Hi ! long time since my last post over here, I´ve been busy, but here it is :
Stephane Chazelas discovered a vulnerability related in how environment variables are managed by bash, so if you are able to find a vuln server, like google dorking with some like google:filetype:cgi inurl:cgi-bin, you could easily get shell, escalate privileges, data exfiltration and so on.
There are already a lot of scripts scanning the whole Internet looking for this kind of vuln to get involved in DoS/DDoS attacks, botnet inclusion perl scripts, etc.
His official CVE is CVE-2014-7261, although in the past few days, three vulns have been discovered too, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 y CVE-2014-6277, last by Michael Zalewski, who have not yet disclosed any technical info about it, so be careful.
All these patches have caused developers to write some specific patches that you´re able to download via apt-get on Debian based distros, or yum/yast, OpenBSD, NetBSD and FreeBSD have developed specific C patches in order to avoid this bash enviromental behaviour, but most of sysadmins have to wait bash devs to release subsequent patches.
Solution is easy… keep up to date
To check if your server is vuln, you can carry out these following steps:
– apt-get install git
– git clone https://github.com/hannob/bashcheck/
– cd bashcheck
Also, you can take a deep look at this URL too:
For a PoC, I´ve tested pentesterlab vuln iso that you can download right here, and a NSE script for NMAP :)
Vuln VM looks like this when running:
What bad guys are doing is to inject bash scripts in parameters like Header, User-Agent, referer… etc, download rootkits and whatever you want.. its a shell :)
So for the PoC, I simply run a revshell to demonstrate how dangerous this exploitation could be, although this kind of vulnerabilities are well known, and you can do some research and training in exploit-exercises.com.
When a tcp port is listening, and wondering if netcat could not be available in target, we can create a tcp socket and send it to our attacker machine that way:
So, our tcp socket is being generated and in a few seconds we can see some like that :