3S Labs Banner

Friday, September 26, 2014

CVE-2014-6271 Bash Vulnerability a.k.a Shellshock

CVE-2014-6271 a.k.a Shellshock is command execution vulnerability in Bash shell via. specially crafted environment variable. As per NIST, the exploitation has been demonstrated against vectors involving ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Due to the wide spread deployment and use of Bash shell on almost all Linux, OSX and other *nix based systems, this vulnerability is considered to be extremely critical with possible impact matching the Heartbleed issue, if not more.

Who is Affected?


Any application or system that invokes command through the bash shell can be potentially vulnerable. In order to exploit this issue in a target, an attacker needs to:

  • Set any environment variable with his controlled data.
  • Force the target to invoke any shell command through bash -c <cmd>

The immediate targets that can be exploited remotely are Web Servers with CGI support particularly those CGI scripts that are written in shell scripting. Apart from that, web applications written in various scripting language such as PHP, Perl, Python, Ruby etc. are equally vulnerable if deployed in CGI mode and the application at some point invokes shell command using functions like popen, exec, system etc.

How to Fix?


The bash shell needs to be updated to a patched version. For Debian based systems, it can be done using the following command:
apt-get install --only-upgrade bash

For RedHat or CentOS based system, following command can be used to update bash:
yum update bash

Note: The current fix in Bash is considered to be incomplete. A complete fix is yet to be released at the time of writing. The initial fix bypass is assigned the vulnerability identifier CVE-2014-7169.

Technical Analysis & Test Case


The simplest test case involves executing the following command in an affected bash shell:


If the string Vulnerable is printed, then the shell is affected by this issue.

Remote exploitation of this vulnerability can be demonstrated in a local environment using Apache/CGI based deployment and an affected version of Bash shell.

Sample CGI to demonstrate the vulnerability:


Following ruby script can be used as a test case for exploiting the above CGI for vulnerability detection:


The vulnerability can be confirmed if the HTTP response contains an additional header named X-Shellshock. Our FreeScan For Web Application service is updated with test to detect this vulnerability using a similar test case as described above. However it must be noted that the test is limited that uses common heuristic and should not be considered 100% reliable.

Reference:

  • http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
  • https://rhn.redhat.com/errata/RHSA-2014-1306.html
  • https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/


2 comments:

  1. Good article. Thank you for sharing it.
    Cyber security is essential for modern enterprises like traditional security is. What is interesting is that data loss may cost more than for instance all the office equipment. That is why companies are ready to pay for quality virtual data room service like ideals in order to keep their data safe.

    ReplyDelete
  2. Thank y for this scripts, it's really useful.
    Thx for fix strategy.
    security-online.net

    ReplyDelete