Monday, 14 November 2016

Shellshock Attack using Metasploit

In this project we propose to expose the vulnerabilities of the Bash shell in Linux-based operating systems (in our case Ubuntu) by using the Shellshock attack. This attack is mainly possible because web servers such as Apache pass request data to scripts through environment variables. Thus, if the attacker gets a script to run with one of these environment variables under their control, it is possible for the attacker to gain control over the victim's entire system and perform manipulation as well as fabrication attacks on the victim's personal computer. Shellshock is therefore a dangerous attack which can be implemented easily, and there is a need to protect systems from such attacks.
BACKGROUND ART OF THE WORK / PRIOR HISTORY:
Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
The Shellshock vulnerabilities affect Bash, a program that various Unix-based systems use to execute command lines and command scripts. It is often installed as the system's default command-line interface. Bash is free software, developed collaboratively and overseen since 1992 on a volunteer basis by Chet Ramey, a professional software architect. Analysis of the source code history of Bash shows the vulnerabilities had existed since version 1.03 of Bash released in September 1989, introduced by Bash's original author Brian Fox.
Within an hour of the announcement of the Bash vulnerability, there were reports of machines being compromised by the bug. By 25 September 2014, botnets based on computers compromised with exploits based on the bug were being used by attackers for distributed denial-of-service (DDoS) attacks and vulnerability scanning. On 6 October, it was widely reported that Yahoo! servers had been compromised in an attack related to the Shellshock issue.
DESCRIPTION OF THE PROJECT WORK:
  1. Introduction
Every so often, a major vulnerability appears that makes millions of systems vulnerable to attack. The most recent, named Shellshock, basically leaves every Mac OS X, Linux, and UNIX system on the planet vulnerable. As nearly two-thirds of all web servers on planet Earth run one of these operating systems (primarily Linux), Shellshock is turning out to be a serious threat for users.
Shellshock leaves nearly every form of Linux, Unix, and Mac OS X vulnerable to "remote code execution." This means that the hacker can run their own code remotely and do whatever they want on the system, basically owning it.
Many methods have been tried for preventing Shellshock, but apart from applying the patch there seems to be no other solution to this problem at present. Every time a new patch is released, it almost immediately becomes obsolete as new vulnerabilities are being discovered daily. The first proof of concept involved running a CGI script on the vulnerable system, but that is only scratching the surface of what can be done with this vulnerability.
Many network and security admins believe they are safe after patching up the system. That is far from the truth! This vulnerability is linked to the BASH shell and any system calls it makes. Probably thousands of utilities and applications use BASH for system calls. Furthermore, nearly all the embedded systems, from security systems to automobiles to automated lighting systems use some form of Linux with a BASH shell. All are vulnerable to this attack making Shellshock one of the most dangerous attacks in the history of networking.

  2. Aim & Objective
  • To expose the vulnerabilities of Bash and cgi-bin in Apache Servers using Shellshock Attack.
  • To demonstrate different techniques and tools to test and protect your operating systems from Bash attacks such as ShellShock.
  3. Platform Used:
  • Operating System: Kali Linux, Ubuntu
  • Tools used: Lynis (for vulnerability detection), Metasploit
  4. Working/Techniques in Brief
https://blog.cloudflare.com/content/images/2014/09/illustration-bash-blog.png
The working technique for our project is as follows:
  1. Set up the attacker (Kali Linux) and victim (Ubuntu) systems for performing the attack.
  2. In order to perform the attack, the Ubuntu system must be vulnerable. To check for vulnerability we run the following command in a terminal:
env X='() { (a)=>\' bash -c "echo echo testing" 2>/dev/null; [[ "$(cat echo 2> /dev/null)" == "testing" ]] && echo "vulnerable" 2> /dev/null
If the result is “vulnerable” then the system is indeed vulnerable to shellshock attack.
A security issue affects these releases of Ubuntu and its derivatives:
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS
  3. Next we set up an Apache server on the Ubuntu system to exploit vulnerabilities in the CGI scripts of the Apache server.
  4. Once the Apache server is ready and running, we download and execute the tool Metasploit to help us exploit the victim system.
  5. After successfully running the tool, we are able to hack into the victim’s system without even being detected by the victim.
After this, we describe techniques to prevent the attack, such as applying the patch or using auditing tools.
  5. Screenshots
Checking for Vulnerability:


Web server hosted on Ubuntu

Scanning the victim PC from the Kali Linux based attacker

Scanning for vulnerable files

Loading Metasploit

Loading exploits

Using the exploit and viewing options

Setting options and loading payload

Additional payload options

Setting the lhost to the attacker PC's IP

Opening a reverse shell session. Now we have control of the Bash shell

Viewing system info of the victim

Viewing all processes on the system

Detection using Lynis tool:
Lynis is an open source security auditing tool, used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux and UNIX-based systems.
Installing and running Lynis tool

Lynis tool performing checks:




Various attacks performed on the victim’s system
  1. Killing a process

  2. Various attacks that can be performed using Metasploit

  3. Getting the PID of the current process

  4. Showing that we are connected to and using the victim’s system


Prevention:
To prevent the Shellshock attack we need to upgrade the operating system's Bash package by executing the following command:

sudo apt-get update && sudo apt-get install --only-upgrade bash
Then to recheck the system we again check for vulnerability:

env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
The output is as follows:

Bash Test
which shows that the bash is updated and no shellshock attack can be carried out.
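
The two checks used on this page can be wrapped into one repeatable audit. This is an added example, not part of the original project; the function names and the `BASH_BIN` variable are hypothetical, and it assumes the Bash to be audited is on the PATH.

```shell
#!/bin/sh
# Added example (function names are hypothetical): the page's two Bash checks,
# run against one Bash binary and reported per check.
BASH_BIN="${BASH_BIN:-bash}"   # assumption: the Bash being audited is on PATH

# Recheck from the Prevention section: a patched Bash prints only "Bash Test".
check_function_import() {
    out=$(env 'VAR=() { :;}; echo Bash is vulnerable!' \
              'FUNCTION()=() { :;}; echo Bash is vulnerable!' \
              "$BASH_BIN" -c 'echo Bash Test' 2>/dev/null) || out=""
    case "$out" in
        *"Bash is vulnerable!"*) echo vulnerable ;;
        "Bash Test")             echo patched ;;
        *)                       echo unknown ;;   # Bash missing or unexpected output
    esac
}

# Check from step 2: a vulnerable Bash writes "testing" to a file named "echo".
# Run it in a scratch directory so that file never lands in the working directory.
check_parser_redirect() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo unknown; return 0; }
    tmp=$(mktemp -d) || { echo unknown; return 0; }
    rc=0
    (
        cd "$tmp" || exit 2
        env X='() { (a)=>\' "$BASH_BIN" -c 'echo echo testing' >/dev/null 2>&1
        [ "$(cat echo 2>/dev/null)" = "testing" ]
    ) || rc=$?
    rm -rf "$tmp"
    case "$rc" in
        0) echo vulnerable ;;
        1) echo patched ;;
        *) echo unknown ;;
    esac
}

# Print one line per check; succeed only if both report "patched".
audit_bash() {
    a=$(check_function_import)
    b=$(check_parser_redirect)
    echo "function-import check: $a"
    echo "parser-redirect check: $b"
    [ "$a" = patched ] && [ "$b" = patched ]
}

audit_bash || echo "Upgrade bash, then run the audit again."
```

Running both checks matters because the first fix for the function-import bug did not close the parser issue that the step 2 command tests for, so a system can pass one check and fail the other.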

  6. Results
Using Kali Linux as the attacker, we were successful in hacking into the Ubuntu (victim) system using the Shellshock attack. By using the Metasploit and Meterpreter tools, we could access, modify as well as delete files residing on the Ubuntu system. Besides that, important data as well as user passwords could be easily found, since the attacker can navigate through various files and directories remotely. In the end we demonstrated techniques to prevent and protect the system, the most important of which is updating the Linux system to apply the latest patches. By doing so we would like to make more people aware of the dangers and perils of having an outdated system, and would encourage everyone, especially those whose systems hold crucial data, to update their systems and thus prevent Bash attacks such as Shellshock from occurring on their machines.

  7. Conclusion
Shellshock exploits a vulnerability which affects any computer running Bash. For a successful attack to occur, an attacker needs to force an application to send a malicious environment variable to Bash.
The most likely route of attack is through Web servers utilizing CGI (Common Gateway Interface), the widely-used system for generating dynamic Web content. An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server. Because the server uses Bash to interpret the variable, it will also run any malicious command tacked-on to it.
The consequences of an attacker successfully exploiting this vulnerability on a Web server are serious in nature. For example, attackers may have the ability to dump password files or download malware onto infected computers. Once inside the victim’s firewall, the attackers could then compromise and infect other computers on the network.
We have carried out this Shellshock attack using Metasploit and Meterpreter successfully and have also provided solutions to prevent the attack.
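
Because the CGI route described above carries the malformed variable in request headers, the attempt is usually visible in the web server's access log. The following is an added example, not part of the original project: it flags Apache combined-format log lines that contain a Bash function-definition prefix. The function names are hypothetical and every log line is constructed, with addresses taken from documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original post): flag requests in Apache
# combined-format logs whose logged headers carry the "() {" prefix.
# All log lines below are constructed sample data.

sample_log() {
cat <<'EOF'
192.0.2.10 - - [14/Nov/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Nov/2016:10:01:05 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 87 "-" "() { :;}; echo constructed-probe"
198.51.100.7 - - [14/Nov/2016:10:01:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() {  :; }; echo constructed-probe" "curl/7.35.0"
203.0.113.4 - - [14/Nov/2016:10:02:00 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 87 "-" "Mozilla/5.0 (X11; Linux)"
EOF
}

# Emit "source-ip request-path status" for every line containing "()" followed
# by "{" (with any whitespace between them) anywhere in the line.
# An ordinary User-Agent such as "Mozilla/5.0 (X11; Linux)" does not match.
find_function_prefix() {
    grep -E '\(\)[[:space:]]*\{' | awk '{ print $1, $7, $9 }'
}

# Count flagged requests per source address, busiest first.
count_by_source() {
    find_function_prefix |
        awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

sample_log | find_function_prefix
sample_log | count_by_source
```

The combined log format records only the Referer and User-Agent headers, so a request that carries the prefix in any other header will not appear here. A logged status of 200 shows only that the CGI script answered, not that Bash executed anything.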
