across the Internet.  Neohapsis Labs has released advance Shellshock guidance to our clients, including immediate considerations, and short and medium term remediation steps to mitigate the impact of the vulnerability. What follows is a guest post by industry acclaimed journalist Byron Acohido on the immediate impact of this vulnerability:

Shellshock bug exposes web servers, home routers

By Byron Acohido

Yes, you should be very concerned about Shellshock, the latest software bug to arise with the potential to degrade the overall safety of the Internet by several notches.

Shellshock, also referred to as Bash, is a glaring weakness in an otherwise innocuous bit of coding that’s been around since 1987. Bash, shorthand for Bourne-Again Shell, is a program that allows you to type commands on computing devices that use the Unix, Linux, Apple Mac and Android operating systems. You’ve encountered  Bash if you’ve ever typed text commands on the black screen sitting behind the graphical interface of your computing device.

The existence of the Shellshock flaw was made public on Tuesday, riveting the attention of the global security community. It’s almost certain elite hacking groups have been aware of the vulnerability for some time prior, and have been taking advantage.

And now the rest of the cyber underground can make hay. The mad scramble is on. Much as they did earlier this year upon disclosure of the Heartbleed bug, companies of all sizes must identify and patch systems exposed to the Shellshock flaw.

“It’s at least equal to Heartbleed for sure,” says Garve Hays, software architect at NetIQ. “Heartbleed was ephemeral, you could gather personal data and move on. But with Shellshock, you can plant a backdoor on a server and stay there for years. It’s the gift that keeps on giving.”

Apache servers targeted

White hat researchers have begun probes to find vulnerable systems. The biggest, most obvious targets are Apache web servers. These Linux-based machines are used to run about one-third of the websites on the Internet.

“System administrators will be working long shifts to go through every single server, router and other piece of equipment that uses the bash shell,” says Jerome Segura, senior security researcher atMalwarebytes Labs.

Big enterprises have the resources and motivation to expedite patching. But hundreds of thousands of small and medium sized businesses will be slow to patch, or never patch at all. In the meantime, every hacker from script kiddies to spammers to account hijackers can now do simple reconnaissance to find and infect unpatched Apache web servers and related networking equipment.

“It’s a race against time,” Segura says. “The bad guys are hard at work trying to hack into affected systems.”

That’s just the first wave. Another obvious target that hacking gangs surely will triangulate are the routers used in home networks and small businesses. Up until about two years ago, Bash was widely used in Linksys, Belkin and many other brands of consumer-grade routers, says NetIQ’s Hays.

Home routers ripe for attack

So if you’re using an older router in a home or small business setting, you should assume the bad guys will soon turn their attention towards seeking out your unpatched router and taking control of it – because it’s simple and profitable to do so.

Bash also comes into play on certain Apple Macs, and certain older versions of Android handsets. Apple issued a statement saying the majority of Mac OSX users are safe from bash exploits.

Even so, it will take some time to determine the full extent of the ramifications of this flaw, says Dr. Mike Lloyd, CTO of RedSeal Networks.

“It’s relatively easy to tell whether the flaw is present, but it’s hard to tell if it’s reachable,” Lloyd says. “The maze of software and configuration interactions is too complicated for a human analyst to be able to say categorically ‘the cheese is exposed, or is not exposed, to the rat.’”

So what can individuals and companies do? Pay close heed to patches and get them installed. Tools are readily available to check whether your network is using a vulnerable version of Bash, says Jeff Schilling, CSO at FireHost.

Advised Schilling: “Step one is to figure out if you have any systems that are vulnerable. If so, how many? Step two is to figure out how to put a compensating control in place to buy time to wait for a patch. Step three, patch your systems in a methodical manner to ensure your most important servers are fixed first.”

More on emerging best practices

3 steps for figuring out if your business is secure

Encryption rules ease retailers’ burden

Tracking privileged accounts can thwart hackers

Impenetrable encryption locks down Internet of Things

Rob Beck’s MS-SQL Rootkit Framework Presentation @ DefCon Skytalks 2014

SQL Gestalt: A MS-SQL Rootkit Framework will be presented by Rob “whitey” Beck (@damnit_whitey) at the DefCon Skytalks 2014 in Las Vegas, NV this year.  This talk will provide an overview of a basic framework for the creation, deployment, operation, and persistence of a MS-SQL rootkit for all versions of Microsoft SQL Server 2005 and above.

Overview

This talk illustrates the various facilities in the MS-SQL database environment for performing code execution.  Using these facilities, attendees are presented with the basis of the SQL Gestalt – A rootkit framework, utilizing various aspects of the SQL core facilities, working in conjunction to provide persistence in the database.

x

This talk benefits pen testers, forensic analysts, and database administrators by exposing methods and tactics that may not be commonly known or widely employed in traditional database compromises. Examples will be provided in a variety of languages including T-SQL, C#, C++, VBscript, and Powershell utilizing SQL facilities such as SQL Assemblies, the Extended Stored Procedure API, SQL Agent, and OLE Automation.  At the conclusion of this presentation a basic framework will be released with sample code to illustrate all of the functionality discussed in this talk.

Talk Agenda

The following topics will be discussed in the presentation:

  • Concept of the SQL Gestalt rootkit
  • Facilities for executable code in SQL
    • Overview
    • Advantages
    • Disadvantages
    • Examples
  • Module installation
    • Deployment
    • Execution considerations
  • Securing a native code execution point
  • Persistence in SQL
  • Advanced rootkit operations