SHELLSHOCK VULNERABILITY (CVE-2014-6271)
Recently A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux, and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Another attack surface is OpenSSH through the use of AcceptEnv variables.Also through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation.
What is Bash?
Bash, or bourne-again shell, is the default shell in Ubuntu. When you are interfacing with the terminal (either through the terminal emulator, over a tty, or ssh), you are generally typing commands that bash will read, and execute. Even if you do not use the terminal at all, you still have Bash.
How does the exploit affects me?
Bash and the OS keep track of a set of environment variables that describe the current logged-on user, where to look for programs on the hard disk, and other such functions. By crafting an environment variable with a specific structure, an attacker might be able to execute code next time Bash starts.
The attacker can set that environment variable multiple ways:
- Remotely connect to a service such as SSH, and try to log in. By crafting a specific login name or hostname, they could cause an environment variable to be set with that specific crafted data.
- Tricking you into setting the environment variable.
- Causing another program to set an environment variable to have that crafted value. For example, you might have a webserver and script that needs to set an environment variable with specific user content. Even if that script creates its own, and doesn’t touch other environment variables, it’s enough. A single environment variable with any name and a crafted value is enough for the exploit to succeed.
- Other ways I have not mentioned here
Once they set this variable, the next time bash opens for any reason, your attacker’s code will be run. This is especially fearsome with sudo -s, as it spawns bash as the super-user (an administrative user rule that has full control over your computer’s data and programs). Even if you only start bash as a standard user, that user’s files can be deleted.
How to Check Your Vulnerable or Not ?
The above message will confirm that the bash vulnerability was exist in the given operating System.
If you are not vulnerable, then the following will be shown:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x‘
How to Fix Above Vulnerability
The standard update manager will offer you this update. This is a prime example of how security updates are important, no matter what OS you use or how well-maintained it is. Below is the screenshot for updating Bash file
For Confirmation re-run the above command and see the result:
How to Test This Issue in Web Application
Vulnerable Filed are “User-Agent” “Host” “Referer” and arbitrary Header.
Below is the POC attached for the same on Bwapp Vulnerable Application. (http://www.itsecgames.com/)