Shellshock Simple User-Agent Exploit

I was on an assessment this week just double-checking some scanner results, and I ran across an interesting page (Figure 1).

Figure 1: cgi-bin in URL

I saw the cgi-bin and thought it might be worth giving it a second look for Shellshock. Shellshock is the awesome brand name for CVE-2014-6271, a GNU Bash vulnerability. The client had placed significant restrictions on actual exploitation on the network; this was truly a vulnerability assessment with validation instead of a penetration test. The first thing I needed to do was see whether the web server might be running on a vulnerable OS, so I did a simple Nmap scan (Figure 2).

Figure 2: Nmap results for web server

Now I had a potentially vulnerable OS and application vector to attack, so I fired up Burp Suite and captured a request to the application (Figure 3).

Figure 3: Request to R2 web application

Knowing that I couldn't do a Bash one-liner or upload any code to the system due to the restrictions, I decided to start a tcpdump session looking for traffic from the remote host (tcpdump host 192.168.14.61, Figure 5) and modified the User-Agent string to () { :; }; /bin/bash "ping 192.168.30.54 -c 10" before forwarding the request on (Figure 4).

Figure 4: Shellshocking the User-Agent

Figure 5: tcpdump filtered for vulnerable host

Look at all those glorious packets! Just a reminder that *nix systems will ping until cancelled, so the -c 10 option instructed it to send only 10 instead of pinging until the end of time. If this had been a true penetration test, instead of sending a ping command I would have used a Bash one-liner to get an interactive shell. This was my first in-the-wild Shellshock, so it was still pretty fun.
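For the blue-team side of the same request, here is an added example that is not part of the original post: a small Python script that parses either a raw HTTP request or Apache/nginx "combined" access log lines and flags any header value beginning with the "() {" prefix that unpatched Bash treated as a function definition imported from the environment. Because a CGI handler exports every request header as an HTTP_* environment variable, the check covers all headers rather than only User-Agent, and it URL-decodes the request line so an encoded payload in a query string is not missed. The sample request and log lines are constructed for this example (reusing the addresses from the post), and the function names are my own, not from any tool mentioned above.

```python
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import unquote

# Bash before the CVE-2014-6271 fix imported any environment variable whose
# value began with "() {" as a function definition and kept parsing past the
# closing brace, executing whatever followed. Detection keys on that prefix,
# tolerating the whitespace variations seen in scanner and exploit traffic.
SHELLSHOCK_PATTERN = re.compile(r"\(\s*\)\s*\{")

# A quoted log field that may contain \" escapes (Apache escapes embedded
# quotes this way, and the payload in this post contains double quotes).
_QUOTED = r'(?:[^"\\]|\\.)*'

# Apache/nginx combined format:
# ip ident user [timestamp] "request" status size "referer" "user-agent"
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>' + _QUOTED + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>' + _QUOTED + r')" '
    r'"(?P<ua>' + _QUOTED + r')"$'
)

# Constructed sample: the request from this post as it would appear on the wire.
SAMPLE_REQUEST = (
    "GET /cgi-bin/status.cgi HTTP/1.1\r\n"
    "Host: 192.168.14.61\r\n"
    'User-Agent: () { :; }; /bin/bash "ping 192.168.30.54 -c 10"\r\n'
    "Accept: */*\r\n"
    "\r\n"
)

# Constructed sample access log lines (timestamps and paths are made up).
SAMPLE_LOG = [
    '192.168.30.54 - - [01/Jan/2015:13:55:36 -0500] "GET /cgi-bin/status.cgi HTTP/1.1" '
    '200 512 "-" "() { :; }; /bin/bash \\"ping 192.168.30.54 -c 10\\""',
    '10.0.0.7 - - [01/Jan/2015:13:56:01 -0500] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [01/Jan/2015:13:57:12 -0500] "GET /cgi-bin/status.cgi HTTP/1.1" '
    '200 512 "() { :;}; echo vulnerable" "curl/7.38.0"',
]


def flag_request_headers(raw_request: str) -> List[Tuple[str, str]]:
    """Return (header-name, value) pairs of a raw HTTP request that carry the prefix."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    header_lines = re.split(r"\r?\n", head)
    hits: List[Tuple[str, str]] = []
    for line in header_lines[1:]:  # skip the request line itself
        name, sep, value = line.partition(":")
        if sep and SHELLSHOCK_PATTERN.search(value):
            hits.append((name.strip(), value.strip()))
    return hits


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per log field (request, referer, ua) matching the prefix."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        match = COMBINED_LOG.match(line)
        if match is None:
            continue  # a real pipeline would count unparseable lines separately
        for field in ("request", "referer", "ua"):
            value = match.group(field)
            # Query strings arrive URL-encoded, so decode before matching.
            if field == "request":
                value = unquote(value)
            if SHELLSHOCK_PATTERN.search(value):
                findings.append({"ip": match.group("ip"), "field": field, "value": value})
    return findings


if __name__ == "__main__":
    for name, value in flag_request_headers(SAMPLE_REQUEST):
        print(f"request header {name!r} carries Shellshock prefix: {value}")
    for finding in scan_access_log(SAMPLE_LOG):
        print(f"{finding['ip']} -> {finding['field']}: {finding['value']}")
```

The second sample log line shows why the pattern requires "()" followed by "{" rather than matching on parentheses alone: an ordinary browser User-Agent such as "Mozilla/5.0 (X11; Linux x86_64)" is not flagged, while the Referer-borne variant on the third line is, because the CGI would have exported it as HTTP_REFERER just the same.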
