
Friday 26 September 2014

Shellshock (CVE-2014-6721)


A new vulnerability affecting Bash (CVE-2014-6721) was published two days ago. Just as we saw with Heartbleed, social networks have gone into a frenzy over this (it's not a proper vulnerability without a logo, right? :)). The vulnerability allows attackers to perform remote code execution.

It affects Bash, the default command shell for Linux/Unix systems. The vulnerability occurs because bash does not stop after processing a function definition stored in an environment variable; it continues to parse and execute any shell commands that follow the function definition. The function definition is "() { :; };" and, let's say, the malicious shell command appended to it is "echo; /bin/cat /etc/passwd". When bash imports that variable, the function is defined and the trailing command is executed as well.

From a web application point of view, applications running on the Apache HTTP server using the mod_cgi and mod_cgid modules are vulnerable, because CGI passes request data to the script through environment variables. According to the Seclists advisory:

A typical HTTP request looks like this: 
GET /path?query-param-name=query-param-value HTTP/1.1 
Host: www.example.com 
Custom: custom-header-value

The CGI specification maps all parts to environment variables. With Apache httpd, the magic string “() {” can appear in these places: 
* Host (“www.example.com”, as REMOTE_HOST) 
* Header value (“custom-header-value”, as HTTP_CUSTOM in this example) 
* Server protocol (“HTTP/1.1”, as SERVER_PROTOCOL)

In addition, with other CGI implementations, the request method (“GET”), path (“/path”) and query string (“query-param-name=query-param-value”) may be vectors, and it is conceivable for “query-param-value” as well, and perhaps even “query-param-name”.
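To make the header-to-environment mapping in the advisory concrete, here is an added example (not from the original post or the advisory) that builds the CGI environment an Apache script would see from a raw request and reports which variables carry the "() {" magic string. The Host-to-REMOTE_HOST mapping follows the advisory text above and is an assumption of this example; the sample request is constructed.

```python
import re

# An unpatched bash treats a value beginning with "() {" as an exported
# function definition and keeps executing whatever follows the closing brace.
MAGIC = re.compile(r"\(\)\s*\{")


def cgi_env_from_request(raw: str) -> dict:
    """Map a raw HTTP request onto the CGI (RFC 3875) environment variables
    a mod_cgi script receives. Constructed for illustration; REMOTE_HOST is
    taken from the Host header here, as the advisory quoted above describes."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, proto = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    env = {
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": path,
        "QUERY_STRING": query,
        "SERVER_PROTOCOL": proto,
    }
    # Every request header becomes HTTP_<NAME>, dashes replaced by underscores.
    for line in lines[1:]:
        name, _, value = line.partition(":")
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    if "HTTP_HOST" in env:
        env["REMOTE_HOST"] = env["HTTP_HOST"]   # assumption, per the advisory text
    return env


def find_shellshock_vectors(env: dict) -> list:
    """Return the names of variables whose value an unpatched bash would parse
    as a function definition followed by further commands."""
    return sorted(name for name, value in env.items() if MAGIC.search(value))


# Constructed sample: the User-Agent header carries the magic string followed
# by a deliberately harmless command.
SAMPLE = (
    "GET /cgi-bin/status.cgi?id=42 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: () { :; }; echo probe\r\n"
    "Custom: custom-header-value\r\n\r\n"
)

if __name__ == "__main__":
    print(find_shellshock_vectors(cgi_env_from_request(SAMPLE)))  # ['HTTP_USER_AGENT']
```

The same check can be pointed at a web server's own environment or at request logs to flag which variable a suspicious request would have landed in.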
 

To demonstrate this, we have a vulnerable page hosted on an Apache server.


We then use an intercepting proxy, e.g. Burp Suite, to trap the request. We can then inject our code into one of the headers; I have used the User-Agent here.

If the page is vulnerable (we know it is), then the passwd file will be returned.


We can only watch now to see the possibilities for this bug ;).

Information referenced from Troy Hunt's blog.