CVE-2014-6271: Shellshock
Last updated
Last updated
Shellshock (CVE-2014-6271) refers to a family of vulnerabilities found in the Bash shell, dating back to version 1.3. Discovered by Stéphane Chazelas on September 12, 2014, and made public on September 24, 2014, it allows attackers to remotely execute arbitrary commands by exploiting Bash. Through this, attackers can potentially gain remote access to systems via a reverse shell. Bash, a widely used shell in the *Nix environment and part of the GNU Project, is the default shell for many Linux distributions.
The Shellshock vulnerability occurs due to a flaw in Bash where it mistakenly executes commands following a specific character sequence: () { :; };
. This issue arises from how Bash handles environment variable function declarations. When an environment variable is passed to Bash, if it contains this sequence, Bash interprets it as a function, but instead of stopping at the function's definition, it continues to execute any additional commands.
In this case, Bash should treat x
as a harmless function, but due to the vulnerability, it executes the echo Vulnerable
command.
This flaw only impacts Linux systems, as Windows doesn't use Bash, being a non-*Nix OS. Specifically, Apache web servers running CGI scripts (.sh scripts) are vulnerable because CGI scripts can pass environment variables to the Bash shell, potentially allowing attackers to exploit the system by executing arbitrary commands.
CGI (Common Gateway Interface) allows Apache to execute commands on the server and send the output back to the client, making systems using CGI scripts and Bash susceptible to remote exploitation.
Payload: The payload () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'
is injected into the User-Agent
HTTP header. This header is passed to the CGI script by the web server in the form of an environment variable.
Bash Function Exporting: The vulnerability stems from how Bash exports functions from parent to child shells using environment variables. Any variable beginning with () {
is parsed by Bash as a function, which could lead to arbitrary command execution.
Exploitation: If the CGI script calls Bash or executes commands via system calls (e.g., system
, popen
), the environment variables, including HTTP_USER_AGENT
, are passed to Bash. Bash processes the function-like string () {
, triggering the execution of commands like /bin/bash -c 'cat /etc/passwd'
.
Vulnerable Systems: Systems running Bash-based CGI scripts are highly vulnerable, and even non-Bash scripts can be vulnerable if they invoke Bash through system calls. Attackers can execute arbitrary commands on the server by sending malicious headers.
Recon and Exploitation: The vulnerability can be used for recon (e.g., running id
, ps aux
, or listing files) and data exfiltration by executing system commands via Bash.
To exploit this vulnerability, you need to find an input vector or script that interacts with Bash. On an Apache web server, any accessible CGI script can be used for this. When a CGI script runs, the web server starts a new process and executes the script using Bash.
This vulnerability can be exploited either manually or automatically using the MSF exploit module.
The user-agent
header is used as an injection point because it is passed by the web server to Bash as an environment variable in a vulnerable CGI setup, allowing the attacker to exploit the Shellshock vulnerability and execute arbitrary commands.
The Shellshock vulnerability stems from a feature in Bash that allows exporting function definitions from parent to child shells via environment variables. This feature misinterprets specially formatted environment variables starting with () {
, allowing arbitrary code execution.
Bash's interaction with web servers (like Apache) can expose it to untrusted HTTP headers (e.g., User-Agent
, Cookie
). If an attacker sends a crafted HTTP header starting with () {
, Bash may execute arbitrary commands, leading to remote code execution (RCE).