Bash Vulnerability Discovered

This is quite serious, as it allows an attacker to run arbitrary code in a Bash sub-shell. The vulnerability (discovered by Stephane Chazelas) lies in how Bash processes environment variables: when a variable holds a function definition, any trailing code after the function body was executed too, regardless of the variable's name.

(ref: http://seclists.org/oss-sec/2014/q3/649 )

This vulnerability can be easily exploited over the network by skilled attackers in common configurations/setups. The GNU Bash upstream maintainer, Chet Ramey, has already released the official upstream patches.

If you’re running CentOS or another RHEL derivative, please update Bash immediately:

# yum update bash

If you’re running Ubuntu, you can run this command:

# apt-get upgrade bash

If your host or webserver has some kind of Control Panel (e.g. Cpanel or Plesk) that has auto-update enabled, it may have already updated Bash for you when the cronjob runs.

After updating Bash, please verify that you are no longer vulnerable by running the following command on the command shell/bash:

export badvar='() { :;}; echo vulnerable' && bash -c "echo This is a sub process in $BASH_VERSION"

If you have patched up BASH, then you will see something like the following on your shell:

bash: warning: badvar: ignoring function definition attempt
bash: error importing function definition for `badvar'
This is a sub process in 4.1.2(1)-release

BUT if your BASH hasn’t been updated yet, then you will see the following:

vulnerable
This is a sub process in 4.1.2(1)-release


The word “vulnerable” is a dead giveaway that your version of Bash is vulnerable to this exploit. Update immediately!

Slider Revolution Plugin Vulnerability

Sometimes, when you’re cruising along nicely in life, something bad has to happen – like a low-down, good-for-nothing hacker who discovered a critical vulnerability in the Slider Revolution Plugin and used it to wipe out my entire blog :-(

Yeah, it was bad. The entire WordPress blog got wiped out. I guess that hacker had a bad day and decided to take out his frustration on my blog. This vulnerability in the plugin allows an attacker to download the WordPress configuration file – “wp-config.php” – and view the database connection parameters (username, password and database server name).

The latest version of this popular plugin is 4.6.0 (released on 25th August 2014). Versions 4.1.4 and earlier are vulnerable. If you’ve purchased this plugin from the Envato marketplace, please contact the vendor and get an update immediately.

It seems that the developers of this plugin, “ThemePunch”, released version 4.2 with a changelog entry saying it addressed a ‘security’ issue, but did not disclose how severe that issue was. As a result, many theme authors who had bundled the slider code/plugin into their themes did not pay much attention to it, and many did not update their code base.

Sadly, it was the low-life worms in the underground (i.e. crackers and hackers) who took this information about the vulnerability seriously and began to circulate it on various underground forums. This went on for several months, and on 1st September someone posted a proof-of-concept exploit on a public forum. That’s when all hell broke loose and many script kiddies took advantage of the exposed vulnerability.

Note: Even if you don’t have this plugin installed, but you’re using a paid/commercial theme, you may want to check with the theme author and ask whether the theme bundles an earlier version of this popular plugin. Many commercial themes use the Slider Revolution plugin/code.

In fact, most of the WordPress sites that got hit were compromised through the vulnerable slider code bundled in their theme files. Even though the developer of this plugin has updated the code and fixed the security hole, many WordPress sites out there are still vulnerable, because whether the fix reaches a site depends on how the theme developers handle the plugin updates.

How to Check If Your WordPress Site Is Vulnerable:

Type this URL into your browser:

http://YOURSITE.COM/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php


*note: replace “YOURSITE.COM” with your own domain/URL.

If you can view the contents of your wp-config.php file, then you’re vulnerable. Switch themes immediately and contact your theme vendor. If you see only a “0”, then you’re safe.
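Beyond patching, you will want to know whether either of the two issues above was ever tried against your server. The following is an added example (not code from this post): it scans web-server access-log lines in the common "combined" format for the Slider Revolution traversal request shown above and for the Bash function-definition prefix that Shellshock probes carry in request headers. The function names and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Sep/2014:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Sep/2014:10:16:44 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=%2e%2e%2fwp-config.php HTTP/1.1" 200 3120 "-" "curl/7.30"
198.51.100.7 - - [02/Sep/2014:10:17:10 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=uploads/slide1.jpg HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.8 - - [25/Sep/2014:08:02:33 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :;}; echo vulnerable"
192.0.2.4 - - [25/Sep/2014:08:03:01 +0000] "GET /index.php HTTP/1.1" 200 4221 "-" "Mozilla/5.0"
"""

# One "combined" log line: ip ident user [ts] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The Bash function-definition prefix that a Shellshock probe needs in an env var.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def revslider_traversal(path):
    """True when the request hits the Slider Revolution image handler with a traversing img."""
    parts = urlsplit(path)
    if not parts.path.endswith('/wp-admin/admin-ajax.php'):
        return False
    qs = parse_qs(parts.query)
    if qs.get('action', [''])[0] != 'revslider_show_image':
        return False
    # parse_qs already decodes once; a second unquote catches double-encoded dots.
    img = unquote(qs.get('img', [''])[0])
    return '..' in img or img.startswith('/')


def scan_log(text):
    """Return (line_no, ip, kind) for each suspicious request in the log text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        if revslider_traversal(m['path']):
            hits.append((n, m['ip'], 'revslider-traversal'))
        # CGI copies request headers into environment variables, which is how
        # Shellshock reached Bash; the combined format records two such headers.
        if any(SHELLSHOCK_RE.search(m[f]) for f in ('referer', 'ua', 'path')):
            hits.append((n, m['ip'], 'shellshock-pattern'))
    return hits


if __name__ == '__main__':
    for line_no, ip, kind in scan_log(SAMPLE_LOG):
        print(f'line {line_no}: {ip} {kind}')
```

Feed it your real access log with `scan_log(open('access.log').read())`; a hit on the traversal request with status 200 means the file was served and the database credentials in wp-config.php should be rotated.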