Bash Code Injection using Special Environment Variables

It looks like it has been a busy week in Information Security, with everyone pretty paranoid about CVE-2014-6271, publicly named "ShellShock". And of course, you should be:

Bash, the most-used shell interpreter on Linux and most Unix systems such as OS X, suffers from a vulnerability that gives an attacker the ability to execute arbitrary commands because Bash does not correctly process environment variables. And it gets worse: under specific situations, it is possible to exploit this vulnerability remotely.

How can this be possible?

Incredibly, Bash does not correctly process function definitions when they are stored in an environment variable: anything that follows the closing brace of the function body is executed as soon as the variable is imported. You can use the following proof of concept to check whether your system is still vulnerable, and as a demonstration of this behavior:

$ env var='() { ignore this;}; echo Vulnerableeee' bash -c ''

If vulnerable, you will see "Vulnerableeee" printed on your screen.

If patched, the following output will appear:

bash: warning: var: ignoring function definition attempt
bash: error importing function definition for 'var'
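The same check, wrapped as a function so it can be run from a script or a monitoring job, is an added example and not part of the original post. It assumes only that a `bash` binary is on the PATH; the marker string and the three result words are my own choice.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the one-line PoC above
# in a function that reports "vulnerable", "patched" or "no-bash" on stdout
# and mirrors the verdict in its exit status (1, 0, 2 respectively).

shellshock_check() {
    # Locate bash; if it is absent the check does not apply.
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }

    # Same trick as the PoC: a function definition stored in an environment
    # variable with a trailing command. A vulnerable bash runs the trailing
    # "echo" while importing the variable; a patched bash refuses and prints
    # the "ignoring function definition attempt" warning on stderr. Stderr
    # is discarded so only the presence of the marker decides the verdict.
    # (VULNERABLE_MARKER is an arbitrary marker chosen for this example.)
    out=$(env var='() { :;}; echo VULNERABLE_MARKER' bash -c '' 2>/dev/null)

    case "$out" in
        *VULNERABLE_MARKER*) echo "vulnerable"; return 1 ;;
        *)                   echo "patched";    return 0 ;;
    esac
}

# Stand-alone run: print the verdict and expose the exit status to callers.
shellshock_check
status=$?
echo "exit status: $status" >&2
```

Because the verdict is also the exit status, the function drops straight into a cron job or configuration-management check (`shellshock_check || alert`) without parsing its output.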

How can an attacker exploit this?

There are two main vectors for exploiting this vulnerability. Over SSH an authenticated user is needed, but in HTTP/CGI the web server copies request headers into environment variables (HTTP_USER_AGENT and friends) before running the script, which makes remote code execution over the network possible and opens up multiple areas of exploitation.

A quick Google Dork reveals that shell scripts served through HTTP/CGI are widely used (more than a million results for this search):

filetype:sh inurl:cgi-bin
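Since every request header ends up in the CGI environment, the `() {` prefix of a function definition is the thing to hunt for in web-server access logs. The following detection script is an added example, not from the original post; the log lines are constructed Apache combined-format samples with documentation IP ranges, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): flags access-log lines that
# carry a Bash function definition in any request field. With the standard
# combined log format the User-Agent and Referer are the last two quoted
# fields, and both are exported to the CGI script as environment variables.

# Constructed sample log (not real traffic); lines 2 and 3 carry the marker.
LOG_SAMPLE=$(cat <<'EOF'
203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.4 - - [25/Sep/2014:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 2048 "() { ignore;}; echo hello" "curl/7.37.0"
198.51.100.5 - - [25/Sep/2014:10:03:30 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
EOF
)

# Print every line containing "()" followed by optional whitespace and "{".
# Reads the files given as arguments, or stdin when none are given.
shellshock_log_hits() {
    grep -E '\(\)[[:space:]]*\{' "$@"
}

# Deduplicated client addresses (first field) behind the matching requests,
# handy for a quick block list or for pivoting into other logs.
shellshock_log_sources() {
    shellshock_log_hits "$@" | awk '{ print $1 }' | sort -u
}

# Stand-alone run over the constructed sample.
echo "Suspicious requests:"
printf '%s\n' "$LOG_SAMPLE" | shellshock_log_hits
echo "Sources:"
printf '%s\n' "$LOG_SAMPLE" | shellshock_log_sources
```

Run it against a real log with `shellshock_log_hits /var/log/apache2/access.log`. The pattern is deliberately loose about whitespace, because the two spaces in `() {` are exactly what a probe can vary while still triggering the parser bug; note that a hit in the log proves an attempt, not a successful execution, so pair it with the patch check above.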

This immediately reminded me of a text by Leon Juranic from DefenseCode about how Unix wildcards can go really wild. A must-read, I must say.

Updates for all major distributions have been released, so go ahead and update Bash ASAP!

C ya l8r!
