Remotely Exploitable “Shellshock” Vulnerability (CVE-2014-6271 / CVE-2014-7169)

After Heartbleed, a very critical vulnerability recently published that affects most Linux, UNIX and Mac OS X operating systems named as "Shellshock" or "Bash Bug". The vulnerability is more critical than Heartbleed vulnerability, affects systems which uses Linux/Unix command-line shell, known as Bash, aka GNU Bourne Again Shell (version 4.3 or lower) and parse values of environment variables. This can include not only standard distributions of operating systems, but also a variety of embedded and "Internet of Things" devices including home routers.

Surprisingly, this is 22 years old vulnerability (CVE-2014-6271/ CVE-2014-7169), dating back to version 1.14, lies in environment variables handling of Bash. When assigning a function to a variable, trailing code in the function definition will be executed, leaving the door open for code injection attacks. In other words, this security vulnerability allows attacker to execute malicious code within the bash shell remotely on target machine using specially crafted variables.

The Shellshock vulnerability can be exploited on systems that are running Applications or services that allow unauthorized remote users to assign Bash environment variables. Examples of exploitable systems include the following:

Ø Web Applications that use CGI scripts that are written in Bash. 
Ø Network-exposed services that use Bash.
Ø Certain DHCP clients.
Ø OpenSSH servers that use the ForceCommand capability.

 :::::::::::: NIST Vulnerability Summary::::::::::::

CVE Number:                    CVE-2014-6271  /  CVE-2014-7169
CVSS Base Score:             10.0
Impact Subscore:               10.0
Exploitability Subscore:      10.0
Base Metrics:                     AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Vector:                   Network exploitable
Access Complexity:            Low
Authentication:                    Not required
Impact Type:                       Unauthorized disclosure of information; unauthorized modification;  Disruption of service
Exploitable:                        YES
PATCH AVAILABLE:           YES

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

:::::::::::: Identify and Patch Vulnerability in your environment:::::::::::: 

Shellshock vulnerability affects UNIX, Linux and OS X operating systems which are using BASH shell. Affected BASH shells Version are 4.3 or lower.

• How To Check which Shells You Are Using, run following command in your system's shell/terminal:

# chsh --list-shell

or

# cat /etc/shells

If output of this commands shows /bin/bash, it confirms that you are using a BASH shell.

• How to check version of BASH Shell of your system:

To identify the version of BASH shell you are using, run following command in your system's shell/terminal:

# bash --version

If version of your BASH shell is 4.3 or lower, your BASH shell is Vulnerable.

• How To Confirm The Existence/Non-Existence of Vulnerability in your BASH Shell:

To identify if your linux or unix system is vulerable or not, run following commands in your system's shell/terminal. 

# env vipltest="() { :;} ; echo Vulnerable to Shellshock" /bin/sh -c "echo FINISH"
# env vipltest="() { :;} ; echo Vulnerable to Shellshock" `which bash` -c "echo FINISH" 

After executing these commands, if you see below output then you are at risk:

After executing these commands, if you see below output, your version of Bash is safe:

• How To Fix:

Ø Many of the major operating system and Linux distribution vendors have released the new bash(Patch) for this vulnerability (Commands given below to update bash software package); and although not all patches have been proven to be really effective yet, patching is the first thing to do.

Ø If you are using any IDS/IPS I would also recommend that you add/load a signature for this.  A lot of public rules have been published.

Ø Also review your web server configuration. If there are any CGI scripts that you are not using, consider disabling them.

Commands to Update Bash: 

CentOS / Red Hat / Fedora:
# sudo yum update bash 

Ubuntu / Debian: 
# sudo apt-get update && sudo apt-get install --only-upgrade bash

After Updating bash, execute commands given above (Section: How To Confirm The Existence/Non-Existence of Vulnerability in your BASH Shell) to confirm Non-existence of vulnerability.

:::::::::::: TECHNICAL DETAILS ::::::::::::

A malicious string '() { :;}; echo Vulnerable to Shellshock" takes advantage of a bug in the way Bash handles environment variables to trick it into treating the string "echo Vulnerable to Shellshock" as a command rather than just a string of letters. The vulnerability occurs because bash does not stop after processing the function definition. It continues to parse and execute shell commands following the function definition.

:::::::::::: PROOF OF CONCEPT ::::::::::::

To demonstrate we took a application running on UNIX system and using apache and cgi-bin script.

1. First, we intercepted requests using live-http-header add-on of firefox so that we can start tampering with the requests. In this request, we can see that it is requesting /cgi-bin/status using GET verb.

2. Now before moving further, we need to start listening to the port that we want the reverse shell to connect to. For this we used netcat. In this example, we opened command prompt of windows and entered command to listen on.

3. After we started listening we sent the payload/arbitrary commands that will execute on the remote server and connect back to our machine.

4. After playing above request, we started receiving incoming connections from remote server.

5. Later, we were successfully able to execute arbitrary code/commands on the remote machine.

Happy Pentesting... :)

Posted in: Exploit, shellshock vulnerability