CVE-2014-6271 a.k.a Shellshock is command execution vulnerability in Bash shell via. specially crafted environment variable. As per NIST, the exploitation has been demonstrated against vectors involving ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
Due to the wide spread deployment and use of Bash shell on almost all Linux, OSX and other *nix based systems, this vulnerability is considered to be extremely critical with possible impact matching the Heartbleed issue, if not more.
Due to the wide spread deployment and use of Bash shell on almost all Linux, OSX and other *nix based systems, this vulnerability is considered to be extremely critical with possible impact matching the Heartbleed issue, if not more.
Who is Affected?
Any application or system that invokes command through the bash shell can be potentially vulnerable. In order to exploit this issue in a target, an attacker needs to:
- Set any environment variable with his controlled data.
- Force the target to invoke any shell command through bash -c <cmd>
The immediate targets that can be exploited remotely are Web Servers with CGI support particularly those CGI scripts that are written in shell scripting. Apart from that, web applications written in various scripting language such as PHP, Perl, Python, Ruby etc. are equally vulnerable if deployed in CGI mode and the application at some point invokes shell command using functions like popen, exec, system etc.
How to Fix?
The bash shell needs to be updated to a patched version. For Debian based systems, it can be done using the following command:
apt-get install --only-upgrade bash
For RedHat or CentOS based system, following command can be used to update bash:
yum update bash
Note: The current fix in Bash is considered to be incomplete. A complete fix is yet to be released at the time of writing. The initial fix bypass is assigned the vulnerability identifier CVE-2014-7169.
Technical Analysis & Test Case
The simplest test case involves executing the following command in an affected bash shell:
If the string Vulnerable is printed, then the shell is affected by this issue.
Remote exploitation of this vulnerability can be demonstrated in a local environment using Apache/CGI based deployment and an affected version of Bash shell.
Sample CGI to demonstrate the vulnerability:
Sample CGI to demonstrate the vulnerability:
The vulnerability can be confirmed if the HTTP response contains an additional header named X-Shellshock. Our FreeScan For Web Application service is updated with test to detect this vulnerability using a similar test case as described above. However it must be noted that the test is limited that uses common heuristic and should not be considered 100% reliable.
Reference:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
- https://rhn.redhat.com/errata/RHSA-2014-1306.html
- https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
Good article. Thank you for sharing it.
ReplyDeleteCyber security is essential for modern enterprises like traditional security is. What is interesting is that data loss may cost more than for instance all the office equipment. That is why companies are ready to pay for quality virtual data room service like ideals in order to keep their data safe.
Thank y for this scripts, it's really useful.
ReplyDeleteThx for fix strategy.
security-online.net
mecidiyeköy
ReplyDeleteçeşme
muğla
afyon
uşak
D2GR
yurtdışı kargo
ReplyDeleteresimli magnet
instagram takipçi satın al
yurtdışı kargo
sms onay
dijital kartvizit
dijital kartvizit
https://nobetci-eczane.org/
MHDH