
Holey Bash Batman! No Really, It Has Holes (CVE-2014-6271)

UPDATED: 09/26/2014 – 01:14 EST – Added vulnerability validation code

This exploit may have bigger holes than even the Bat Cave. CVE-2014-6271 (credit to Stephane Chazelas for discovery) was publicly announced yesterday, September 24th, and some articles are already calling this bug a larger security hole than the recent Heartbleed SSL vulnerability. This is probably because, on a scale of 1 to 10, it is listed as a 10 for both its impact and its ease of use.

In short, this flaw allows arbitrary code to be executed through shell variables exported to bash. It affects not only bash but SSH and CGI scripts. The slightly good news related to SSH is that the session must be authenticated. The bad news is that it looks like it may not take much to craft sessions that look authenticated. Outside of SSH, the CGI script aspect of this vulnerability is probably the biggest concern, as it will allow an attacker to craft specific HTTP attacks to exploit the system.

Although I've not seen actual validation of this yet, another vector of attack may be via PHP for anyone using php-fcgid (mod_fcgid) or other wrapping tools that push PHP into a CGI type space.

To underline the urgency of updating and patching: Metasploit already has a functional exploit module for this vulnerability, and there is no known workaround. So, at this point (if you haven't already) you should stop reading and start patching.

If you have direct access to the bash shell of the system you can execute the following lines of code to validate if the system is vulnerable and conversely validate whether you have applied the necessary patches.  As of this latest update not all systems have patches available (mainly just major releases of major distributions) and there are already scripts available to exploit this bug.

env X="() { :;} ; echo shellshock" /bin/sh -c "echo completed"
env X="() { :;} ; echo shellshock" `which bash` -c "echo completed"
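The two probes above, wrapped as an added example (not the author's code) that interprets the result: if the marker word is printed before "completed", the shell ran the trailing command while importing X and is vulnerable. The function names are illustrative, and the probe string is the page's own.

```shell
#!/bin/sh
# Added example: run the page's probe against one or more shells and
# report whether each one executed the command smuggled in via X.

MARKER="shellshock"   # marker word echoed by the page's probe string

# classify_probe_output OUTPUT -> vulnerable | patched | inconclusive
classify_probe_output() {
    case "$1" in
        *"$MARKER"*) echo vulnerable ;;    # trailing command ran on import
        *completed*) echo patched ;;       # only the requested command ran
        *)           echo inconclusive ;;  # shell did not run -c as expected
    esac
}

# check_shell PATH -> missing | vulnerable | patched | inconclusive
check_shell() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo missing; return 0; }
    # Same probe as above; stderr is dropped because patched shells may
    # print an import warning, and stdin is closed so nothing can block.
    out=$(env X="() { :;} ; echo $MARKER" "$shell_path" -c "echo completed" \
          2>/dev/null </dev/null) || true
    classify_probe_output "$out"
}

# audit_shells PATH... -> prints "path: result", returns 1 if any is vulnerable
audit_shells() {
    rc=0
    for s in "$@"; do
        result=$(check_shell "$s")
        printf '%s: %s\n' "$s" "$result"
        if [ "$result" = vulnerable ]; then rc=1; fi
    done
    return $rc
}

# Same two targets as the page: /bin/sh and whichever bash is first on PATH.
audit_shells /bin/sh "$(command -v bash || echo /bin/bash)"
```

The non-zero return from audit_shells makes it usable as a pass/fail step in a patch-verification job.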

Good information can be found at the following sites:

http://seclists.org/oss-sec/2014/q3/649
https://bugzilla.redhat.com/show_bug.cgi?id=1141597
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

Torry Crass
