Zero-day vulnerability in Bash

Command injection

Shellshock is a family of vulnerabilities in the GNU Bash implementation caused by incomplete patches issued after the official release of the fix and the public disclosure of the vulnerability. There were 5 failed attempts in total to fix the Shellshock bugs before they were finally patched in version bash43-027, released on October 1, 2014.

Some of these vulnerabilities were exploited in the wild before the patch, which makes them zero-days. These vulnerabilities are covered under the following CVEs:

CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

Given the nature of the vulnerabilities and attack vectors, we have decided to cover these vulnerabilities under one description and count them as one zero-day vulnerability.

Vulnerability details

Advisory: SB2014091201 - Multiple RCE vulnerabilities in GNU Bash aka Shellshock

Vulnerable component: Bash

CVE-ID: CVE-2014-6271

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')


The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to incorrect parsing of environment variables. A remote attacker can execute arbitrary code on the target system as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Successful exploitation may allow an attacker to gain complete control over the vulnerable system.

Exploitation example:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Note: this vulnerability was being actively exploited in the wild.
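A detection-side illustration of the mod_cgi vector described above, added here as an example and not part of the original advisory: it scans Apache combined-format access log lines for the exported-function prefix "() {" that every Shellshock variant relies on. The sample log lines are constructed, not real traffic, and the combined log format and field names are assumptions.

```python
import re

# Every Shellshock variant (CVE-2014-6271, -7169, -6277, -6278, -7186, -7187)
# needs an environment value that starts with Bash's exported-function
# prefix "() {". Matching that prefix, with optional whitespace between the
# tokens, is the simplest high-confidence indicator for the HTTP (CGI) vector,
# because mod_cgi copies request headers verbatim into HTTP_* variables.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Assumed Apache "combined" log format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def scan_access_log(lines):
    """Return (client_ip, request, field) for every combined-format line whose
    Referer or User-Agent carries the "() {" prefix. Lines that do not parse
    are skipped (and counted nowhere) rather than silently treated as clean."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue
        for field in ("referer", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((m.group("ip"), m.group("request"), field))
    return hits


# Constructed sample lines (not real traffic); the probe payload only echoes.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:12:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '198.51.100.7 - - [25/Sep/2014:10:12:04 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() {:;}; echo probe" "curl/7.38.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, req, field in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {field}: {req}")
```

The same regex applies to any other header-derived environment value (for example the Host or Cookie headers); only the log parser is specific to the combined format.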

Public Exploits:

- RedStar 3.0 Server - 'BEAM & RSSMON' Command Execution (Shellshock) [Exploit-DB]

- GNU Bash - Environment Variable Command Injection (Shellshock) [Exploit-DB]

- Bash - Environment Variables Code Injection (Shellshock) [Exploit-DB]

- GNU Bash - Environment Variable Command Injection (Metasploit) [Exploit-DB]

- GNU bash 4.3.11 - Environment Variable dhclient Exploit [Exploit-DB]

- Pure-FTPd - External Authentication Bash Environment Variable Code Injection (Metasploit) [Exploit-DB]

- OpenVPN 2.2.29 - Remote Exploit (Shellshock) [Exploit-DB]

- Postfix SMTP 4.2.x < 4.2.48 - Remote Exploit (Shellshock) [Exploit-DB]

- Apache mod_cgi - Remote Exploit (Shellshock) [Exploit-DB]

- CUPS Filter - Bash Environment Variable Code Injection (Metasploit) [Exploit-DB]

- QNAP - Admin Shell via Bash Environment Variable Code Injection (Metasploit) [Exploit-DB]

- QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection (Metasploit) [Exploit-DB]

- Advantech Switch - Bash Environment Variable Code Injection (Shellshock) (Metasploit) [Exploit-DB]

- IPFire - Bash Environment Variable Injection (Shellshock) (Metasploit) [Exploit-DB]

- TrendMicro InterScan Web Security Virtual Appliance - Remote Code Execution (Shellshock) [Exploit-DB]

- IPFire - Cgi Web Interface Authenticated Bash Environment Variable Code Injection [Exploit-DB]

- Bash CGI - Remote Code Execution (Shellshock) (Metasploit) [Exploit-DB]

- PHP < 5.6.2 - Bypass disable_functions Exploit (Shellshock) [Exploit-DB]

- Kemp Load Master 7.1.16 - Multiple Vulnerabilities [Exploit-DB]

- Cisco Unified Communications Manager - Multiple Vulnerabilities [Exploit-DB]

- Qmail SMTP - Bash Environment Variable Injection (Metasploit) [Exploit-DB]

- Qmail SMTP 1.03 - Bash Environment Variable Injection [Exploit-DB]