
18. Attacking CGI Applications: Shellshock

1. Vulnerability Overview

CVE-2014-6271 - Shellshock

  • Description: A critical vulnerability in Bash that allows arbitrary command execution through manipulated environment variables.

  • Cause: Bash versions up to 4.3 improperly parse function definitions passed in environment variables, executing any commands that follow the definition.

  • Impact: Remote code execution in the context of the web server user, typically via CGI scripts, because the server exports request headers as environment variables for the script.
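As an added example (not part of the original notes), a small Python detector that flags the Shellshock function-definition prefix in the Referer and User-Agent fields of Apache combined-format access logs. The log lines are constructed for the demonstration; the IPs and the access.cgi path are placeholders.

```python
import re
from typing import List, Tuple

# Bash's vulnerable parser treated any environment variable whose value began
# with "() {" as a function definition and ran whatever followed the closing
# brace. \s* tolerates the whitespace variants seen in scanner traffic.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Combined log format quotes three fields: request line, Referer, User-Agent.
# Referer and User-Agent become HTTP_REFERER and HTTP_USER_AGENT in the CGI
# environment, which is exactly where the payload is evaluated.
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
FIELD_NAMES = ("request", "referer", "user_agent")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [24/Sep/2014:12:00:01 +0000] "GET /cgi-bin/access.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo Shellshock-probe"
192.0.2.11 - - [24/Sep/2014:12:00:02 +0000] "GET /cgi-bin/access.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.12 - - [24/Sep/2014:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "() { ignored;}; echo" "curl/7.38.0"
"""


def find_shellshock_attempts(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, header_field, value) for each Referer or User-Agent
    value that starts a Bash function definition."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client_ip = line.split(" ", 1)[0]
        fields = QUOTED_RE.findall(line)
        for name, value in zip(FIELD_NAMES, fields):
            if name == "request":
                continue  # the request line is URL-encoded; "() {" cannot reach Bash intact from it
            if SHELLSHOCK_RE.search(value):
                hits.append((client_ip, name, value))
    return hits


if __name__ == "__main__":
    for ip, field, value in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{ip}\t{field}\t{value}")
```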


2. Enumeration

Discover CGI Scripts (Gobuster)

Identify potential vulnerable scripts in the /cgi-bin/ directory.

gobuster dir -u http://10.129.204.231/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -x cgi

Verify CGI Script Accessibility (cURL)

Check for an active CGI script that could be vulnerable.

curl -i http://10.129.204.231/cgi-bin/access.cgi

3. Exploitation

Confirm Vulnerability (cURL)

Inject a malicious function definition into the User-Agent header to read the /etc/passwd file.

Execute a Reverse Shell (cURL)

Inject a reverse shell payload into the User-Agent header.

Set Up a Netcat Listener

Prepare to catch the reverse shell on port 7777.


4. Mitigation

Update Bash

Upgrade to a patched Bash version to close the vulnerability.

Firewalling

Restrict external access to CGI scripts via firewall rules.

Decommission Vulnerable Hosts

If possible, remove or replace outdated systems running vulnerable Bash versions.


5. Key Takeaways

  • Shellshock is exploited via environment variables, often targeting CGI scripts.

  • The User-Agent header is a common attack vector for injecting payloads.

  • Updating Bash is the best way to mitigate the vulnerability.

  • Always test only with explicit permission.

  • Replace IP addresses and ports with target-specific information.


6. Commands Summary
