MS15-011 & MS15-014

A whole host of vulnerabilities have been patched in the latest Microsoft Patch Tuesday release which has a number of critical vulnerabilities that you really need to pay attention to, they are MS15-011 and MS15-014 as these two patches require you to make additional changes after you have implemented them on your systems and they affect Group Policy.

This is another vulnerability that has been out there for over a decade, 15-years to be correct. It affects all PC’s running all supported versions of Windows. It will however remain unpatched in Windows Server 2003 which support will be ending for soon, Microsoft however decided not to patch it even though it should have an extra five months of support. The attack is theoretical but you should patch and reboot as soon as you can even if you are not affected by these vulnerabilities.

MS15-011 – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. For more information, see the Affected Software section.

The security update addresses the vulnerability by improving how domain-configured systems connect to domain controllers prior to Group Policy accepting configuration data. For more information about the vulnerability, see the Vulnerability Information section.

To be protected from the vulnerability described in this bulletin, additional configuration by a system administrator is required in addition to deploying this security update. For more information about this update, see Microsoft Knowledge Base Article 3000483.


MS15-014 – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker, by way of a man-in-the-middle attack, causes the Group Policy Security Configuration Engine policy file on a targeted system to become corrupted or otherwise unreadable. This results in the Group Policy settings on the system to revert to their default, and potentially less secure, state.

This security update is rated Important for all supported releases of Microsoft Windows. For more information, see the Affected Software section.

The security update addresses the vulnerability by correcting how Group Policy settings are applied when the Security Configuration Engine policy file is corrupted or otherwise unreadable. For more information about the vulnerability, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3004361.

So what does this mean to me if I don’t patch it?

Well you will then be an easy target as outlined in the diagram below:

MS15-011 & MS15-014 - Attack Diagram

MS15-011 & MS15-014 – Attack Diagram

In the above attack scenario, an attacker is trying to make changes to a shared network switch in a public place (eg free Wi-Fi) and can direct the client traffic to an attacker-controlled system via a MITM attack.

  1. In this scenario, the attacker has observed traffic across the switch and found that a specific machine is attempting to download a file located at the UNC path: \\\Share\Login.bat .
  2. On the attacker machine, a share is set up that exactly matches the UNC path of the file requested by the victim: \\*\Share\Login.bat.
    1. The attacker then crafts a malicious payload into Login.bat to execute arbitrary, malicious code on the target system. Depending on the service requesting Login.bat, this could be executed as the local user or as the SYSTEM account on the victim’s machine.
  3. The attacker then modifies the ARP table in the local switch to ensure that traffic intended for the target server is now routed through to the attacker’s machine.
  4. When the victim’s machine next requests the file, the attacker’s machine will return the malicious version of Login.bat.
  5. This scenario also illustrates that this attack cannot be used broadly across the internet – an attacker need to target a specific system or group of systems that request files with this unique UNC.

Ok I patched my systems now what?

Visit the microsoft support article and enable UNC hardening in Group Policy your will be still exploitable after the updates have been installed.




Ransomware, it’s nothing new but it is making a big comeback over the last few years and I have seen it gradually rise and encrypt peoples laptops, servers and heard of entire networks held to ransom. Due to the current rise I decided to write about it.

When was the first known encrypting ransomware discovered?

1989, the year of the “AIDS” trojan, aka. “Aids Info Disk” or “PC Cyborg Trojan” which replaced the AUTOEXEC.BAT file and it would then count the number of times the machine had booted, once it reached 90 days it would then hide directories and encrypt the names of all the files on the C: drive and rendered the system to be unusable. It would then display a message to the user asking them to “renew the license” and contact PC Cyborg Corporation for payment, this involved sending $189 to a post office box in Panama! Like today’s ransomware more than one type of variant exists and different one’s will do slightly different things, except one thing and that is to try and extort money from you. AIDS actually had an end user license agreement and would display it to the user, an excerpt can be seen below.

