Zero-day vulnerability in Bash

Command injection
CVE-2014-6271

Shellshock is a variety of vulnerabilities in GNU Bash implementation caused by incomplete patches after official release of the fix and public disclosure of the vulnerability. There were 5 failed attempts in total to fix this Shellshock bugs until it was finally patched in version bash43-027, released on October 1, 2014.

Some of these vulnerabilities were exploited in the wild before the patch, which makes them zero-days. These vulnerabilities are covered under the following CVEs:

CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

Giving the nature of the vulnerabilities and attack vectors we have decided to cover these vulnerabilities under one description and count them as one zero-day vulnerability.

Vulnerability details

Advisory: SB2014091201 - Multiple RCE vulnerabilities in GNU Bash aka Shellshock

Vulnerable component: Bash

CVE-ID: CVE-2014-6271

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-77 - Command injection

Description:

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to incorrect parsing of environment variables. A remote attacker can execute arbitrary code on the target system as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Successful exploitation may allow an attacker to gain complete control over vulnerable system.

Exploitation example:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Note: this vulnerability was being actively exploited in the wild.

Public Exploits:

- QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection (Metasploit) [Exploit-DB]

- Qmail SMTP 1.03 - Bash Environment Variable Injection [Exploit-DB]

- QNAP - Admin Shell via Bash Environment Variable Code Injection (Metasploit) [Exploit-DB]

- Bash - Environment Variables Code Injection (Shellshock) [Exploit-DB]

- CUPS Filter - Bash Environment Variable Code Injection (Metasploit) [Exploit-DB]

- Advantech Switch - Bash Environment Variable Code Injection (Shellshock) (Metasploit) [Exploit-DB]

- Pure-FTPd - External Authentication Bash Environment Variable Code Injection (Metasploit) [Exploit-DB]

- Kemp Load Master 7.1.16 - Multiple Vulnerabilities [Exploit-DB]

- PHP < 5.6.2 - Bypass disable_functions Exploit (Shellshock) [Exploit-DB]

- Cisco Unified Communications Manager - Multiple Vulnerabilities [Exploit-DB]

- RedStar 3.0 Server - 'BEAM & RSSMON' Command Execution (Shellshock) [Exploit-DB]

- Bash CGI - Remote Code Execution (Shellshock) (Metasploit) [Exploit-DB]

- GNU Bash - Environment Variable Command Injection (Shellshock) [Exploit-DB]

- OpenVPN 2.2.29 - Remote Exploit (Shellshock) [Exploit-DB]

- IPFire - Bash Environment Variable Injection (Shellshock) (Metasploit) [Exploit-DB]

- Apache mod_cgi - Remote Exploit (Shellshock) [Exploit-DB]

- TrendMicro InterScan Web Security Virtual Appliance - Remote Code Execution (Shellshock) [Exploit-DB]

- Qmail SMTP - Bash Environment Variable Injection (Metasploit) [Exploit-DB]

- GNU Bash - Environment Variable Command Injection (Metasploit) [Exploit-DB]

- Postfix SMTP 4.2.x < 4.2.48 - Remote Exploit (Shellshock) [Exploit-DB]

- IPFire - Cgi Web Interface Authenticated Bash Environment Variable Code Injection [Exploit-DB]

- GNU bash 4.3.11 - Environment Variable dhclient Exploit [Exploit-DB]

External links:

http://lcamtuf.blogspot.cz/2014/09/quick-notes-about-bash-bug-its-impact.html
http://unix.stackexchange.com/questions/157381/when-was-the-shellshock-cve-2014-6271-7169-bug-introd...
http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-shellshock-and-ho...
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/6033/bash-vulnerability-shellsh...
https://www.tripwire.com/state-of-security/off-topic/shell-shocked-bash-bug-detection-tools-cve-2014...
http://security.stackexchange.com/questions/100388/avast-performing-an-attack
http://community.ispyconnect.com/ispybb2/viewtopic.php?t=1360
https://securelist.com/blog/research/66673/bash-cve-2014-6271-vulnerability-qa-2/
http://resources.infosecinstitute.com/bash-bug-cve-2014-6271-critical-vulnerability-scaring-internet...
https://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
https://www.alienvault.com/blogs/labs-research/attackers-exploiting-shell-shock-cve-2014-6271-in-the...

About zero-day vulnerabilities

Zero-day vulnerability is an undisclosed vulnerability in software that hackers can exploit to compromise computer programs, gain unauthorized access to sensitive data, penetrate networks, etc. We consider vulnerability a zero-day when there is no solution provided from software vendor and the vulnerability is being actively exploited by malicious actors.

Zero-day candidate is a potential zero-day vulnerability in software which might have been used in targeted attacks, however there is no evidence to support this suggestion.