-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Security Advisory DNS Reverse Lookup as a vector for the Bash vulnerability (CVE-2014-6271 et.al.) CVE-2014-3671 references: CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278 CVE-2014-7186 and, CVE-2014-7187 * Summary: Above CVEs detail a number of flaws in bash prior related to the parsing of environment variables (aka BashBug, Shellshock). Several networked vectors for triggering this bug have been discovered; such as through dhcp options and CGI environment variables in webservers [1]. This document is to advise you of an additional vector; through a reverse lookup in DNS; and where the results of this lookup are passed, unsanitized, to an environment variable (e.g. as part of a batch process). This vector is subtly different from a normal attack vector, as the attacker can 'sit back' and let a (legitimate) user trigger the issue; hence keeping the footprint for a IDS or WAAS to act on small. * Resolvers/systems affected: At this point of time the stock resolvers (in combination with the libc library) of OSX 10.9 (all versions) and 10.10/R2 are the only known standard installations that pass the bash exploit string back and up to getnameinfo(). That means that UNpatched systems are vulnerable through this vector PRIOR to the bash update documented in http://support.apple.com/kb/DL1769. Most other OS-es (e.g. RHEL6, Centos, FreeBSD 7 and up, seem unaffected in their stock install as libc/libresolver and DNS use different escaping mechanisms (octal v.s. decimal). We're currently following investing a number of async DNS resolvers that are commonly used in DB cache/speed optimising products and application level/embedded firewall systems. Versions affected: See above CVEs as your primary source. * Resolution and Mitigation: In addition to the mitigations listed in above CVEs - IDSes and similar systems may be configured to parse DNS traffic in order to spot the offending strings. Also note that Apple DL1769 addresses the Bash issue; NOT the vector through the resolver. * Reproducing the flaw: A simple zone file; such as: $TTL 10; $ORIGIN in-addr.arpa. @ IN SOA ns.boem.wleiden.net dirkx.webweaving.org ( 666 ; serial 360 180 3600 1800 ; very short lifespan. ) IN NS 127.0.0.1 * PTR "() { :;}; echo CVE-2014-6271, CVE-201407169, RDNS" can be used to create an environment in which to test the issue with existing code or with the following trivial example: #include #include #include #include #include #include #include #include int main(int argc, char ** argv) { struct in_addr addr; struct sockaddr_in sa; char host[1024]; assert(argc==2); assert(inet_aton(argv[1],&addr) == 1); sa.sin_family = AF_INET; sa.sin_addr = addr; assert(0==getnameinfo((struct sockaddr *)&sa, sizeof sa, host, sizeof host, NULL, 0, NI_NAMEREQD)); printf("Lookup result: %s\n\n", host); assert(setenv("REMOTE_HOST",host,1) == 0); execl("/bin/bash",NULL); } Credits and timeline The flaw was found and reported by Stephane Chazelas (see CVE-2014-6271 for details). Dirk-Willem van Gulik (dirkx(at)webweaving.org) found the DNS reverse lookup vector. 09-04-2011 first reported. 2011, 2014 issue verified on various embedded/firewall/waas systems and reported to vendors. ??-09-2014 Apple specific exploited seen. 11-10-2014 Apple confirms that with DL1769 in place that "The issue that remains, while it raises interesting questions, is not a security issue in and of itself." * Common Vulnerability Scoring (Version 2) and vector: See CVE-2014-6271. 1:https://github.com/mubix/shellshocker-pocs/blob/master/README.md) 1.10 / : 1726 $ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: This message is encrypted and/or signed with PGP (gnu-pg, gpg). Contact dirkx@webweaving.org if you cannot read it. iQCVAwUBVDujjDGmPZbsFAuBAQKGqwP+OOzdL8PDZF7Ckpk1UCxZZoWYvvGUHBqs dE8ioLaQsRDKJ+V2EbBGHmSucYLPqBVfRYaYar21KCl6DAcxzQmxhymxxpRjBPsP uauqW7dYZQASDkKG9Rn0KA4dXNo9GjrJMrTcwkfkoNb5EtVtiMDX8VXoZ4SqLJS0 v5s8ZtQiIw4= =I6vK -----END PGP SIGNATURE-----