If you install [this] on a microcomputer…

then under terms of this license you agree to pay PC Cyborg Corporation in full for the cost of leasing these programs…

In the case of your breach of this license agreement, PC Cyborg reserves the right to take legal action necessary to recover any outstanding debts payable to PC Cyborg Corporation and to use program mechanisms to ensure termination of your use…

These program mechanisms will adversely affect other program applications…

You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement; your conscience may haunt you for the rest of your life…

and your [PC] will stop functioning normally…

You are strictly prohibited from sharing [this product] with others…

A few years later the AIDS Trojan was analyzed even further. A fatal weakness was discovered in the malware by Young and Yung and pointed out to show that that the AIDS Trojan relied on symmetric cryptography. They then showed how to use public key cryptography in order to implement a secure extortion attack. They published and expanded on this in a 1996 IEEE Security and Privacy paper [YY96]. A cryptovirus, cryptotrojan or cryptoworm hybrid encrypts the victim’s files using the public key of the author and the victim must pay to obtain the needed session key. This is one of many attacks, both overt and covert in the field known as Cryptovirology.

What is Cryptovirology?

It is a field that studies how to use cryptography to design powerful malicious software (malware). Think of Regin, Stuxnet, Dark Hotel APT which have come from nation states, have been stealthy and intended to steal information or spy on users for an extended period of time without them knowing about it, they may also be used to cause harm and often sabotage.

The first attack that was identified was called “Cryptoviral extortion”. This involves a virus, worm or trojan hybrid encrypting the victim’s files and then they must pay the malware author to receive the needed session key which providing they have no backups will be the only option available to recover their data from the grasps of the lock on anything that it has touched.

What do I do if I am infected?

  1. Turn off your machine, disconnect it from the network and restore from a backup. If you are seeing a pop up asking for payment then the chance of your files being already encrypted already is very high as you usually will not see this until it has finished the encryption process.
  2. Alert your IT/Security department of what has happened as they will need to assess the damage and see if there has been any sort of spread within the company network eg network shares.
  3. You may be able to decrypt some files if hit by CrypoLocker for example with an online decryption tool like this one by FireEye and FoxIT in which the key’s were obtained during Operation Tovar when a huge amount of Law enforcement and business joined forces in order to take down the Gameover Zeus botnet which was believed by the investigators to have been used in bank fraud and the distribution of CryptoLocker. Now at this point I will say don’t hold your breath as this is only for CryptoLocker and there are many, many variants out there!

How do I protect myself or users?

  1. Back up all your important data or anything that you do not want to lose and make sure it is not left connected to your machine if you choose to backup locally. Try to use some form of online backup service also if it is really important as there is more of a chance of restoring your data if you can restore previous versions of your files.
  2. Make sure you have an up to date Anti-Virus and also maybe some other third party tools like Malwarebytes, Spybot etc and use a nice layered approach, IDS and also some form of packet analysis can help with the cleanup if you need to trawl through the network and see how far the infection has spread.
  3. Use a standard user with UAC enabled to the maximum and have a separate administrator account with a different password.
  4. Make sure all your software is up to date, you can use Personal Software Inspector from Secunia for this as this provides an effective automated patch management solution.
  5. Be vigilant when clicking on emails and avoid clicking on or opening attachments from people you don’t know or companies you have not previously done business with.
  6. Don’t use internet explorer, use firefox or chrome and use a plugin like no-script to make judgements yourself on what to and what not to allow access to run in your browser. I have been using this for years and it is very effective and quite possibly the best protection for blocking malicious payloads from being delivered to your system from within the browser.
  7. Drive-by downloads are a common form of infection and as per step 5 above use no-script to protect against something like this, just don’t allow scripts to run globally and you should be ok.
  8. Show hidden file-extensions within your browser, for example if you receive an e-mail that says “super_secret.PDF.EXE” it should raise concerns, this however requires vigilance and with some proper “Spear Phising“ you may not notice this and click it regardless, at this point just turn of your machine and disconnect it from the network.
  9. Disable files from running in AppData or LocalAppData folders and this can be done one of two ways, manual and the automated tool which has instructions here on usage.
  10. Disable RDP XP, 7, 8 & 8.1.

There is quite possibly more you could do to protect yourself also but informing the user and providing some form of user awareness training about the dangers of emails and testing your users internally which yes I know sounds a bit cruel but it is a very good way to make them learn.

Users are your weakest link, you can have the best endpoint protection in place but without a signature for the latest variant of ransomware, virus, malware etc you then find yourself infected again. It is your responsibility to inform your users and if you don’t then don’t blame them, they don’t know any better, just because you know doesn’t mean everyone does so spread awareness and watch the infections fall.

