I was on an assessment this week just second checking some scanner results and I ran across an interesting page (Figure 1).
Figure 1: cgi-bin in URL
I saw the cgi-bin and thought that it might be worth giving it a second look for shellshock. Shellshock is the awesome brand name for CVE-2014-6271 which is a GNU Bash vulnerability. The client had placed significant restrictions on actual exploitation on the network; this was truly a vulnerability assessment with validation instead of a penetration test. The first thing I needed to do was see if the web server might be running on a vulnerable OS so I did a simple Nmap scan (Figure 2).
Figure 2: Nmap results for web server
Now I had a potentially vulnerable OS and application vector to attack so I fired up Burp Suite and captured a request to the application (Figure 3).
Figure 3: Request to R2 web application
Knowing that I couldn’t due a Bash one-liner or upload any code to the system due to the restrictions I decided to start a tcpdump session looking for traffic from the remote host tcpdump host 192.168.14.61 (Figure 5) and modified the User-Agent string ( ) { :; }; /bin/bash “ping 192.168.30.54 -c 10” before forwarding the request on.
Figure 4: Shellshocking the User-Agent
Figure 5: tcpdump filtered for vulnerable host
Look at all those glorious packets! Just a reminder that *nix systems will ping until cancelled so the -c 10 option instructed it to only send 10 instead of pinging until the end of time. If this was a true penetration test instead of sending a ping command I would have used a bash one-liner to get an interactive shell. This was my first in the wild shellshock so it was still pretty fun.