Shellshock Vulnerability and Potential Exploitation (not another blog post on CVE-2014-6271 / CVE-2014-7169)

Posted on 29 Sep 2014 by Ray Heffer

As tempting as it is, I have no intention of jumping on the ‘Shellshock’ bandwagon and writing a vague post on the subject. However, I do find this recent bash vulnerability interesting and worth investigating, as it is simple to test for and has a plethora of vectors through which it could be exploited. I have read many media reports on it, and unfortunately some of their layman’s terms are inaccurate or do not give the full picture. The purpose of this post is to serve as a reference for myself and for anybody who needs a starting point on where to look. For an in-depth look I would recommend Troy Hunt’s post. For a quick technical reference, read on…

What’s Affected?

Most operating systems that ship bash. That includes Apple OS X, Linux and Unix systems running any bash release up to and including 4.3. Note that distributions such as Red Hat and CentOS backport the fix without changing the version number, so a patched system can still report an affected version; check the package release, not just the version (see the rpm query below).

What is the exploit?

The original bash vulnerability is covered in CVE-2014-6271: bash imports function definitions from environment variables, and a vulnerable version keeps parsing and executing whatever follows the function body.

A second flaw, CVE-2014-7169, was found because the first patch was incomplete. It was reported as less severe, and some early commentary suggested it could not be triggered remotely; in practice it is reachable through the same environment-variable vectors as the first flaw, so treat it as equally urgent. The latest patches for bash cover it along with several further, less serious, parser flaws.

How to tell which version of bash you are running on a Linux system?

bash --version

The CentOS 6.5 server in the screenshot reports bash 4.1.2. That number alone does not tell you whether it is vulnerable: Red Hat backports security fixes, so the version stays 4.1.2 before and after patching and only the package release changes.

To check exactly which version and release of the bash package is installed, together with its installation date, use:

rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} (%{INSTALLTIME:date})\n' | grep bash

Compare the vulnerable package (release last updated in January 2014) with the patched one: both report version 4.1.2, so it is the release number and the installation date that distinguish them.

How to test for the flaw?

There are various methods to see if your system is still vulnerable, but the easiest for the 6271 flaw is:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

On a vulnerable system the payload runs first, so you see the word vulnerable followed by this is a test.

If your system is patched, bash refuses to import the function definition and prints warnings on stderr (ignoring function definition attempt, then error importing function definition for x); the only thing the command itself prints is this is a test.

Testing the 7169 flaw:

cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

On a vulnerable system the unterminated redirection in the function body is left behind in the parser’s state, so the following command is parsed as >echo date rather than echo date: bash runs date and writes its output to /tmp/echo, which the trailing cat then displays. This is why the test removes /tmp/echo first.

If your system is patched, bash reports a syntax error while importing x, echo date prints the literal word date, and cat reports that /tmp/echo does not exist.
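The two one-liners above are fine at a prompt, but for scripting or a fleet-wide audit you want a test that returns a status rather than output you have to read. The following is an added example, not part of the original post: it wraps both tests in functions that return 0 when bash is not vulnerable and 1 when it is, and runs the second test in a private temporary directory instead of /tmp so a stray file named echo cannot produce a false positive.

```shell
#!/bin/sh
# Added example, not from the original post: the two one-line Shellshock
# tests wrapped as functions that return 0 when bash is NOT vulnerable and
# 1 when it is, so the result can drive a script or an audit.

# CVE-2014-6271: a vulnerable bash executes the command that follows the
# function body while importing x from the environment.
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;   # payload ran: vulnerable
        *)            return 0 ;;   # only the intended echo ran: patched
    esac
}

# CVE-2014-7169: the unterminated redirection in x leaks into the parser, so
# "echo date" runs as ">echo date" and creates a file named echo in the
# current directory. A fresh temp dir avoids leftovers in /tmp.
check_cve_2014_7169() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env 'x=() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then rc=1; else rc=0; fi
    rm -rf "$dir"
    return "$rc"
}

# Human-readable summary, including the bash version actually being tested.
shellshock_report() {
    printf 'bash version: %s\n' "$(bash -c 'echo "$BASH_VERSION"')"
    if check_cve_2014_6271; then echo "CVE-2014-6271: not vulnerable"; else echo "CVE-2014-6271: VULNERABLE"; fi
    if check_cve_2014_7169; then echo "CVE-2014-7169: not vulnerable"; else echo "CVE-2014-7169: VULNERABLE"; fi
}

shellshock_report
```

Save it as a script and run it with sh on each host; the exit codes of the two check functions can be fed straight into your configuration management or monitoring.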

Remote Execution and Exploit Vectors

This is the critical part of the flaw to understand. The danger is not that a user who already has a shell can trigger it; it is that any program which places attacker-controlled data into an environment variable and then runs bash (directly, via /bin/sh where that is bash, or through system() or popen()) becomes a remote code execution path. The most widely exposed case is an HTTP request to a CGI script: web servers running cPanel, contact forms, e-commerce back ends and the like are the most likely targets. Here are a few vectors you should be aware of:

  • HTTP / CGI: the web server exports request headers such as User-Agent, Referer and Cookie as HTTP_* environment variables before running a CGI program, so a header value beginning () { :;}; is executed by any CGI script written in bash, or one that spawns a shell, with the web server’s privileges.
  • Mail servers: qmail appears to be the most affected, because .qmail delivery instructions are run through the shell with envelope data such as the sender address exported in the environment; other mail systems that hand message data to bash may be vulnerable too.
  • DHCP: dhclient exports option values received from the DHCP server as environment variables for dhclient-script, which runs under bash on many Linux distributions, so a rogue DHCP server on the local network can exploit the client. Treat all dhclient configurations as vulnerable until bash is patched.
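Because the CGI vector carries the payload in an ordinary request header, it is recorded verbatim in the web server’s access log, which makes retrospective detection straightforward. The following is an added example and not part of the original post: it scans Apache combined-format log lines for the () { function-definition marker that every Shellshock payload must contain, and lists the source addresses that sent one. The four log lines are constructed samples, not real traffic.

```shell
#!/bin/sh
# Added example, not from the original post: detect Shellshock probes in a
# web server access log. The web server copies request headers into the CGI
# environment, so the attacker's payload appears verbatim in the log, most
# often in the User-Agent or Referer field. The lines below are constructed
# samples in Apache combined format, not real traffic.

SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [29/Sep/2014:10:01:22 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"id\""
198.51.100.4 - - [29/Sep/2014:10:01:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Sep/2014:10:02:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 17 "(){ :;}; echo vulnerable" "curl/7.30.0"
192.0.2.55 - - [29/Sep/2014:10:03:44 +0000] "POST /contact.cgi HTTP/1.1" 200 88 "-" "Wget/1.15 (linux-gnu)"
EOF
)

# Read log lines on stdin and print those carrying a bash function definition
# marker, with or without the space ("() {" or "(){"). Bash keys on exactly
# this prefix when importing a function, so it must be present for the
# exploit to work, whichever header carries it.
find_shellshock_probes() {
    grep -e '() {' -e '(){'
}

# Number of matching lines in the constructed sample.
count_sample_probes() {
    printf '%s\n' "$SAMPLE_LOG" | find_shellshock_probes | wc -l | tr -d ' '
}

# Source addresses (first field) that sent a probe, de-duplicated.
probe_sources() {
    find_shellshock_probes | cut -d' ' -f1 | sort -u
}

echo "probes in sample: $(count_sample_probes)"
printf '%s\n' "$SAMPLE_LOG" | probe_sources
```

Against a real log, run find_shellshock_probes < /var/log/httpd/access_log (or the equivalent for your server). A hit only tells you a probe was attempted, not that it succeeded, so pair it with the bash check and with a look at what the web server user executed around that time.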

VMware

The latest information on any affected VMware products can be found here.

Apply your Updates!

It goes without saying that you should patch your systems regularly, and for this flaw immediately. Be mindful that the early bash patches closed the specific parser bugs rather than the underlying design problem (bash importing function definitions from arbitrary environment variables), so further fixes are likely. Re-run the tests above after every bash update and keep an eye on your distribution’s advisories.