Before I let you go though I would like to make you aware of the latest attack vector’s coming your way and that is RansomWeb which has been given the name due to similarities with ransomware like the extortion of money for example after encrypting your database, think Personally Identifiable Information (PII), credit cards etc.

File integrity monitoring is the trick to detecting RansomWeb but this is not always the case with a web application provider so it may be some time before this becomes a reality and when this get’s out of control providers will be reactive rather than proactive to the latest threat.

It’s also hard to gauge how successful RansomWeb will be, but if RansomWare is anything to go by, threat agents will find a way to make it a lucrative business and start reeling in the money.

Finally the way I see this moving in your internal network is as follows:

  1. System is infected.
  2. Encrypted.
  3. Held to Ransom with a timer.
  4. Timer runs out, you haven’t paid the ransom so you get a system wipe. (Destructive Malware, Wiper) You have already lost your data once encrypted but this just puts the final nail in the coffin.

Why do I think this? Well just look at the Sony hack before Christmas when exactly that happened to them. According to the FBI this was North Korea who did this but the smell of inside job is so strong with this I am not even going to get into it here as it is another article in itself.

What we learned though is 100TB’s + was exfiltrated from their network, the ransom was asked, denied and then their systems were wiped and staff were forced to use pen and paper to carry out their work. Would you be able to sustain such a hit to your business?

I also feel this is just another way to invoke more stringent regulations on the internet, we will see how true this is but when “North Korea” is apparently hacking your country and “Cyber Terrorism” and “Cyber War” are been thrown around you have to STOP, LISTEN, LOOK and then make your own educated judgement, don’t believe all the hype as the media likes to bite on certain things and make them sound far worse than they actually are.




An update on GHOST

Picked up from the Openwall advisory and nicely formulated into coherent and easy to understand paragraphs by Robert Graham over at erratasec it appears that it is not as vulnerable as it seems.

Most things aren’t vulnerable. Modern software uses getaddrinfo() instead. Software that uses gethostbyname() often does so in a way that can’t be exploited, such as checking inet_addr() first. Therefore, even though software uses the vulnerable function doesn’t mean it’s actually vulnerable.


Most vulnerable things aren’t exploitable. This bug is hard to exploit, only overwriting a few bytes. Most of the time, hackers will only be able to crash a program, not gain code execution.


Many exploits are local-only. It needs a domain-name of a thousand zeroes. The advisory identified many SUID programs (which give root when exploited) that accept such names on the command-line. However, it’s really hard to generate such names remotely, especially for servers.


Is this another Heartbleed? Maybe, but even Heartbleed wasn’t a Heartbleed. This class of bugs (Heartbleed, Shellshock, Ghost) are hard to exploit. The reason we care is because they are pervasive, in old software often going back for more than a decade, in components used by other software, and impossible to stamp out completely. With that said, hackers are far more likely to be able to exploit Shellshock and Heartbleed than Ghost. This can change quickly, though, if hackers release exploits.


Should I panic? No. This is a chronic bug that’ll annoy you over the next several years, but not something terribly exploitable that you need to rush to fix right now.


Beware dynamic and statically linked libraries. Most software dynamically links glibc, which means you update it once, and it fixes all software (after a reboot). However, some software links statically, using it’s own private copy of glibc instead of the system copy. This software needs to be updated individually.


There’s no easy way to scan for it. You could scan for bugs like Heartbleed quickly, because they were remote facing. Since this bug isn’t, it’d be hard to scan for. Right now, about the only practical thing to scan for would be Exim on port 25. Robust vulnerability scanners will often miss vulnerable systems, either because they can’t log on locally, or because while they can check for dynamic glibc libraries, they can’t find static ones. This makes this bug hard to eradicate — but luckily it’s not terribly exploitable (as mentioned above).


You probably have to reboot. This post is a great discussion about the real-world difficulties of patching. The message is that restarting services may not be enough — you may need to reboot.


You can run a quick script to check for vulnerability. In the advisory, and described here, there is a quick program you can run to check if the dynamic glibc library is vulnerable. It’s probably something good to add to a regression suite. Over time, you’ll be re-deploying old VM images, for example, that will still be vulnerable. Therefore, you’ll need to keep re-checking for this bug over and over again.


