Test your website for BashSmash (CVE-2014-6271) online

A critical, remotely exploitable vulnerability has been discovered in the widely used Linux and Unix command-line shell Bash (the GNU Bourne Again Shell), leaving countless websites, servers, PCs, OS X Macs, home routers and many other devices open to cyber criminals.

Earlier today (September 24th 2014), Stephane Chazelas publicly disclosed the technical details of a remote code execution vulnerability in Bash which affects most Linux distributions and servers worldwide.

REMOTELY EXPLOITABLE SHELLSHOCK
The vulnerability (CVE-2014-6271) affects versions 1.14 through 4.3 of GNU Bash and has been named "Bash Bug" and "Shellshock" by security researchers in Internet discussions.

According to the technical details, an attacker could exploit this Bash bug to execute shell commands remotely on a target machine using specially crafted environment variables. “In many common configurations, this vulnerability is exploitable over the network,” Stephane said.

Via thehackersnews.com.

How to test your website for BashSmash (CVE-2014-6271)

CCSIR developed an online application where you can test a website to see if it’s vulnerable to BashSmash. Check your website here.
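As an added example (not the checker behind the link above, nor any code from CCSIR), here is a local, defender-side check in Python: it starts bash with the well-known harmless CVE-2014-6271 probe in an environment variable and classifies the output, and it scans constructed access-log lines for the "() {" function-definition prefix that marks a probe attempt against a CGI script. The variable name CCSIR_PROBE and the sample log lines are constructed for the example.

```python
import os
import re
import subprocess

# Canonical CVE-2014-6271 probe value. A vulnerable bash parses any imported
# environment variable whose value starts with "() {" as a function definition
# and, because of the bug, also executes whatever follows the closing brace.
# The trailing command here is deliberately harmless: it prints a marker word.
PROBE_VALUE = "() { :;}; echo vulnerable"
CONTROL_OUTPUT = "this is a test"


def classify_probe_output(stdout: str) -> str:
    """Map the probe's stdout to a verdict; a patched bash prints only the control line."""
    lines = stdout.splitlines()
    if "vulnerable" in lines:
        return "vulnerable"
    if CONTROL_OUTPUT in lines:
        return "patched"
    return "unknown"


def check_local_bash(bash_path: str = "bash") -> str:
    """Start bash with the crafted variable in its environment and run a control command."""
    env = dict(os.environ)
    env["CCSIR_PROBE"] = PROBE_VALUE  # name is arbitrary (constructed); only the value matters
    try:
        proc = subprocess.run([bash_path, "-c", f"echo {CONTROL_OUTPUT}"], env=env,
                              capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return "bash not found"
    return classify_probe_output(proc.stdout)


# Web servers hand request headers to CGI scripts as environment variables, so a
# Shellshock attempt shows up in the access log as a header value starting "() {".
FUNC_DEF_PREFIX = re.compile(r"\(\)\s*\{")

# Constructed sample access-log lines (combined format); only the second carries a probe.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:09:12:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
]


def find_shellshock_attempts(log_lines):
    """Return (line_number, line) for every log line carrying the function-definition prefix."""
    return [(n, line) for n, line in enumerate(log_lines, 1) if FUNC_DEF_PREFIX.search(line)]


if __name__ == "__main__":
    print("local bash:", check_local_bash(), "| probes in log:", find_shellshock_attempts(SAMPLE_LOG))
```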

How to DDoS through Facebook Datacenter with almost 1Gbps. They’ve started to care!

The vulnerability, found on June 12 by Teofil Cojocariu, Security Researcher at CCSIR.org, has a simple concept but can have a big impact on the websites of small companies or individuals. He open-sourced the script that exploits this vulnerability, producing a Distributed Denial of Service (DDoS) of ~1 Gbps using Facebook's datacenter.

Update: Facebook now expires the unique identifier after a few refreshes.

Facebook encountered a similar situation earlier this year, an issue reported by Security Researcher Chaman Thapa (nickname chr13). Unfortunately, at that time Facebook replied with an unexpected answer:

“In the end, the conclusion is that there’s no real way to us fix this that would stop “attacks” against small consumer grade sites without also significantly degrading the overall functionality.”

At the beginning of June 2014, Facebook introduced a new feature to refresh attachments. Teofil Cojocariu, Security Researcher at the Cyber Security Research Center from Romania (CCSIR), discovered the issue and reported it to Facebook on June 13th. At the end of July Facebook replied and put some limitations in place, although small companies can still be affected by the vulnerability.

Teofil was really excited because it seems that Facebook has finally changed its attitude regarding the damage that could be done by using its datacenter to DDoS victims.

“I’m happy to see that now Facebook tried to make some limitations. A step forward for protecting the internet ecosystem,” explained Teofil for CCSIR.org.

Steps to reproduce

1. Find the biggest image on a site/server with Google.
2. Publish that link on Facebook with the “Only Me” privacy option.
3. Refresh the attachment from the right corner of that post while sniffing the requests, or simply view them in the browser.
4. Put the needed data from the request into the POC script.
5. You are now able to DDoS from the Facebook datacenter (multiple IPs are involved).

“I have tried this script a few times and the maximum bandwidth was 934.06 Mbps, but we should take into consideration that I sent the traffic to one of my servers that has a 1 Gbps port, so I think there is no limitation on output,” Teofil added.

Simple POC Script

1. http://ccsir.org/files/poc_ddos_fb_june14.py
2. https://github.com/teofilcojocariu/POC_fb/blob/master/poc.py

Although this situation is solved, please keep in mind that there are many cloud services out there, free or with small fees, that could be used to deny service to critical infrastructure with minimal effort.
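The pattern described above, a fetcher pulling one large image over and over from multiple Facebook IPs, is something a site owner can spot in their own access log. As an added example (not CCSIR's PoC and not Facebook's code), the Python below groups crawler fetches per path and flags a resource pulled many times within a short window. It assumes combined log format and that the fetcher identifies itself with a user-agent containing `facebookexternalhit`; the thresholds (20 hits and 50 MiB within 60 seconds) and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: we only need client IP, timestamp, path, response size and user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
CRAWLER_UA = "facebookexternalhit"  # assumption: the Facebook fetcher carries this token


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = 0 if m["bytes"] == "-" else int(m["bytes"])
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "bytes": size, "ua": m["ua"]}


def find_amplification(log_lines, window=timedelta(seconds=60), min_hits=20, min_bytes=50 * 2**20):
    """Group crawler fetches per path; flag the first sliding window in which the same
    resource was pulled at least min_hits times and min_bytes in total."""
    by_path = defaultdict(list)
    for line in log_lines:
        rec = parse_line(line)
        if rec and CRAWLER_UA in rec["ua"]:
            by_path[rec["path"]].append(rec)
    flagged = {}
    for path, recs in by_path.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            total = sum(r["bytes"] for r in win)
            if len(win) >= min_hits and total >= min_bytes:
                flagged[path] = {"hits": len(win), "bytes": total, "ips": len({r["ip"] for r in win})}
                break
    return flagged


def make_sample(n=25, size=4 * 2**20):
    """Constructed log: one browser hit, then n crawler fetches of a 4 MiB image, one per
    second, rotating through five source addresses (the multi-IP behaviour described above)."""
    base = datetime(2014, 6, 12, 12, 0, 0, tzinfo=timezone.utc)
    lines = ['198.51.100.7 - - [12/Jun/2014:11:59:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"']
    for i in range(n):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'203.0.113.{i % 5 + 1} - - [{ts}] "GET /img/big.jpg HTTP/1.1" 200 {size} "-" "facebookexternalhit/1.1"')
    return lines
```

A flagged path is a candidate for rate-limiting the crawler or serving it a smaller preview image; the normal browser hit in the sample is ignored because only the crawler's user-agent is counted.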

Timeline

Jun 2014 – Facebook adds a new feature to refresh attachments.
Teofil – Jun 8-12, 2014 6:19pm – Discovered on one of these days.
Teofil – Jun 13, 2014 6:19pm – Reported to Facebook.
Facebook – Jun 13, 2014 6:22pm – Automatic reply from Facebook.
Facebook – Jun 14, 2014 1:00am – A Security Engineer from Facebook said that this is interesting and forwarded the problem to the responsible team.
Facebook – Jul 28, 2014 8:13pm – Facebook replied telling him to test it again because there was a fix on the server.
Teofil – Jul 31, 2014 10:59pm – Message that the problem seems to be fixed, but the limits are quite high, so small companies can still have problems.
Facebook – Aug 1, 2014 1:17am – $500 bounty 🙂

Related articles

http://chr13.com/2014/04/20/using-facebook-notes-to-ddos-any-website/
http://thehackernews.com/2014/04/vulnerability-allows-anyone-to-ddos.html

Pentesting 101 – what should you know?

The vast majority of attacks on Internet-facing systems target the application layer, because such attacks are easy to launch and applications are often poorly protected. Security audits are carried out to verify the security of IT infrastructures, but in many situations an audit is insufficient for determining the ways an attacker can abuse and corrupt services or applications. Penetration testing is the most effective way of verifying that security measures actually work, because it exercises the defences the way a real attack would.

Pentests should be performed, as far as possible, before the application is launched in a production environment and after its functionality and performance have been tested, in order to identify early the vulnerabilities that could lead to an information leak, blocked access to the application or total compromise of the systems.

For a pentest to be successful, the following steps should be followed:

  • Planning and preparing
  • Collecting and analysing information
  • Detecting vulnerabilities
  • The actual attack against systems
  • Reporting and analysing vulnerabilities that were found
  • Cleaning applications and systems

The tested infrastructure can be approached in several ways according to the client's objective; the only difference between them is the amount of information received from the client. On this basis we distinguish three kinds of tests:

  • Black box: simulates a real attack from outside, based only on public information, with low aggressiveness, in order to gauge how sensitive the implemented security systems are and how readily they detect the attack
  • Grey box: the pentester has limited information from the client and obtains the rest from public sources
  • White box: the client provides inside information on the targeted systems and applications, or a copy of them in a controlled environment, so the tests can be more aggressive and every component can be reviewed whether it is publicly accessible or not

A penetration test cannot give you a complete overview of system or network security; this is the main reason tests are performed within a predefined period of time. Vulnerabilities not discovered during the pentest, or those that appear after updates, the installation of new software or reconfiguration of the system, can lead to new security holes. This is why periodic pentests and security audits, together with constant monitoring, are the most efficient ways to prevent security issues.

The efficiency of signature detection

It has been more than 20 years since the discovery of the first efficient method for detecting and eliminating the common threats and infections faced by regular computer users. This method is signature detection, used both in antivirus software and in IPS systems (two similar solutions used in different environments).

Old-fashioned signature protection

The biggest problem of antivirus software companies is convenience. Since the early 2000s a disturbing trend has been noticeable: all the companies measured the quality and efficiency of their virus detection by the number of signatures they owned, and apparently this is still the case, although such software rather offers a false sense of protection, because you cannot protect a system from a new threat that does not exist in the signature database.
Unfortunately, the number of signatures grows day by day, increasing the resource usage (CPU, RAM, etc.) of the software even as vendors try to implement cloud solutions.

It is interesting how, in an era dominated by advanced technology, “the bad guys” have a big advantage over the security companies, using well-known methods (see polymorphism) to bypass this old and outdated detection system. The time of those who created malware for fame and respect in the underground world has passed; malware has now become one of the most important ways of obtaining private information, through which attackers can gain substantial financial benefits. Some build careers on malware development, and moreover the majority of attacks are not carried out by one individual but by organized groups and sometimes by well-resourced institutions.

How IPS solutions protect your infrastructure, in numbers

Yet I have bigger reservations about IPS solution manufacturers. Take, for example, an IPS that ships 4500 signatures for protecting your network; of all these signatures probably only about 20% are useful, because it is unlikely that you have such a large number of products from companies like IBM, Sophos, Cisco, HP, Dell, Oracle, Symantec, AOL, etc. in one place (I read some names from the signature list). Theoretically they cover most of the known problems, and this is why they give us this diversity. Now, of the ~1000 useful signatures, if you have a company with more than 3000 employees and high Internet traffic, chances are that only ~35% of that amount are actually usable. Many of these signatures (60%) are marked as “critical”, having a “high performance impact” on the network, which is why they cannot even be placed in “logging mode” because they would stall the system. The remaining 40% are marked as “low-medium performance impact”; they should first go into “logging mode” (because the information from the vendor is not always 100% accurate) to see exactly what impact they have on the network, and only after that can you put them in “blocking mode”. So, effectively, how many of the 4500 signatures are really useful? Few enough to provide little real protection, considering an investment of this type.

Case study

The future of online security lies in systems based on behavioural analysis of files, executed and observed in a controlled environment. I can give you an example from my own research: of a few thousand (~8000) detections (only .exe files) over a period of 9 months by a firewall performing behavioural analysis, only ~17.5% were detected by antivirus software! And speaking of statistics, did you know that 80% of Carberp-infected computers ran daily-updated antivirus software?

Conclusion

Of course this is a topic of greater complexity; we could say much more about it and go deep into the branches of this field, but I only wanted to draw your attention to what is, in my opinion, one of the biggest global issues right now.