shellshock

All posts tagged shellshock

I was able to use the bash shellshock vulnerability last week to manually find a vulnerability in a web server through the HTTP User-agent. If you can do something manually there is a good chance that it can be done programmatically. This python program is an extension of that belief.

This program has three simple parts: an ICMP network listener, a urllib2 HTTP request generator, and a simple parser that displays the results. Why ICMP? 5 ping packets generated from a vulnerable server should not be a huge burden. Isn’t urllib2 pretty dated? It really is, but it ignores SSL certificate issues so I didn’t have to handle HTTPS requests differently from the HTTP requests.

This isn’t weaponized at all, while it can be weaponized pretty easily that is up to you and we don’t recommend testing this on an address that you aren’t authorized to use. Metasploitable2 has a shellshock User-agent vulnerability if you want to test this on a controlled network.

Usage – python shellshockUAScanner.py -r <CIDR range> -t <number of threads *default is 16> -i <interface *default is eth0>

shellshockUAScanner – source code

I was on an assessment this week just second checking some scanner results and I ran across an interesting page (Figure 1).

cgi-bin in URL

Figure 1: cgi-bin in URL

I saw the cgi-bin and thought that it might be worth giving it a second look for shellshock. Shellshock is the awesome brand name for CVE-2014-6271 which is a GNU Bash vulnerability. The client had placed significant restrictions on actual exploitation on the network; this was truly a vulnerability assessment with validation instead of a penetration test. The first thing I needed to do was see if the web server might be running on a vulnerable OS so I did a simple Nmap scan (Figure 2).

Nmap results for web server

Figure 2: Nmap results for web server

Now I had a potentially vulnerable OS and application vector to attack so I fired up Burp Suite and captured a request to the application (Figure 3).

Request to R2 web application

Figure 3: Request to R2 web application

Knowing that I couldn’t due a Bash one-liner or upload any code to the system due to the restrictions I decided to start a tcpdump session looking for traffic from the remote host tcpdump host 192.168.14.61 (Figure 5) and modified the User-Agent string ( ) { :; }; /bin/bash “ping 192.168.30.54 -c 10” before forwarding the request on.

Shellshocking the User-Agent

Figure 4: Shellshocking the User-Agent

tcpdump filtered for vulnerable host

Figure 5: tcpdump filtered for vulnerable host

Look at all those glorious packets! Just a reminder that *nix systems will ping until cancelled so the -c 10 option instructed it to only send 10 instead of pinging until the end of time. If this was a true penetration test instead of sending a ping command I would have used a bash one-liner to get an interactive shell. This was my first in the wild shellshock so it was still pretty fun.