It’s a Vulnerability-of-Things. A year after Heartbleed, over 200,000 web servers are still vulnerable to it. That’s because they aren’t traditional web-servers, but web interfaces built into devices and appliances — “things”. In the Internet-of-Things (IoT), things tend not to be patched, and will remain vulnerable for years.


This bug doesn’t bypass ASLR or NX. Qualys was able to exploit this bug in Exim, despite ASLR and NX. This is a property of Exim, not GHOST. Somewhere in Exim is the ability to run an arbitrary command-line string. That’s the code being executed, not native x86 code that you’d expect from the typical buffer-overflow, so NX bit doesn’t apply. This vuln reaches the strings Exim produces in response, so the hacker can find where the “run” command is, thus defeating ASLR.


I ain’t afraid of no GHOST (CVE-2015-0235)



The first big vulnerability of this year is out and what is it’s name? GHOST! Discovered by Qualys it is exploiting a serious weakness in the glibc library which then allows a Threat agent to compromise a system and gain full remote access to the target without any prior knowledge of system credentials.

Qualys have worked closely with Linux distribution vendors and have released the advisory in the link above yesterday. Patches are available for all distributions as of yesterday the 27th of January.

This vulnerability actually goes back as far as glibc-2.2 which was released on November 10, 2000. Yet another OLD vulnerability which is 15 years old. Once the automated scripts start to scan you better make sure that you are patched. It is only a matter of time really.

So what is GHOST?

It’s a ‘buffer overflow’ bug which affects the gethostbyname() and gethostbyname2() function calls in the glibc library. This then allows the Threat agent to make an application call to either of these functions and execute arbitrary code with the permissions of the user running the application.

Why is it called GHOST?

Nobody is going to call it CVE-2015-0235 are they? Well I might, but most people outside of our world may not understand so by giving it a sexy name and nice logo a new media friendly vulnerability is born. Oh and the vulnerability can be triggered by the GetHOST functions, drop the “et” and that leaves.. yep, GHOST!

How does it work?

Simply put, in order to exploit this the gethostbyname() function calls which are used for resolving DNS have a buffer overflow triggered by supplying an invalid hostname argument to an application that performs a DNS resolution.

What now?

Remediate and make sure all your systems are up to date in order to mitigate this Threat to your network.

We shouldn’t be using gethostbyname() anyway!

gethostbyname() is a Sockets API function from the early 1980’s and getaddrinfo() should be used instead as put by Robert Graham in the link above.

Testing if your RHEL system is vulnerable or not can be checked with the following script:

# –  GHOST vulnerability tester. Only for CentOS/RHEL based servers.  #
# Credit : Red Hat, Inc – #
vercomp () {
   if [[ $1 == $2 ]]
       return 0
   local IFS=.
   local i ver1=($1) ver2=($2)
   # fill empty fields in ver1 with zeros
   for ((i=${#ver1[@]}; i<${#ver2[@]}; i++))
   for ((i=0; i<${#ver1[@]}; i++))
       if [[ -z ${ver2[i]} ]]
           # fill empty fields in ver2 with zeros
       if ((10#${ver1[i]} > 10#${ver2[i]}))
           return 1
       if ((10#${ver1[i]} < 10#${ver2[i]}))
           return 2
   return 0

echo “Vulnerable glibc version <=” $glibc_vulnerable_version“-“$glibc_vulnerable_revision
echo “Vulnerable glibc version <=” $glibc_vulnerable_version2“-“$glibc_vulnerable_revision2
echo “Vulnerable glibc version <=” $glibc_vulnerable_version3“-1.”$glibc_vulnerable_revision3

glibc_version=$(rpm -q glibc | awk -F“[-.]” ‘{print $2″.”$3}’ | sort -u)
if [[ $glibc_version == $glibc_vulnerable_version3 ]]
   glibc_revision=$(rpm -q glibc | awk -F“[-.]” ‘{print $5}’ | sort -u)
   glibc_revision=$(rpm -q glibc | awk -F“[-.]” ‘{print $4}’ | sort -u)
echo “Detected glibc version” $glibc_version” revision “$glibc_revision

vulnerable_text=$“This system is vulnerable to CVE-2015-0235. <>
Please refer to <> for remediation steps”

if [[ $glibc_version == $glibc_vulnerable_version ]]
   vercomp $glibc_vulnerable_revision $glibc_revision
elif [[ $glibc_version == $glibc_vulnerable_version2 ]]
   vercomp $glibc_vulnerable_revision2 $glibc_revision
elif [[ $glibc_version == $glibc_vulnerable_version3 ]]
   vercomp $glibc_vulnerable_revision3 $glibc_revision
   vercomp $glibc_vulnerable_version $glibc_version

case $? in
   0) echo “$vulnerable_text”;;
   1) echo “$vulnerable_text”;;
   2) echo “Not Vulnerable.”;;

