The Shellshock bug allows someone to remotely execute arbitrary code on systems that uses Bash.

An attacker needs to inject their payload of code into the environment variables of a running process – and this is surprisingly easy to do, via Apache CGI scripts, DHCP options, OpenSSH and so on. When that process or its children invoke Bash, the code is picked up and executed.

The Bash flaw – designated CVE-2014-6271 [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271] – is being exploited in the wild against web servers, which are the most obvious targets but not by any means the only machines at risk.

The issue starts with mod_cgi and how web servers interact with CGI programs (that could be written in Perl, PHP, Shell scripting or any other language). The web server passes (environment) user variables to them so they can do their work. In simple terms, this vulnerability allows an attacker to pass a command as a variable that gets executed by bash.

It means that if you are using mod_cgi on your web server and you have a CGI written in shell script, if you have CGI’s written on any other language, but you are using “system()”, “(backticks)” or executing any commands from the CGI, you are in deep trouble. Drop everything now and patch your servers.

In a few more days we will see real scans and actual attacks attempting to exploit this Shell Shock vulnerability.

Whether these computers are actually vulnerable depends on whether they invoke Bash in an unsafe way. We already know that this is true of many web servers, and it’s believed that other types of network services could also be vulnerable. But it’ll take a while for security experts to audit various pieces of software to check for vulnerabilities.

Finding if you’re vulnerable is easier than previous vulnerabilities. Run this command:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If you are vulnerable it will return:

vulnerable
hello

If not vulnerable it will return:

hello

Below I explained with simple example of remote code execution through vulnerable bash.

I already have a working Apache web server with mod_cgi enabled and with a simple bash script to echo “CGI Bash Bug Example” and size of root filesystem.

cat /usr/lib/cgi-bin/bashbug.sh

displays:

/usr/lib/cgi-bin/bashbug.sh

#!/bin/bash
echo “Content-type: text/html”
echo “”
echo “<html><body>CGI Bash Bug Example</body></html>”
echo `df -h / | grep -v Filesystem`

# Delete the tmp file if is exists from a previous run.
rm -fr /tmp/tmpoutput

curl -k -H ‘User-Agent: () { :;}; echo BugFound>/tmp/tmpoutput’ https://localhost/cgi-bin/bashbug.sh

tail -n1 /var/log/apache2/access.log

ls -l /tmp/tmpoutput