While the Shellshock story is taking the media by storm, and as the reports of exploitation in the wild start to emerge, some questions about the worse-than-heartbleed infamous bug remain unanswered.
"Will there be a Slammer-like worm owning half of the Internet within a few hours?", "Besides Apache, DHCP and SSH, are there other ways to remotely set environment variables?", "Has the NSA known about it for 20 years?", "Are iOS and Android vulnerable?"...
While here at FortiGuard Labs, we have our own opinion on all of these questions, the one we can answer with most certainty is the last one.
Indeed, since the Shellshock story debut, it has been pointed that all Unix-based systems may be impacted, and that it includes MacOS X, iOS, and Android. It was later demonstrated that MacOS X did indeed come with a vulnerable version of Bash; but to our knowledge, no one seemed interested in connecting the dots regarding iOS and Android. This is surprising, since to most of us, our mobile device is our most cherished one - and thus the one we least want to be impacted, leading to hackers remotely taking control of it (yeeek, goose bumps of terror).
So are they? Looking at our lab's jailbroken/rooted devices shows us that both Cydia and Cyanogen came with a Bourne Again Shell (aka Bash) package.
Fig 1. Bash package in Cydia on iPhone (iOS 7) - Note this is the patched version
Which brings a first point: if third-party software for jailbroken/rooted devices install Bash, it means that Bash is very likely not present on off-the-shelf devices.
Conclusion: Non-jailbroken iPhones/iPads and non-rooted Android devices are not vulnerable to Shellshock.
What about jailbroken/rooted devices? A quick test using terminal apps show that they did come with a vulnerable version of Bash. For example:
Fig 2. Bash on jailbroken iPhone 5 running on iOS 7
Further tests show that it is even possible, theoretically, to exploit the vulnerability to spawn a reverse connect shell:
Fig 3. Spawning a reverse connect shell on jailbroken iPhone 5 running iOS 7
Fig 4. Spawning a reverse connect shell on rooted Android
On the "receiving side" of the shell (lab Linux computer running netcat in listen mode):
Fig 5. Shell remotely controlling jailbroken iPhone 5
Fig 6. Shell remotely controlling a rooted Android
Does that mean that the devices are vulnerable to attacks exploiting the Shellshock bug? Not quite. For an attack to be successful, two conditions must be met:
1) The target must embed a vulnerable version of Bash
2) There must be a way to remotely set environment variables on the target
While we established 1. above, we have yet to find a way to do 2. Doing so would probably involve leveraging third-party packages provided via Cydia/CyanogenMod, since natively, Bash is not installed (thus not needed).
If nothing proves that 2. is possible, nothing either proves it is not. Therefore, owners of jailbroken/rooted devices may apply caution, and install patches for Bash. As of this writing, an update of the Bourne Again Shell package is available already in Cydia; we encourage jailbreakers to install it.