Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shellshock a.k.a. Bashdoor / Bash bug

Published byNeil O’Neal’ Modified over 6 years ago

Similar presentations

Presentation on theme: "Shellshock a.k.a. Bashdoor / Bash bug"— Presentation transcript:

1 Shellshock a.k.a. Bashdoor / Bash bug
Bruce Maggs

2 Bash Shell Released June 7, 1989.
Unix shell providing built-in commands such as cd, pwd, echo, exec Platform for executing programs Can be scripted

3 Environment Variables
Environment variables can be set in the Bash shell, and are passed on to programs executed from Bash export VARNAME=“value” (use printenv to list environment variables)

4 Environment variable settings in cygwin bash shell listed using printenv

5 Stored Bash Shell Script
An executable text file that begins with #!program Tells bash to pass the rest of the file to program to be executed. Example (pass a list of commands to bash): #!/bin/bash export STR="Hello World!" echo $STR

6 Hello World! Example

7 Dynamic Web Content Generation
Web Server receives an HTTP request from a user. Server runs a program to generate a response to the request. Program output is sent to the browser.

8 Common Gateway Interface (CGI)
Oldest method of generating dynamic Web content (circa 1993, NCSA) Operator of a Web server designates a directory to hold scripts (typically PERL) that can be run on HTTP GET, PUT, or POST requests to generate output to be sent to browser.

9 CGI Input PATH_INFO environment variable holds any path that appears in the HTTP request after the script name QUERY_STRING holds key=value pairs that appear after ? (question mark) Most HTTP headers passed as environment variables In case of PUT or POST, user-submitted data provided to script via standard input

10 CGI Output Anything the script writes to standard output (e.g., HTML content) is sent to the browser.

11 Example Script (Wikipedia)
Bash script that evokes PERL to print out environment variables #!/usr/bin/perl print "Content-type: text/plain\r\n\r\n"; for my $var ( sort keys %ENV ) { printf "%s = \"%s\"\r\n", $var, $ENV{$var}; } Put in file /usr/local/apache/htdocs/cgi-bin/printenv.pl Accessed via

12 Windows Web server running cygwin
printenv.pl/foo/bar?var1=value1&var2=with%20percent%20encoding DOCUMENT_ROOT="C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs" GATEWAY_INTERFACE="CGI/1.1“ HOME="/home/SYSTEM" HTTP_ACCEPT="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"HTTP_ACCEPT_CHARSET="ISO ,utf-8;q=0.7,*;q=0.7" HTTP_ACCEPT_ENCODING="gzip, deflate" HTTP_ACCEPT_LANGUAGE="en-us,en;q=0.5" HTTP_CONNECTION="keep-alive" HTTP_HOST="example.com" HTTP_USER_AGENT="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/ Firefox/5.0" PATH="/home/SYSTEM/bin:/bin:/cygdrive/c/progra~2/php:/cygdrive/c/windows/system32:... “ PATH_INFO="/foo/bar" QUERY_STRING="var1=value1&var2=with%20percent%20encoding"

13 Shellshock Vulnerability
Disclosed September 24, Function (i.e., command script) definitions can be passed to Bash as environment variables whose values begin with () Environment variables are scanned for function definitions when a new bash shell is started, and a command is executed to install each new function. Error in environment variable parser causes “garbage” characters after function definition to be executed during installation. Vulnerability has been present since version 1.03 of Bash, which was released in September 1989.

14 Cygwin Bash Shell Shows Vulnerability
Exact syntax matters!

15 Alternatively

16 Another Alternative

17 Crux of the Problem Any environment variable value can contain a function definition with extraneous trailing characters that the Bash parser will execute before it runs a program. Environment variables can be inherited from other parties, who can thus inject code that Bash will execute.

18 Web Server Exploit Send Web Server an HTTP request for a script with an HTTP header such as HTTP_USER_AGENT set to '() { :;}; rm *.*' Before the Bash shell runs the script it will evaluate the environment variable HTTP_USER_AGENT and run the echo command

19 Purported WopBot Attack on Akamai
There have been news reports indicating that Akamai was a target of a recent ShellShock-related BotNet attack. (See information about WopBot). Akamai did observe DDOS commands being sent to a IRC-controlled botnet to attack us, although the scale of the attack was insufficient to trigger an incident or need for remediation. Akamai was not compromised, nor were its customers inconvenienced.  We receive numerous attacks on a daily basis with little or no impact to our customers or the services we offer.

