As some of you may have heard, a very serious remotely exploitable vulnerability in bash was disclosed today.

A quick summary of the problem: bash does not properly process function definitions, which can be exported like shell variables. This is a bit like a SQL or XSS injection problem: you supply an “end” to your input and keep writing other functions or commands after it, and bash executes them when it imports the variable.

A quick example:

A vulnerable system looks like this:

A patched system looks like this:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

The second check is:

A vulnerable system looks like this:

A patched system looks like this:

This can be exploited remotely via HTTP requests to CGI scripts, but also via SSH: AcceptEnv variables, TERM, and SSH_ORIGINAL_COMMAND overrides. By default, OpenSSH accepts the LANG and LC_* environment variables.

Important about CGIs/HTTP:
There has been a lot of confusion online about how and what you are exploiting via CGI. When you scan a server by IP, you are really only hitting the / (root) path of that server. This check is basically good for two things: discovering vulnerable embedded devices, and finding people who have placed their cgi-bin root on /. The reality is that these are the “quick” targets, but they are not the majority.

An example of a proper CGI exploit would look like this, given that /cgi-bin/index.cgi exists and is written in bash:

Here is the easier way with wget in one line:

In this case, throwing requests at the root path would produce absolutely nothing.
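As an added example (not from the original post), here is defender-side detection logic in Python: it scans constructed Apache combined-format log lines for the bash function-definition marker `() {` in the request fields a CGI server turns into environment variables (User-Agent, Referer and the URL-decoded request path), and then separates blind probes of / from requests aimed at an actual CGI path, as discussed above. All log lines and IP addresses are constructed.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format: ip ident user [ts] "method path proto" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A variable whose value starts with "() {" was imported as a function by unpatched bash.
# Whitespace between the parentheses and the brace is optional, so match it loosely.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Constructed sample log: two probes of "/", one at a real CGI, one URL-encoded in the query string.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Sep/2014:19:01:02 +0000] "GET / HTTP/1.1" 200 612 "-" "() { :;}; echo hit"
203.0.113.5 - - [24/Sep/2014:19:01:03 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 500 0 "() { :; }; echo vulnerable" "Mozilla/5.0"
198.51.100.20 - - [24/Sep/2014:19:02:11 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [24/Sep/2014:19:03:45 +0000] "GET /cgi-bin/status?q=%28%29%20%7B%20%3A%3B%7D%3B%20echo HTTP/1.1" 200 77 "-" "curl/7.37.0"
"""


def find_shellshock_attempts(log_text):
    """Return one record per log line whose User-Agent, Referer or decoded
    request path carries the function-definition marker."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these separately
        fields = {
            "ua": m["ua"],
            "referer": m["referer"],
            # The CGI also exports QUERY_STRING, so check the decoded path/query as well.
            "path": unquote(m["path"]),
        }
        flagged = [name for name, value in fields.items() if SHELLSHOCK_RE.search(value)]
        if flagged:
            hits.append({"ip": m["ip"], "path": m["path"], "fields": flagged})
    return hits


def probe_targets(hits):
    """Split blind probes of "/" from requests aimed at an actual CGI path."""
    root = [h for h in hits if h["path"] == "/"]
    cgi = [h for h in hits if h["path"] != "/"]
    return root, cgi
```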

Also, it’s interesting to note that it looks like there is no way to exploit the second vulnerability via HTTP/CGI.

The CVE for the first one is: It seems like this is a “temporary” patch.

The permanent fix will be released under: Some are referring to this as “shellshock”.

An update on this: the following CVEs also exist: CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278, and they are all grouped under the now catchy “Shellshock” name.

The full and initial details can be found here:

Also, people like Robert have already started scanning for this: (I initially thought this was an elegant way of doing it, but I now think it has a lot of issues; see the “Important about CGIs/HTTP” note above)

Rapid7 wrote an excellent blog post about this: You can see a lot of details about the “panic” effect versus the reality of this vulnerability.

Day of release – Update #1:
At last, it looks like there is already an exploit in the wild:

(note: at this point there are many exploits now — including worms and botnets)

Day of release – Update #2:
It looks like there is a Metasploit module already:

At last — here is a GREAT video summarizing everything from the SANS institute:
