Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Tale of Two Bugs. This Fall has been bad Let’s look at two CVE-2014-6271 AKA “Shellshock” CVE-2014-3704 AKA “Drupalgeddon”

Published byGabriella Taylor Modified over 8 years ago

Similar presentations

Presentation on theme: "A Tale of Two Bugs. This Fall has been bad Let’s look at two CVE-2014-6271 AKA “Shellshock” CVE-2014-3704 AKA “Drupalgeddon”"— Presentation transcript:

1 A Tale of Two Bugs

2 This Fall has been bad Let’s look at two CVE-2014-6271 AKA “Shellshock” CVE-2014-3704 AKA “Drupalgeddon”

3 shellshock “Remotely exploitable bug in bash” Run away, everything I knew is wrong Just saying this blew peoples minds

4 What is bash? A shell? A language? A command interpreter? When bash is operating as a command interpreter, what does it do? What could a vulnerability be?

5 bash invocation bash will scan the environment If it finds functions in the environment variables, it will try and parse the function What if there is trailing code after the function definition? env x=‘() { :;}; echo vuln’

6 Impact Attackers can run arbitrary bash programs These programs run with permissions of the invoker This is a big problem Site defacement Download and exec privilege escalation Start a shell

7 Mass scans Rob Graham ran mass scans on the Internet Commanded remote systems to ping him Was this ethical? Legal? Discovered “thousands” of vulnerable systems Declared probability for worm “high”

8 Web servers If a web server uses CGI, and the request handler is a bash script OR a CGI script that invokes bash / a shell using system The attacker can set an environment variable HTTP_USER_AGENT Then bash will execute code found in that environment variable

9 SSH server User has a “restricted shell” Command to be executed by an ssh command invocation stored in an environment variable SSH_ORIGINAL_COMMAND If this environment variable is attacker controlled (it is, post-auth) then bash will scan it for functions and execute commands

10 DHCP server DHCP options from clients get stored in environment variables bash is invoked by the DHCP server during registration Join a network with DHCP, set the right options in your DHCP client config, get a shell on the DHCP server

11 drupalgeddon “SQL injection in a CMS” oh we’ve heard this before

12 What is SQL injection? At the heart, program injection Concatenate a program (SQL query) with data If the concatenation creates a different program, there is a problem

13 What can you do with SQL injection? Depends on the application but usually everything Totally compromise an application Inject new content into web pages Add users / roles / etc

14 What is Drupal? A content management system (CMS) used on a large amount of the Internet Blogs, knowledge management systems, everything

15 What does the exploit look like? POST /?q=node&destination=node HTTP/1.1" 403 4123 "sucuri.net" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;.NET CLR 1.1.4322)" Payload: name [0%20and%20extractvalue(1, concat(0x5c, (select md5(1122) from information_schema.tables limit 1)));%23%20%20]=removed&name[0]=removed&pass=removed& removed=removed&form_build_id=&form_id=user_login_block&op=Log+in

16 What were the outcomes? Shellshock will probably keep pentesters employed for years The Drupal vulnerability compromised 12 million websites We heard about one a lot more than the other

17 What can we learn? Don’t listen to hype Consider data Data about attack surface Data about installation base What is the exposure? What is the risk?

Download ppt "A Tale of Two Bugs. This Fall has been bad Let’s look at two CVE-2014-6271 AKA “Shellshock” CVE-2014-3704 AKA “Drupalgeddon”"

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Part 2 Penetration Testing. Review 2-minute exercise: RECON ONLY Find 3x IP addresses at the U.S. Merchant Marine Academy Google: “U.S. Merchant Marine.

Part 2 Penetration Testing. Review 2-minute exercise: RECON ONLY Find 3x IP addresses at the U.S. Merchant Marine Academy Google: “U.S. Merchant Marine.
Company LOGO WEB SYSTEM. Components of a Generic Web Application System.

Company LOGO WEB SYSTEM. Components of a Generic Web Application System.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.

ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.
CGIWrap CGIWrap is a gateway program that allows general users to use CGI scripts and HTML forms without compromising the security of the http server.

CGIWrap CGIWrap is a gateway program that allows general users to use CGI scripts and HTML forms without compromising the security of the http server.
Creating WordPress Websites. Creating a site on your computer Local server Local WordPress installation Setting Up Dreamweaver.

Creating WordPress Websites. Creating a site on your computer Local server Local WordPress installation Setting Up Dreamweaver.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.

1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.
Browser Exploitation Framework (BeEF) Lab

Browser Exploitation Framework (BeEF) Lab
Hacking Web Server Defiana Arnaldy, M.Si 0818 0296 4763.

Hacking Web Server Defiana Arnaldy, M.Si
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Chapter 6: Hostile Code Guide to Computer Network Security.

Chapter 6: Hostile Code Guide to Computer Network Security.
Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.

Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.
INFM 603: Information Technology and Organizational Context Jimmy Lin The iSchool University of Maryland Thursday, October 18, 2012 Session 7: PHP.

INFM 603: Information Technology and Organizational Context Jimmy Lin The iSchool University of Maryland Thursday, October 18, 2012 Session 7: PHP.
Drupal Security Securing your Configuration Justin C. Klein Keane University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Drupal Security Securing your Configuration Justin C. Klein Keane University of Pennsylvania School of Arts and Sciences Information Security and Unix.
Demystifying Backdoor Shells and IRC Bots: The Risk … By : Jonathan.

Demystifying Backdoor Shells and IRC Bots: The Risk … By : Jonathan.

Similar presentations

Ads by Google