If vulnerable you will then see the following output below:



Checking to see what applications or packages depend upon the vulnerable glibc can be checked with the following command:

lsof | grep libc | awk '{print $1}' | sort | uniq

Check to see if you are running the correct version of glibc:

ldd –version


Qualys Advisory:

Test your system:

RHEL (Patching Information and test scripts):









(CVE-2014-6352) Zero-day vulnerability found in OLE PowerPoint


Object Linking and Embedding (OLE) is nothing new and it is not even a week since the last vulnerability (CVE-2014-4114) was discovered by iSight which unveiled a Cyber Espionage Campaign attributed to the Russian hacking group labelled “Sandworm” which was successfully targeting Windows OS from Vista SP2 and up but this has not stopped the newest member of the family coming to light utilising Microsoft PowerPoint as an attack vector this time.

CVE-2014-6352 is on a phishing trip and once again in the age old “don’t click on that email you weren’t expecting” security awareness words of wisdom just don’t click on it. If you receive an email and it has a PowerPoint OR ANYTHING for the matter that you did not expect DO NOT, I REPEAT, DO NOT click on it as you may be on the fast track to infecting yourself with a nice zero-day flaw that is being actively exploited by hackers in the wild.

In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted Microsoft Office file, such as a PowerPoint file, that is used in an attempt to exploit this vulnerability. In addition, compromised websites (and websites that accept or host user-provided content) could contain specially crafted content that could exploit this vulnerability. An attacker would have no method to force users to visit a malicious website. Instead, an attacker would have to persuade the targeted user to visit the website, typically by getting them to click a hyperlink that directs a web browser to the attacker-controlled website. The Microsoft Advisory states.

OLE is a tried and tested attack vector and has proven to be very successful when used in conjunction with Social Engineering technique’s, let’s face it if people keep clicking on things that they shouldn’t then this will continue into the future.

One thought I had though while writing this is that of a bad actor who has already compromised a standard user system but is having difficulty gaining administrative privileges and is already aware that the admin/s access certain documents on a server every so often, all they would have to do is modify the file and once clicked they are in and access has been granted so to speak, I know there are many other methods that would work before this but an interesting attack vector nonetheless.


Keep your poodle on a leash! (CVE-2014-3566)


Yet another critical vulnerability exists (CVE-2014-3566) in something we use everyday and much like the other serious vulnerabilities discovered recently this one potentially affects around 97% of the internet.


SSL 3.0 was improved upon by SSL 2.0 by adding SHA-1 based ciphers and support for certificate authentication. This was done as serious security flaws were found in the previous version and so v3.0 was born. TLS 1.0 took over in 1999 but you should really be using at least v1.1 or v1.2 as lets face it, they were created for a reason right? Nobody creates a new version of anything for the fun of it do they, especially when it is being used by a large part of the internet.

Padding attacks are nothing new though as Serge Vaudenay a French cryptographer published back in 2002 and later in 2010 successful attacks were applied to several web application frameworks (WAFS).

What is an Oracle Attack though? Well  “an oracle attack is an attack that exploits the availability of a weakness in the system which can be used as an “oracle” which can give a simple go/no go indication to show whether the attacker has reached, or is nearing, their goal. The attacker can then combine the oracle with systematic search of the problem space to complete their attack.”

Ok but what is an oracle? Well “an oracle is a mechanism used by software testers and software engineers for determining whether a test has passed or failed. It is used by comparing the output(s) of the system under test, for a given test case input, to the outputs that the oracle determines that product should have. The term was first used and defined in William Howden’s Introduction to the Theory of Testing.”

Now that we have discovered what a Padding oracle attack is we have pieced together some of the POODLE acronym, it actually stands for “Padding Oracle On Downgraded Legacy Encryption”and it was discovered by Google.

Ok, how does this look in a diagram? Glad you asked as I put together a little flowchart below which you may find interesting as this is a protocol flaw and not an implementation issue.


