Thursday, September 25, 2014

Bash-Bug Penetration Testing - Anatomy of Shellshock

A new security vulnerability known as the Bash or Shellshock bug could spell disaster for major digital companies, small-scale Web hosts and even Internet-connected devices.

The quarter-century-old security flaw allows malicious code execution within the bash shell (commonly accessed through Command Prompt on PC or Mac's Terminal application) to take over an operating system and access confidential information.

A post from open-source software company Red Hat warned that "it is common for a lot of programs to run Bash shell in the background," and the bug is "triggered" when extra code is added within the lines of Bash code.

Security expert Robert Graham has warned that the Bash bug is bigger than Heartbleed because "the bug interacts with other software in unexpected ways" and because an "enormous percentage" of software interacts with the shell.

"We'll never be able to catalogue all the software out there that is vulnerable to the Bash bug," Graham said. "While the known systems (like your Web server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable."

Practical Demonstration
For practical demonstration I am using vulnerable ISO file which is purposly made vulnerable in order to test this. you can download it from

Step 1: Run ISO in vamware.
Step 2 : you will be landed on /home/pentesterlab page as shown in below screenshot.
Step 3: Now to run a vulnerable application we need an IP of this server. One can find that by giving ifconfig command here as shown in below pic.

Step 4: Observe in the screenshot that I am not only accessing web application in the web browser from outside Vmware(my windows 8 box) but also capturing request in burp suite.

Step 5: I am forwarding this request as this does not contain and cgi script. So next request it is capturing is as follows.

Here is the vulnerable CGI script named status. Currently in that some system level code is written which just displays server uptime and other information.

Step 6: Now we will inject arbitrary code in user agent header. This command will create a file on web server in particular folder named pentesterlab. The content of the file will be text and it will be "This is bash BUG testing."

Result : Since web browser can not interpret the command execution on server side, this will only show the result which was coded in to status CGI file normal server uptime and other kernal related information.

In order to verify our exploitation lets go to the server's pentesterlab directory. Observe in the below screenshot that file has created successfully on server.

Not only that, but also the content of the file has been the exactly same as given at the client side.

Thus how this vulnerability affects bash. For the knowledge, I am using below version of bash as shown in below picture.

This bug does not only affect http cgi scripts but also affects to all below things.

httpd CGI scripts are likely affected by this issue: when a CGI script is run by the web server, it uses environment variables to pass data to the script. These environment variables can be controlled by the attacker. If the CGI script calls Bash, the script could execute arbitrary code as the httpd user. mod_php, mod_perl, and mod_python do not use environment variables and we believe they are not affected.
Secure Shell (SSH) It is not uncommon to restrict remote commands that a user can run via SSH, such as rsync or git. In these instances, this issue can be used to execute any command, not just the restricted command.
dhclient The Dynamic Host Configuration Protocol Client (dhclient) is used to automatically obtain network configuration information via DHCP. This client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the client machine.
CUPS It is believed that CUPS is affected by this issue. Various user supplied values are stored in environment variables when cups filters are executed.
sudo Commands run via sudo are not affected by this issue. Sudo specifically looks for environment variables that are also functions. It could still be possible for the running command to set an environment variable that could cause a Bash child process to execute arbitrary code.
Firefox We do not believe Firefox can be forced to set an environment variable in a manner that would allow Bash to run arbitrary commands. It is still advisable to upgrade Bash as it is common to install various plug-ins and extensions that could allow this behavior.
Postfix The Postfix server will replace various characters with a ?. While the Postfix server does call Bash in a variety of ways, we do not believe an arbitrary environment variable can be set by the server. It is however possible that a filter could set environment variables.

Solution : Patches are already availalbe on this below link:


No comments: