
'Shellshock' Attacks Begin as Problem Spreads

Credit: Lightspring/Shutterstock


The "Shellshock" vulnerability disclosed yesterday (Sept. 24) in Mac OS X, Linux and other UNIX-like operating systems may already have been exploited by malware writers, even as security experts debated just how dangerous the flaw is. Australian systems administrator "Yinette" noticed early today (Sept. 25) that someone was trying to remotely install software on a Web server running the open-source Nginx software.

"Looking at string variables, it appears to be a kernel exploit with a CnC component," Yinette wrote in a posting on the GitHub code-sharing website, in which she also shared the commands sent to her server. (The kernel is the core of an OS, and "CnC" refers to a command-and-control server that sends out further instructions to remotely installed malware.)


The commands sent to Yinette's server were modified versions of a "proof of concept" script used yesterday by Robert Graham, CEO of Atlanta-based Errata Security, to test thousands of Internet-connected systems for the Shellshock vulnerability.

"Thanks Rob," the unknown malware writer snarkily wrote in the code Yinette disclosed.

How bad is Shellshock?

Shellshock is a flaw in Bash, a "shell," or command interpreter, through which text commands are given to UNIX-like systems. Bash is standard on Mac OS X and many Linux systems, but while the major Linux developers have already pushed out patches, Apple does not appear to have done so.

Graham last night postulated that the Shellshock flaw is "wormable," i.e. capable of being exploited by self-propagating malware that could travel across the Internet without human intervention.

"This thing is clearly wormable, and can easily worm past firewalls and infect lots of systems," Graham wrote on his blog. "One key question is whether Mac OS X and iPhone DHCP service [Dynamic Host Configuration Protocol, used to initiate Internet service] is vulnerable — once the worm gets behind a firewall and runs a hostile DHCP server, that would [be] "game over" for large networks." (Update: DHCP on OS X apparently is not vulnerable.)

Echoing Graham's concerns, the United States government's Department of Homeland Security issued two warnings about Shellshock. Graham and some other security experts warned that "Internet of Things" devices such as routers and Web-enabled video cameras might also be vulnerable, depending on their software setups.

However, Jen Ellis of Boston security firm Rapid7 countered that Shellshock may be more limited in its scope.

"The vulnerability looks pretty awful at first glance, but most systems with Bash installed will NOT be remotely exploitable as a result of this issue," Ellis wrote on her company's blog. "In order to exploit this flaw, an attacker would need the ability to send a malicious environment variable to a program interacting with the network and this program would have to be implemented in Bash, or spawn a sub-command using Bash."

What is undebatable is that the Shellshock flaw is widespread, and that it's probably been around for decades without anyone noticing it until recently.

How Shellshock works

Bash is the default shell on Mac OS X and many variants of Linux, including Ubuntu. (Android and iOS are also UNIX-like, but Android uses a different shell and iOS, despite Graham's worries, may not use one at all.)

The flaw, discovered recently by French software developer Stéphane Chazelas, appears to affect all current builds of Bash, which has been around since 1989. Chazelas noticed that when Bash imports a function definition handed to it in an environment variable, it also executes any commands tacked on after that definition: in effect, it lets anything run if you just "introduce" it properly.

If that makes any sense to you, then you can test to see whether your own Linux, Mac OS X or other UNIX-like system is vulnerable by typing this into a Terminal window or command-line interface:

env x='() { :;}; echo oh hi' bash -c "echo you have a problem"

If you receive this as a reply:

oh hi
you have a problem

…then you're vulnerable and need to install a patch as soon as it arrives. (A patched Bash prints only "you have a problem," usually preceded by a warning that it ignored the function definition attempt.) The Linux distributions CentOS, Debian, Red Hat and Ubuntu had already issued patches as of this morning, although at least some of the patches did not fully fix the problem.
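The two checks a defender wants from this section, as an added example that is not from the article or from any of the researchers it quotes: a non-interactive version of the test above that can be run across many hosts, and a scan of web-server access-log lines for the marker an exploit attempt has to carry in a request header. The log lines and IP addresses are constructed; the only injected text used is the article's own "echo oh hi" probe.

```shell
#!/bin/sh
# Added example, not from the article: two defender-side checks for Shellshock.
# is_bash_vulnerable runs the article's env test non-interactively so it can be
# used in a fleet audit; count_shellshock_probes scans access-log lines for the
# "() {" marker an attacker has to put in a request header (which CGI turns into
# an environment variable) to reach the flaw.

is_bash_vulnerable() {
    # A vulnerable bash, while importing x as a function, also runs the trailing
    # "echo oh hi"; a patched bash only prints the probe line plus a warning on
    # stderr (silenced here). "|| true" keeps "set -e" callers alive if bash is
    # not installed at all.
    out=$(env x='() { :;}; echo oh hi' bash -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *"oh hi"*) return 0 ;;   # vulnerable
        *)         return 1 ;;   # patched, or no bash on this host
    esac
}

# Constructed sample access-log lines (combined log format); not real traffic.
# The first and third carry the marker in the User-Agent and Referer fields.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:06:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo oh hi"
198.51.100.7 - - [25/Sep/2014:06:12:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:06:13:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; echo oh hi" "curl/7.30"'

count_shellshock_probes() {
    # Bash's importer only treats a value as a function if it starts with "() {",
    # so that literal (with optional spaces) is a reliable, low-false-positive
    # signature in any header field. Prints the number of matching lines.
    printf '%s\n' "$SAMPLE_LOG" | grep -c '() *{'
}

# When run directly, report both checks.
if is_bash_vulnerable; then echo "bash: VULNERABLE"; else echo "bash: patched or absent"; fi
echo "shellshock probes in sample log: $(count_shellshock_probes)"
```

On a real server, replace SAMPLE_LOG with the access log and alert on any non-zero count; the same grep works on the raw request headers Nginx or Apache can be configured to log.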

Just the beginning?

As he did for the Heartbleed flaw back in April, Australian computer-security expert Troy Hunt penned an instructive blog posting summing up "everything you need to know" about Shellshock.

"This is potentially the easiest website defacement vector we’ve ever seen, not to mention a very easy way of distributing malware," Hunt wrote.

"The potential [for exploitation] is enormous," he said. "'Getting shell' on a box has always been a major win for an attacker because of the control it offers them over the target environment. ... There are many, many examples of exploits out there already that could easily be fired off against a large volume of machines."

Like Graham, Hunt feared that the full extent of the Shellshock problem had not yet become apparent.

"It's very, very early days yet, only half a day since it first hit the airwaves at the time of writing," Hunt wrote. "I suspect that so far, we're only scratching the surface of what is yet to come."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.