
Friday, September 26, 2014

Shellshock and Cygwin

Cygwin is a *nix-like command-line interface (CLI) for Windows operating systems.

At the time of my testing, Cygwin ships by default with bash 4.1.x, which has the Shellshock (CVE-2014-6271) vulnerability. Use "bash --version" to check the current version of the bash shell.



To check for the vulnerability, execute the PoC below:
$ env x='() { :;}; echo vulnerable' bash -c 'echo Exploited!!'


Dissecting the PoC
env          command used to print environment variables or to modify the environment in which a program executes
x            environment variable / function name
() { :;};    function definition
echo vulnerable' bash -c 'echo Exploited!!' is the malicious data after the function definition.

Issue
Due to the vulnerability, the shell interprets the arbitrary commands that follow the end of the function definition and executes the entire text of the environment variable's value.

The same PoC command can be used on different Linux distributions to test for the presence of the Shellshock vulnerability.

Many Linux distributions have already released a patch for CVE-2014-6271; that patch has led to a new vulnerability, CVE-2014-7169, which is less severe than Shellshock.

Thursday, December 12, 2013

Most Helpful and Frequently used Linux Commands


getconf LONG_BIT

ctags

CPU information and Memory Information
cat /proc/cpuinfo
cat /proc/meminfo

Open ports and associated processes/services
netstat -anp (on Windows netstat -anb)
The lsof command can also be used to do the same work

Search recursively from the root directory for files only whose names contain the string log
find / -type f -name '*log*'
Search recursively from the current directory for directories only whose names contain the string log, and move each directory found to the /tmp directory
find . -type d -name '*log*' -prune -exec mv {} /tmp/ \;

perl command to generate buffer

Name of the Operating System
lsb_release -a

Checking whether the Operating System is 32-bit or 64-bit
getconf LONG_BIT

Linux Kernel details
uname -a



ps -aef
ngrep
lsof

Thursday, August 9, 2012

Testing Maximum UDP Sessions Limit using netcat

Because the User Datagram Protocol (UDP) is connectionless, testing a UDP session limit is slightly challenging. In this blog post we are going to see how to test UDP sessions using the netcat (nc) tool.

Assume we have configured our Firewall (FW) or Intrusion Prevention System (IPS) with a maximum of 4 UDP sessions. If we try to establish a new connection beyond those 4, it should not be allowed. As UDP has no connection establishment phase (3-way handshake), the connection is identified at the time of data transfer and dropped.

Running nc command to listen on UDP ports in the background.



Once the UDP server is up and running, we connect to different ports on the server from the client machine.



Snapshot showing active sessions (ESTABLISHED state) on server.




 Snapshot showing sessions on Client side.



If we go for a 5th connection, it will successfully establish a session, but if we try to transfer data, the UDP Sessions Limit rule kicks in and the connection will be blocked.


If we successfully transfer data on the 5th session, it means “UDP Maximum Connections” set on the FW/IPS is not working properly.

Connection blocking is reported back to the client using an ICMP UDP Port Unreachable error message. In the case of TCP, the client gets a packet from the server with the RESET flag set.
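The client-side check described above can be scripted. The following Python code is an added example, not part of the original post: it opens one UDP session per port, sends data on each, and reports which sessions carried data and which came back with ICMP Port Unreachable. The function names (run_sessions, limit_enforced, demo) are assumptions, and the loopback listeners plus one closed port in demo() are a constructed stand-in for the nc server and the FW/IPS block; a Linux client is assumed.

```python
import socket
import threading

def _echo(sock):
    while True:  # echo every datagram so the client knows data got through
        data, peer = sock.recvfrom(2048)
        sock.sendto(data, peer)

def start_echo_listeners(count, host="127.0.0.1"):  # stand-in for the nc UDP server
    listeners = [socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(count)]
    for s in listeners:
        s.bind((host, 0))  # port 0: the OS picks a free port
        threading.Thread(target=_echo, args=(s,), daemon=True).start()
    return listeners

def _exchange(client):
    try:
        client.send(b"session-test")
        client.recv(2048)
        return "passed"
    except ConnectionRefusedError:
        return "icmp-unreachable"  # Linux surfaced an ICMP Port Unreachable
    except socket.timeout:
        return "no-reply"          # dropped silently, no ICMP seen

def run_sessions(host, ports, timeout=1.0):
    """Open one UDP socket per port, then send data on each in order and classify it."""
    clients = []
    for port in ports:
        c = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        c.settimeout(timeout)
        c.connect((host, port))  # sends nothing: UDP has no handshake
        clients.append(c)        # earlier sessions stay open
    results = [_exchange(c) for c in clients]
    for c in clients:
        c.close()
    return results

def limit_enforced(results, limit):
    passed = [r == "passed" for r in results]  # which sessions carried data
    return all(passed[:limit]) and not any(passed[limit:])

def demo(limit=4):
    # Constructed loopback setup: one closed port stands in for the blocked session.
    spare = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    spare.bind(("127.0.0.1", 0))
    ports = [s.getsockname()[1] for s in start_echo_listeners(limit) + [spare]]
    spare.close()  # the last port now has no listener
    return run_sessions("127.0.0.1", ports)
```

Against a real FW/IPS, keep the UDP listeners on the server and call run_sessions() from the client with the server address and one more port than the configured limit; limit_enforced(results, 4) returning False means data passed on a session that should have been blocked.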


Thank You!!!