Shellshock Bash Remote Code Execution Vulnerability Explained

Shellshock has been widely exploited by using a worm called wopbot. The primary reason for its popularity is the fact that it targets Unix Bash shell, which is primarily found in most of the Unix/Linux- based web server, server, and network device. According to our experts, this vulnerability is as popular as Heartbleed vulnerability. 

What is the Shellshock Remote Code Execution Vulnerability?

It is a security bug in the Unix Bash shell that causes Bash to execute bash commands from environment variables unintentionally. If this vulnerability is successfully exploited, an attacker can remotely issue commands on the target host, i.e., remote code execution (RCE). Though Bash is not an Internet-facing service, many network and internet services (for example, web servers) use environment variables for communicating with the server’s OS. 
If environment variables not sanitized before execution, an attacker can send commands through HTTP requests and get them executed by the server’s OS. Stephane Chazelas discovered this vulnerability and it was assigned CVE-2014-6271. Tavis Ormandy discovered a bug with identical consequences, and it was assigned CVE-2014-7169. 

Exploiting the Shellshock Vulnerability through HTTP Requests

To start with, the attacker crafts an HTTP request containing the following headers – 
Once the target server receives this HTTP request, it sends a response by sending the content of the /etc/passwd file.  This means that the attacker was able to execute OS commands through a specifically crafted HTTP request. Accordingly, the attacker can similarly use any other command to take over the full control of the target server. 

Checking for the Shellshock Vulnerability

The simplest test to check if your Bash is vulnerable and available publicly.
Upon running the above-given command, the output will be “vulnerable” is your server is running an affected version of Bash. If the patch has been applied for this vulnerability, you will see the following result –  

Impact and Potential IoCs that can be exploited

As it is clear from the above discussion, successful exploitation of this vulnerability results in remote code execution. The following are the indicators that your server can be exploited – 

• GNU Bash up to version 4.3, 
• OpenSSH through ForceCommand, AcceptEnv, SSH_ORIGINAL_COMMAND, and TERM, 
• Scripts executed by DHCP clients that are not specified, 
• Apache HTTP server via themod_cgi and mod_cgid modules, and 
• Other situations wherein setting environment occurs across a privilege boundary from Bash execution.
  

  Recommendations

Depending upon your vendor, you should refer to the following resources for patching this vulnerability immediately –

• RedHat: https://www.debian.org/security/2014/dsa-3032 
• Debian: https://www.debian.org/security/2014/dsa-3032 
• Ubuntu: http://www.ubuntu.com/usn/usn-2362-1/  
• CentOS: http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html  
• Novell/SuSE: http://support.novell.com/security/cve/CVE-2014-6271.html