Shellshock is a set of vulnerabilities in the GNU Bash implementation caused by incomplete patches after the official release of the fix and public disclosure of the vulnerability. There were 5 failed attempts in total to fix the Shellshock bugs before they were finally patched in version bash43-027, released on October 1, 2014.
Some of these vulnerabilities were exploited in the wild before the patch, which makes them zero-days. These vulnerabilities are covered under the following CVEs:
CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
Given the nature of the vulnerabilities and attack vectors, we have decided to cover these vulnerabilities under one description and count them as one zero-day vulnerability.
Vulnerability details
Advisory: SB2014091201 - Multiple RCE vulnerabilities in GNU Bash aka Shellshock
Vulnerable component: Bash
CVE-ID: CVE-2014-6271
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-77 - Command injection
Description:
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists due to incorrect parsing of environment variables. A remote attacker can execute arbitrary code on the target system as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
Successful exploitation may allow an attacker to gain complete control over the vulnerable system.
Exploitation example:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Note: this vulnerability was being actively exploited in the wild.
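Detection example (added here, not part of the original advisory): the test string above starts with the function-definition prefix "() {", so web access logs can be searched for that marker in request fields that mod_cgi passes to scripts as environment variables. The log lines, function names and whitespace-tolerant pattern are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: flag access-log lines that carry the Bash
# function-definition prefix "() {" in a request field.

# Constructed sample lines in Apache combined log format (not real traffic).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 31 "-" "() { :;}; echo vulnerable"
192.0.2.44 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 31 "() { :;}; echo vulnerable" "curl/7.30"
198.51.100.7 - - [25/Sep/2014:10:02:00 +0000] "GET /docs/func() HTTP/1.1" 404 0 "-" "Mozilla/5.0"
EOF
}

# Read log lines on stdin; print "client_ip<TAB>request_path" for each
# line containing the marker. Allowing any whitespace between "()" and
# "{" is a detection heuristic chosen for this example (assumption).
shellshock_hits() {
  grep -E '\(\)[[:space:]]*\{' | awk '{ print $1 "\t" $7 }'
}

# Summarise suspicious lines per client as "ip count", highest count first.
shellshock_by_client() {
  shellshock_hits | cut -f1 | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Return 0 if a single environment-style value begins with "() {".
# Usable as a filter before handing untrusted values to a Bash child
# across a privilege boundary.
is_function_prefix() {
  case "$1" in
    '() {'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run the summary over the constructed sample.
sample_log | shellshock_by_client
```

A hit only shows that a request carried the marker; whether the host was affected depends on the installed Bash version and on whether the requested script invokes Bash.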
Public Exploits:
- RedStar 3.0 Server - 'BEAM & RSSMON' Command Execution (Shellshock) [Exploit-DB]
- TrendMicro InterScan Web Security Virtual Appliance - Remote Code Execution (Shellshock) [Exploit-DB]
- IPFire - Bash Environment Variable Injection (Shellshock) (Metasploit) [Exploit-DB]
- Advantech Switch - Bash Environment Variable Code Injection (Shellshock) (Metasploit) [Exploit-DB]
- Cisco Unified Communications Manager - Multiple Vulnerabilities [Exploit-DB]
- Kemp Load Master 7.1.16 - Multiple Vulnerabilities [Exploit-DB]
- QNAP - Admin Shell via Bash Environment Variable Code Injection (Metasploit) [Exploit-DB]
- QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection (Metasploit) [Exploit-DB]
- PHP < 5.6.2 - Bypass disable_functions Exploit (Shellshock) [Exploit-DB]
- CUPS Filter - Bash Environment Variable Code Injection (Metasploit) [Exploit-DB]
- Bash CGI - Remote Code Execution (Shellshock) (Metasploit) [Exploit-DB]
- Postfix SMTP 4.2.x < 4.2.48 - Remote Exploit (Shellshock) [Exploit-DB]
- Apache mod_cgi - Remote Exploit (Shellshock) [Exploit-DB]
- OpenVPN 2.2.29 - Remote Exploit (Shellshock) [Exploit-DB]
- GNU bash 4.3.11 - Environment Variable dhclient Exploit [Exploit-DB]
- Pure-FTPd - External Authentication Bash Environment Variable Code Injection (Metasploit) [Exploit-DB]
- IPFire - Cgi Web Interface Authenticated Bash Environment Variable Code Injection [Exploit-DB]
- GNU Bash - Environment Variable Command Injection (Shellshock) [Exploit-DB]
- Bash - Environment Variables Code Injection (Shellshock) [Exploit-DB]
- GNU Bash - Environment Variable Command Injection (Metasploit) [Exploit-DB]
- Qmail SMTP - Bash Environment Variable Injection (Metasploit) [Exploit-DB]
- Qmail SMTP 1.03 - Bash Environment Variable Injection [Exploit-DB]
External links:
http://lcamtuf.blogspot.cz/2014/09/quick-notes-about-bash-bug-its-impact.html
http://unix.stackexchange.com/questions/157381/when-was-the-shellshock-cve-2014-6271-7169-bug-introd...
http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-shellshock-and-ho...
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/6033/bash-vulnerability-shellsh...
https://www.tripwire.com/state-of-security/off-topic/shell-shocked-bash-bug-detection-tools-cve-2014...
http://security.stackexchange.com/questions/100388/avast-performing-an-attack
http://community.ispyconnect.com/ispybb2/viewtopic.php?t=1360
https://securelist.com/blog/research/66673/bash-cve-2014-6271-vulnerability-qa-2/
http://resources.infosecinstitute.com/bash-bug-cve-2014-6271-critical-vulnerability-scaring-internet...
https://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
https://www.alienvault.com/blogs/labs-research/attackers-exploiting-shell-shock-cve-2014-6271-in-the...