Download ppt "Shellshock a.k.a. Bashdoor / Bash bug"

Similar presentations

Other Web Application Development Technologies. PHP.

Other Web Application Development Technologies. PHP.
CS 22: Enhanced Web Site Design - Week 8Slide 1 of 15 Enhanced Web Site Design Stanford University Continuing Studies CS 22 Mark Branom

CS 22: Enhanced Web Site Design - Week 8Slide 1 of 15 Enhanced Web Site Design Stanford University Continuing Studies CS 22 Mark Branom
CGI & HTML forms -05-. CGI Common Gateway Interface  A web server is only a pipe between user-agents  and content – it does not generate content.

CGI & HTML forms CGI Common Gateway Interface  A web server is only a pipe between user-agents  and content – it does not generate content.
Adding Dynamic Content to your Web Site

Adding Dynamic Content to your Web Site
Browsers and Servers CGI Processing Model ( Common Gateway Interface ) © Norman White, 2013.

Browsers and Servers CGI Processing Model ( Common Gateway Interface ) © Norman White, 2013.
Browsers and Servers CGI Processing Model ( Common Gateway Interface ) © Norman White, 2013.

Browsers and Servers CGI Processing Model ( Common Gateway Interface ) © Norman White, 2013.
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
HTML Form Processing Learning Web Design – Chapter 9, pp 143-163 Squirrel Book – Chapter 11, pp 251-266.

HTML Form Processing Learning Web Design – Chapter 9, pp Squirrel Book – Chapter 11, pp
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
Outcomes Know what are CGI Environment Variables Know how to use environment variables How to process A simple Query Form Able to use URL Encoding rules.

Outcomes Know what are CGI Environment Variables Know how to use environment variables How to process A simple Query Form Able to use URL Encoding rules.
CGI Programming: Part 1. What is CGI? CGI = Common Gateway Interface Provides a standardized way for web browsers to: –Call programs on a server. –Pass.

CGI Programming: Part 1. What is CGI? CGI = Common Gateway Interface Provides a standardized way for web browsers to: –Call programs on a server. –Pass.
1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)

1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)
8/17/2015CS346 PHP1 Module 1 Introduction to PHP.

8/17/2015CS346 PHP1 Module 1 Introduction to PHP.
1 ‘Dynamic’ Web Pages So far, we have developed ‘static’ web-pages, e.g., cv.html, repair.html and order.html. There is often a requirement to produce.

1 ‘Dynamic’ Web Pages So far, we have developed ‘static’ web-pages, e.g., cv.html, repair.html and order.html. There is often a requirement to produce.
Chapter 9 Using Perl for CGI Programming. Computation is required to support sophisticated web applications Computation can be done by the server or the.

Chapter 9 Using Perl for CGI Programming. Computation is required to support sophisticated web applications Computation can be done by the server or the.
1 Homework / Exam Exam 3 –Solutions Posted –Questions? HW8 due next class Final Exam –See posted schedule Websites on UNIX systems Course Evaluations.

1 Homework / Exam Exam 3 –Solutions Posted –Questions? HW8 due next class Final Exam –See posted schedule Websites on UNIX systems Course Evaluations.
Overview A plain HTML document is static A CGI program is executed in real-time, so that it can output dynamic information. CGI (Common Gateway Interface)

Overview A plain HTML document is static A CGI program is executed in real-time, so that it can output dynamic information. CGI (Common Gateway Interface)
CP3024 Lecture 3 Server Side Facilities. Lecture contents  Server side includes  Common gateway interface (CGI)  PHP Hypertext Preprocessor (PHP) pages.

CP3024 Lecture 3 Server Side Facilities. Lecture contents  Server side includes  Common gateway interface (CGI)  PHP Hypertext Preprocessor (PHP) pages.
Comp2513 Forms and CGI Server Applications Daniel L. Silver, Ph.D.

Comp2513 Forms and CGI Server Applications Daniel L. Silver, Ph.D.
Chapter 33 CGI Technology for Dynamic Web Documents There are two alternative forms of retrieving web documents. Instead of retrieving static HTML documents,

Chapter 33 CGI Technology for Dynamic Web Documents There are two alternative forms of retrieving web documents. Instead of retrieving static HTML documents,

Similar presentations

Ads by Google