Command Execution Vulnerability in Bash

Posted by on in Vulnerabilities

Introduction

Over the past weeks there has been widespread attention on a number of vulnerabilities affecting the GNU Bash shell. These vulnerabilities are classified under CWE-78 (OS Command Injection), which covers software that builds OS commands from externally controlled input without properly neutralizing the special elements that can change the intended meaning of the command. A large number of systems are affected, including most Linux distributions, OS X and many Unix variants, all of which use Bash as their default shell.

The recent vulnerabilities affecting GNU Bash (under the Shellshock codename) are:

The CVSS score assigned to this vulnerability is 10, the highest score possible. The score takes into account a number of metrics covering all of the vulnerability's possible attack vectors. In some limited cases the vulnerability can be triggered remotely through systems that pass request data to Bash, such as CGI scripts written in Bash.

Vulnerability Description

This vulnerability exists in a Bash feature that allows function definitions to be passed to a newly started shell through environment variables. If the value of an environment variable begins with the string "() {", Bash interprets the value as a function definition and parses it at startup without checking whether the string contains anything beyond the function body. In particular, a semicolon after the closing brace followed by further text causes that text to be executed as an ordinary command as soon as the shell starts.


CGI And Bash

Some web servers or applications use CGI scripts to carry out parts of their operation. Some of these CGI scripts are executed by Bash because they specify the following interpreter line (shebang) at the beginning of the script file:

#!/bin/bash

To locate all files in your web root that are potentially affected by this vulnerability, you can run the following command:

grep -IHErn "#\!/bin/bash|#\!/usr/bin/env bash" /path/to/webroot

The command recursively searches all text files for the strings "#!/bin/bash" and "#!/usr/bin/env bash", either of which causes the script to be run by Bash when it is executed over CGI.
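The grep above reports every line in every file that mentions the string, including documentation or comments, whereas a shebang only has effect on the first line of a script. The following added example (written for this page, not part of the original post or of any tool it mentions) walks a web root and reports only files whose first line is one of the two Bash shebangs, tolerating the "#! /bin/bash" spacing and interpreter options such as "#!/bin/bash -e". The sample web root it builds is constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Shebang forms named in the post. The interpreter must end exactly at "bash"
# (optionally followed by options), so "#!/bin/bashful" does not match.
SHEBANG_RE = re.compile(r"^#!\s*(/bin/bash|/usr/bin/env\s+bash)(\s|$)")


def is_bash_cgi(path):
    """Return True if the file's first line is a Bash shebang."""
    try:
        with open(path, "rb") as fh:
            first = fh.readline(512)   # a shebang is only honoured on line 1
    except OSError:
        return False
    try:
        first = first.decode("utf-8")
    except UnicodeDecodeError:      # binary file, cannot be a script
        return False
    return bool(SHEBANG_RE.match(first.rstrip("\r\n")))


def find_bash_scripts(webroot):
    """Recursively list files under webroot whose first line is a Bash shebang."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_bash_cgi(full):
                hits.append(os.path.relpath(full, webroot))
    return sorted(hits)


def build_sample_webroot():
    """Constructed sample web root for the demonstration (not from the post)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "cgi-bin/script.sh": "#!/bin/bash\necho 'Content-type: text/plain'\n",
        "cgi-bin/env.cgi": "#!/usr/bin/env bash\necho ok\n",
        "cgi-bin/perl.cgi": "#!/usr/bin/perl\nprint \"ok\";\n",
        # mentions the string but is not a script: grep -rn would report it
        "docs/readme.txt": "Run scripts with #!/bin/bash as the interpreter.\n",
    }
    for rel, body in samples.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_text(body)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for hit in find_bash_scripts(root):
        print(hit)
```

Running it against the constructed web root lists only cgi-bin/env.cgi and cgi-bin/script.sh; the Perl script and the readme are skipped. Like the grep, this only finds scripts that name Bash directly: it does not cover scripts run through "#!/bin/sh" on systems where sh is Bash, nor programs that start Bash indirectly, which is why the post recommends patching Bash itself rather than relying on the scan alone.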

CGI Attack Vectors

During tests on various platforms we have confirmed that the vulnerability can be triggered through two distinct locations in an HTTP request:

  1. Any header field value
  2. The protocol version field of the request line

For example, consider the following request to a CGI script:

GET /cgi-bin/script.sh HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0
Accept: text/html

The following marked locations show the attack vectors that exist in a request:

GET /cgi-bin/script.sh <attack>
Host: <attack>
User-Agent: <attack>
Accept: <attack>
any: <attack>

Other Remote Attack Vectors

A number of other attack vectors that can also affect systems remotely have been reported. These involve software that executes Bash either directly or through an intermediary program. They include:

  • OpenSSH ForceCommand directive for breaking out of restricted shell access (link)
  • gitolite (link)
  • PureFTPD (link)
  • And many others (link)


Defending against CGI Attack Vectors

To defend against these attack vectors, updating Bash to its latest version is strongly recommended. In addition, you can deploy the following ModSecurity rules, which block the remote command execution through environment variable function definitions. The rules inspect the protocol version and every request header value after URL decoding and deny any request in which one of these begins with the first few characters of the attack, "() {".

SecRule REQUEST_PROTOCOL "^\(\) {" "phase:2,deny,id:1000005,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:1000000,t:urlDecode,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
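To show what the two rules actually match, and to tie them back to the two request locations listed under "CGI Attack Vectors", here is an added Python example (written for this page; it is neither the post's code nor part of ModSecurity). It parses the head of a raw HTTP request, applies a percent-decoding step that approximates the t:urlDecode transformation, and reports the same variable names the rules would, REQUEST_PROTOCOL and REQUEST_HEADERS, when a decoded value starts with "() {". The sample requests are constructed for the demonstration; the probe value in them only echoes a string, and the detector depends solely on the prefix.

```python
import re
from urllib.parse import unquote_plus

# The rules' regex: the (decoded) value must START with the four characters "() {".
FUNCTION_DEF_RE = re.compile(r"^\(\) \{")


def url_decode(value):
    """Approximation of ModSecurity's t:urlDecode (percent decoding, '+' to space)."""
    return unquote_plus(value)


def parse_request(raw):
    """Split the head of a raw HTTP request into (method, target, protocol, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, protocol = parts
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, protocol, headers


def inspect_request(raw):
    """Return the ModSecurity-style locations whose decoded value starts with '() {'."""
    _method, _target, protocol, headers = parse_request(raw)
    findings = []
    if FUNCTION_DEF_RE.match(url_decode(protocol)):       # vector 2: protocol version
        findings.append("REQUEST_PROTOCOL")
    for name, value in headers:                            # vector 1: any header value
        if FUNCTION_DEF_RE.match(url_decode(value)):
            findings.append("REQUEST_HEADERS:" + name)
    return findings


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "benign": (
        "GET /cgi-bin/script.sh HTTP/1.1\r\n"
        "Host: localhost\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Accept: text/html\r\n\r\n"
    ),
    "user_agent": (
        "GET /cgi-bin/script.sh HTTP/1.1\r\n"
        "Host: localhost\r\n"
        "User-Agent: () { :;}; echo probe\r\n\r\n"
    ),
    "protocol": (
        "GET /cgi-bin/script.sh () { :;}; echo probe\r\n"
        "Host: localhost\r\n\r\n"
    ),
    "url_encoded": (   # same value percent-encoded; caught only because of decoding
        "GET /cgi-bin/script.sh HTTP/1.1\r\n"
        "Host: localhost\r\n"
        "Cookie: %28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe\r\n\r\n"
    ),
    "custom_header": (   # the "any: <attack>" case from the post
        "GET /cgi-bin/script.sh HTTP/1.1\r\n"
        "Host: localhost\r\n"
        "X-Anything: () { :;}; echo probe\r\n\r\n"
    ),
}


def scan_samples():
    """Run the detector over every constructed sample; returns {name: findings}."""
    return {name: inspect_request(raw) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        verdict = "DENY " if findings else "allow"
        print("%s %-14s %s" % (verdict, name, ", ".join(findings) or "-"))
```

The benign request produces no finding, each of the other four is denied with the location named, and a value such as "foo () {" is not flagged because the pattern is anchored at the start of the value, which matches how the unpatched Bash recognised imported functions: the variable's value had to begin with exactly those four characters. Note that the protocol rule as published runs in phase 2 while the header rule runs in phase 1; REQUEST_PROTOCOL is already available in phase 1, so both checks can be made before any request body is read.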