The vulnerability reported in the GNU Bourne Again Shell (Bash) yesterday, dubbed "Shellshock," may already have been exploited in the wild to take over Web servers as part of a botnet. More security experts are now weighing in on the severity of the bug, expressing fears that it could be used for an Internet "worm" to exploit large numbers of public Web servers. And the initial fix for the issue still left Bash vulnerable to attack, according to a new US CERT National Vulnerability Database entry. A second vulnerability in Bash allows for an attacker to overwrite files on the targeted system.

Update: The vulnerability was addressed by the maintainer of Bash, Chet Ramey, in an email to the Open Source Software Security (oss-sec) mailing list. An unofficial patch that fixes the problem has been developed, but there is as of yet no official patch that completely addresses both vulnerabilities.

In a blog post yesterday, Robert Graham of Errata Security noted that someone is already using a massive Internet scan to locate vulnerable servers for attack. In a brief scan, he found over 3,000 servers that were vulnerable "just on port 80"—the Internet Protocol port used for normal Web Hypertext Transfer Protocol (HTTP) requests. And his scan broke after a short period, meaning that there could be vast numbers of other servers vulnerable. A Google search by Ars using advanced search parameters yielded over two billion webpages that at least partially fit the profile for the Shellshock exploit.

"It's things like CGI scripts that are vulnerable, deep within a website (like CPanel's /cgi-sys/defaultwebpage.cgi)," Graham wrote. CPanel is a Web server control panel system used by many Web hosting providers. "Getting just the root page is the thing least likely to be vulnerable. Spidering the site and testing well-known CGI scripts (like the CPanel one) would give a lot more results—at least 10x."

In addition, Graham said, "this thing is clearly wormable and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable—once the worm gets behind a firewall and runs a hostile DHCP server, that would be 'game over' for large networks."

The big problem, as Securosis analyst and CEO Rich Mogull noted, is that "Bash is embedded and accessed in so many ways that we cannot fully understand its depth of use. Many systems you would never think of as having a command line use bash to run other programs. I have used it myself, a bunch, in programs I have written—and I barely code. We cannot possibly understand all the ways an attacker could interact with Bash to exploit this vulnerability."

Apparently, the vulnerability is already being used maliciously. A GitHub "gist" post by a system administrator who uses the Twitter handle @yinettesys reported finding an exploit that used the Shellshock vulnerability to launch a kernel exploit with a connection to a Command and Control (CnC) server hidden behind Cloudflare's content delivery network. The attack uses a Web GET request from a user agent called ".Thanks-Rob"—possibly a hat tip to Graham.

The binary delivered by the attack includes a number of text strings that appear to be a dictionary of username and password guesses, and it's similar to other malware used in the telnet brute-force attacks earlier this year. The malware delivered by the attack is a file named nginx written to the targeted server's /tmp directory in a subdirectory called "besh." The filename is an attempt to disguise it as the popular Web server software in process lists. The only communications sent from the malware to the CnC server are the text "PING"—which returns the response "PONG."

Oddly, according to one Hacker News poster who ran the binary of the malware on a virtual machine, the malware also sends a request to a Pastebin page (now removed) that was associated with an alleged leak of nude photos of actress Emma Watson.

Update: A number of security companies are now reporting attacks based on Shellshock that are ongoing. "We’re seeing attackers target the Shellshock vulnerability almost immediately (within 4.5 hours) of it being publicly announced," said Waylon Grange, senior malware researcher at Blue Coat. "Any organizations or users with unpatched Linux servers are vulnerable to hackers running unauthorized code, so it’s very important that organizations download and apply the patch immediately. Blue Coat is already seeing DDOS botnets trying to utilize this vulnerability in their attacks and we expect that traffic to only continue to increase.”