shellshock vulnerability in android

shellshock vulnerability
shellshock vulnerability , executing commands after environment

 

I’ll try to put it as simple as possible to the readers from non information security background, ‘bash shell’ an inevitable part of unix based systems like Unix, Linux, Mac OS  is messed up badly by a easy to exploit  vulnerability that all hell broke loose. Shellshock aka Bashdoor  as it’s fondly called is a series of dangerous security bugs on the bash shell.

CVE-2014-6271

The first of these series, which would let anyone execute arbitrary commands following a crafted environment variable like this,

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Speaking more on the vulnerability and it’s implications is beyond the scope of this article. Incase you are a power reader and wish to know in-depth regarding the vulnerability, please take a look at the excellent coverage on the same by troy hunt here.

What I really wanted to speak about here is shellshock’s implications in Android operating system.

Shellshock and Android

Now that smartphones have effectively replaced laptops as your personal computing devices and then large scale surveillance celebrity nude leaks have become page 3 news – you should really be aware of the things which could affect your personal devices and shellshock or other bash/linux vulnerabilities should fall on the top of that list, because Android is just a Linux on steroids inside !

Android devices part of Open Handset Alliance like LG, Samsung, HTC etc. seem to use sh instead of bash for your sweet dreams but all is not well in the android world as significant number of AOSP (Android Open Source Project) based android devices like Cyanogenmod are still running  un patched version of bash shell and are very much prone to shellshock vulnerabilities.

During my tests I was surprised to see MIUI a AOSP based android OS from Xiaomi, not to be affected by shellshock. I’m eager to test on Amazon’s Fire OS, Alibaba’s Alyun etc.

Testing shellshock’s CVE-2014-6271 on Android is simple if you had any kind of experience with android developer tools. Run the above command on the adb shell and if you get the command after the environment variable function executed successfully, it means your device is vulnerable to shellshock exploit.

Sandbox

In Android, apps are run inside a sandbox environment for the data in order to prevent other apps from accessing it. Though bash vulnerabilities shouldn’t directly affect the sandbox security, any privilege execution resulting in super user capabilities for the malicious app can affect the entire system.

For making things simpler for those who didn’t  want to get their hand’s dirty in testing for Shellshock vulnerability, I made an app which does it for you.

Shellshock Vulnerability Scanner app

 

Representation of Shellshock Vulnerability Scan.
Representation of Shellshock Vulnerability Scan.

You can download the app from here –

https://play.google.com/store/apps/details?id=in.indiandragon.shellshock.shellshockvulnerabilityscan

When you open the app it gives the information you are looking for directly without any gimmicks like ‘scanning system’ which isn’t required to test this vulnerability.

Note :

The app comes with  No warranty whatsoever. Though it doesn’t do anything which could damage your mobile, you own responsibility for all your actions.

Opensource !

I have put the complete code in the GitHub for you to explore, learn & even modify to add tests for additional vulnerabilities. You can grab the code from here –

https://github.com/indiandragon/Shellshock-Vulnerability-Scan 

So if you had any concerns or opinion regarding shellshock let me know over twitter (@theindiandragon) or Facebook.

Author: indiandragon

Developer, Hacker, Researcher

13 thoughts on “shellshock vulnerability in android”

  1. Thank you for the info and the app, plus open source big up. It’s really usefull for those who are concerned with there sp security.

  2. I was learning computer programming in the 80s and it’s amazing to see how it’s changed. You did a great job of explaining what your app was doing and why. Thanks for making and sharing it.

    1. Updating your Android mobile if possible, else upgrading your mobile to a manufacturer who reliably updates the handset at regular interval. If you could get your hands dirty, then you can even try updating your ROM with one which has updates to fix this vulnerability.

  3. I have a question, I installed the app and it shows that the phone is vulnerable however when I run the command on a terminal everything is ok how come?

Leave a Reply

Your email address will not be published. Required fields are marked *