• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Exploits   »   Bash Bug Saga Continues: Shellshock Exploit Via DHCP

Bash Bug Saga Continues: Shellshock Exploit Via DHCP

  • Posted on:October 8, 2014 at 3:08 pm
  • Posted in:Exploits, Vulnerabilities
  • Author:
    Akash Sharda (Vulnerability Researcher)
0

The Bash vulnerability known as Shellshock can be exploited via several attack surfaces including web applications, DHCP, SIP, and SMTP. With multiple proofs of concept (including Metasploit code) available in the public domain, this vulnerability is being heavily exploited.

Most discussion of Shellshock attacks have focused on attacks on web apps. There has been relatively little discussion on on other surfaces like DHCP, SMTP, and CUPS. In this post, we’ll  tackle Shellshock exploits over the DHCP protocol. These techniques could be used by an attacker to compromise more machines within the network.

Dynamic Host Configuration Protocol (DHCP) is a protocol used to dynamically distribute and assign network configuration settings, such as IP addresses.  An attacker can configure a compromised DHCP server or create a rogue DHCP server to send malicious information to the DHCP client. Either technique means that the attacker has already compromised the network using other attack vectors.

bashdhcp_fig1

Figure 1. Traffic flow depicting the malicious response to DHCP client

In addition to standard fields, the DHCP server can provide option fields (identified with a number). In this case, the malicious server sends the commands via option 114, which contains the malicious commands.

bashdhcp_fig2

Figure 2. DHCP Server using Tftpf32. An additional option URL (114) is configured to send the malicious payload.

bashdhcp_fig3

Figure 3. The malicious payload in the URL field

The malicious string when received by the DHCP client running on vulnerable BASH results in arbitrary code execution as shown below. As such this could result in compromising other systems in the network.

bashdhcp_fig4

Figure 4.  Code execution on the DHCP client due to the malicious response

This attack vector against DHCP client running on vulnerable bash is very much discussed in the public domain. However, DCHP also has other fields which are always present in each DHCP OFFER and ACK response. The DHCP server may optionally send its name in the Server Host Name field in the DHCP response. This field can also be used to run malicious code, as seen below.

bashdhcp_fig5

Figure 5.  Malicious payload in the server hostname field

bashdhcp_fig6

Figure 6. Code execution on the DHCP client due to the malicious response

Boot filename is another field present in the DHCP OFFER and ACK responses. Clients may optionally request a boot file and the server specifies the boot file directory path and file name in its response.  When an attacker configures malicious string here, it can result in code execution as seen below.

bashdhcp_fig7

Figure 7.  Malicious payload in the Boot file name field

bashdhcp_fig8

Figure 8. Code execution on the DHCP client due to the malicious response

Various techniques can be used to to exploit Shellshock over DHCP, as we showed here. For exploitation using this attack vector, however, the attacker should already have a foothold in the network using other exploitation techniques.

Since the emergence of Shellshock vulnerability, Trend Micro Deep Security has been swift in protecting users from attacks that may arise of the said vulnerability. Trend Micro Deep Security has protected customers from Shellshock vulnerability over DHCP protocol as early as during its initial discovery via the following rule:

  • 1006258 – GNU Bash Remote Code Execution Vulnerability Over DHCP

For more information on Bash bug vulnerability or Shellshock exploit, you can read all previous entries here:

  • Summary of Shellshock-Related Stories and Materials
Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: Bash vulnerabilityDHCPLinuxshellshockvulnerability

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.