Two and a half years after being discovered, the Shellshock vulnerability continues to be abused in attacks, and for a good reason: it is a very cheap and easy attack, IBM says.
Discovered in September 2014, Shellshock is a vulnerability found within the bourne-again shell (BASH), the default command shell in almost each and every Linux and Unix system at the time. An attacker able to abuse the security flaw could execute commands with super-user privileges remotely.
Tracked as CVE-2014-6271, the issue was found to affect a great deal of devices, including Web servers and Internet-of-Things (IoT) devices such as DVRs, printers, automotive entertainment systems, routers and even manufacturing systems. Mac OS X systems were also impacted.
With many applications relying on BASH, an attacker could exploit the vulnerability by sending a command sequence to the web server to be interpreted with the BASH. Attacks abusing the security issue were reported immediately after the vulnerability became public knowledge.
In July 2015, researchers warned that Shellshock was still being abused, and the attacks continue nearly two years later. Many vulnerable devices haven’t been patched to this day, and attackers are enticed to continue hitting those targets.
“Attackers need only a server, basic programming skills and access to malware to carry out this type of attack. The level of knowledge and effort required is quite low. Fraudsters can simply launch attacks against hundreds of different IP addresses per minute and wait to hit a vulnerable server by chance,” IBM’s Joerg Stephan explains.
To carry out a Shellshock attack, an attacker only needs to spend around $5 a month, Stephan says. For just over $30, an attacker could target around 1 million servers within a six-month period, which could translate into 100,000 victims, as roughly 10% of all servers remain unpatched, IBM says.
To set up the attack, an actor would need a webserver to host the malicious code, which can be an Apache or lighthttp server. To show just how simple it would be to come up with the necessary code, IBM’s researcher published some basic Python code that can do the trick.
A bash script would download a bot from the server, save it to a certain path, make the file executable and run it, and could also include a line to execute the bot after each reboot, for persistence. Next, an attacker would need to get the target to execute the BASH script and execute it, to exploit Shellshock.
“With some more scripting effort, you could easily execute the curl statement against a full network range, or even the whole internet, but it will take a while,” the researcher says. In the end, however, the verdict stands: setting up a server to run Shellshock attacks for months is so cheap that the vulnerability continues to be of interest.