What you are looking at in the above flowchart is a lot simpler than it looks, it is a Cipher Block Chain (CBC). “In cryptography a mode of operation is an algorithm that uses a block cipher to provide an information service such as confidentiality or authenticity.”


Pretty much your plaintext goes in, it then has an initialization vector (iv) added to it, think of this as a starting variable (sv) which is used to randomise the encryption process, each block of plaintext is encrypted using a key that is derived from the previous block of ciphertext that is scrambled using a process called exclusive-OR (Xor) and padded where necessary to make blocks of the required size.

CBC is still widely used today as you have now discovered with the discovery of POODLE which is sure to have some tools released in the coming days much like the BEAST (Browser Exploit Against SSL/TLS) or CRIME attacks, BEAST like this vulnerability was also discovered by Thai Duong along with Juliano Rizzo and discovered on September 23, 2011.

How do I protect myself from a POODLE attack?

Don’t connect to a Wi-Fi hotspot that you are not in control of as this is where the most probable attack will most likely occur at the time of writing this article. It is possible to be downgraded to SSL 3.0 if using another protocol so even if you are using something else this could be your fall back!

How can I detect it?

Use an Intrusion Detection System (IDS) as signatures already exist to detect such a threat that may be happening on your network.


“Padding oracle attack – Wikipedia, the free encyclopedia.” 2010. 16 Oct. 2014 <>

“Oracle (software testing) – Wikipedia, the free encyclopedia.” 2009. 16 Oct. 2014 <>

“Block cipher mode of operation – Wikipedia, the free …” 2004. 16 Oct. 2014 <>



Bash vulnerability (CVE-2014-6271) “Shellshock” Analysis with Wireshark



What is with all these new fun and exciting vulnerabilities we have encountered recently like Heartbleed and ShellShock?

Both of these are a very big deal for anyone in IT whether you are in a general admin role or an IT Security position. In most cases, it will be up to system administrators and software companies to issue patches.

Both have existed for years and remained unnoticed or have they? Someone else has surely noticed these before they had been made public and abused them to gain access to systems and this does not just include Government Actors who are known to hoard all of the vulnerabilities they find but Threat Actors too just out to infiltrate as much as they possibly can and cast the widest net they can and ultimately becoming an Advanced Persistent Threat (APT).

Regarding the name ShellShock it seems to have originated from this twitter page by Andreas Lindh and Robert Graham the image above is also Andreas creation and is quite a cool image at that which grabs your attention. The researcher who discovered it however was Stephan Chazelas.

In my short video which you can see below, I show you how easy it actually is to exploit this vulnerability of which has many different attack vectors which include Linux OS, Apple OS, DHCP, SSH, OpenSSH, OpenVPN, Apache, Embedded devices, rooted phones, SCADA systems powering our infrastructure, the list goes on and if you are using Windows and have CygWin installed you may also be vulnerable to the recent vulnerability.

Looking at one of these different vectors and breaking down this vulnerability in an Apache environment which requires mod_cgi to be enabled is quite simple for the Threat Actor who has found this vulnerability on your server possibly by using curl to see what headers are available to them.


Now if we look at the file output in the cgi file we just created you will see a similar output:


Next the attacker tries to connect to your Apache server using curl and the handy User­Agent flag in curl with netcat listening on the attacking machine:

Netcat listening on port 4444:


Curl using the User­Agent flag creating a reverse tcp shell on the target machine with the bash vulnerability:


Success looks like the following:


Looking at the initial curl command a bit closer we can see that the host has accepted our connection attempt and the User­Agent flag contains the reverse shell back to the attacking machine:


As of the 7th of October Malware Must Die posted on their blog the threat known as “Mayhem” in which the white­hat security research workgroup performs a detailed analysis of the infection and warns that we have not seen the final wave of this bash vulnerability yet.

What have we learned from this vulnerability? Maybe that we should not always take for granted that we are secure and that the best form of defense is a layered approach which incorporates network forensics in which you can look back in time and see what happened in the event of a breach.

I know for a fact that some people out there would not have known their systems had been hit had they not been able to go back a few days or months simply and quickly to check with a nice report and pass it on to their security team to investigate with all the detail required to pass on to the authorities if needed.

Sniff your traffic, understand the packets.