Offensive Security

Security Intelligence
Security Research
Offensive Security
Security Reports

Summary

Errata Security is a team of dedicated security researchers that practice offensive security. The insight gained from research is delivered to clients through Hacker Eye View reports that cover a variety of topics and real world scenarios.

Product description

Know...For Sure

Errata Security is a team of dedicated security researchers that practice offensive security. The insight gained from research is delivered to clients through Hacker Eye View reports that cover a variety of topics and real world scenarios.

Wednesday, September 24, 2014

Bash 'shellshock' bug is wormable

By Robert Graham

Early results from my scan: there's about 3000 systems vulnerable just on port 80, just on the root "/" URL, without Host field. That doesn't sound like a lot, but that's not where the bug lives. Update: oops, my scan broke early in the process and stopped capturing the responses -- it's probably a lot more responses that than. Firstly, only about 1 in 50 webservers respond correctly without the proper Host field. Scanning with the correct domain names would lead to a lot more results -- about 50 times more. Secondly, it's things like CGI scripts that are vulnerable, deep within a website (like CPanel's /cgi-sys/defaultwebpage.cgi). Getting just the root page is the thing least likely to be vulnerable. Spidering the site, and testing well-known CGI scripts (like the CPanel one) would give a lot more results, at least 10x. Thirdly, it's embedded webserves on odd ports that are the real danger. Scanning for more ports would give a couple times more results. Fourthly, it's not just web, but other services that are vulnerable, such as the DHCP service reported in the initial advisory. Consequently, even though my light scan found only 3000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable -- once the worm gets behind a firewall and runs a hostile DHCP server, that would "game over" for large networks.


Update: As many people point out, the path variable isn't set, so I need '/usr/ping' instead to get even more results. Update: Someone is using masscan to deliver malware. They'll likely have compromised most of the system I've found by tomorrow morning. If they using different URLs and fix the Host field, they'll get tons more.

Product links

Help the seller understand how this product meets your needs
Contact name
Support
E-mail
support@erratasec.com
Phone
1 (404)-475-5597
Location
Atlanta, GA, USA
Company
Errata Security
Published