SAINT Corporation
SAINT:B20ACFE275443E794149275B36EB8F99
Nov 20, 2014 - 12:00 a.m.

ShellShock DHCP Server

2014-11-20 00:00:00
SAINT Corporation
download.saintcorporation.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.976 High
Percentile: 100.0%

Added: 11/20/2014
CVE: CVE-2014-6271
BID: 70103
OSVDB: 112004

Background

Bash is vulnerable to command injection through environment variables. When an application takes user input and passes it to setenv(), a malicious actor is able to execute commands on the target in the security context of the running application. This exploit implements a DHCP server that listens for DHCP Request packets. DHCP Response packets are sent with a payload that generates a shell script in /tmp/s.sh and executes it. By default, the shell script executes a netcat callback shell on the specified port. The payload of the exploit can be modified by changing exploits/s.sh.
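A defender can look for this on the wire. The example below is added here (it is not SAINT's code): it parses the options of a DHCP reply and flags any value that begins with `() {`, the prefix that unpatched bash treats as an exported function definition. The page does not say which option carries the payload, so every option is checked; the sample packets and the use of option code 224 are constructed.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options area (RFC 2131)
FUNC_PREFIX = b"() {"                # prefix unpatched bash parses as a function definition

def iter_options(packet):
    """Yield (code, value) for each option; raise ValueError on malformed input."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:              # End option terminates the list
            return
        if code == 0:                # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        yield code, value
        i += 2 + length

def suspicious_options(packet):
    """Return [(code, value)] for options that start like a bash function definition."""
    return [(c, v) for c, v in iter_options(packet) if v.startswith(FUNC_PREFIX)]

def build_reply(options):
    """Constructed sample: minimal BOOTREPLY carrying the given {code: value} options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         b"", b"", b"", b"", b"", b"", b"")   # 236-byte fixed header
    body = b"".join(bytes([c, len(v)]) + v for c, v in options.items())
    return header + MAGIC_COOKIE + body + b"\xff"

# Constructed packets: 53 = message type (ACK), 1 = subnet mask, 15 = domain name.
CLEAN = build_reply({53: b"\x05", 1: b"\xff\xff\xff\x00", 15: b"example.test"})
# Option 224 (site-specific range) is an arbitrary choice for the sample.
FLAGGED = build_reply({53: b"\x05", 15: b"example.test",
                       224: b"() { :; }; echo constructed"})

if __name__ == "__main__":
    for name, pkt in (("clean", CLEAN), ("flagged", FLAGGED)):
        print(name, suspicious_options(pkt))
```

The parser is length-driven, so the 0xff bytes inside the subnet mask value are not mistaken for the End option. Options placed in the sname/file fields via option overload are not inspected.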

Limitations

Successful exploitation over DHCP is a race against the real DHCP server on the network. On some affected systems the payload will execute even when the race is lost; however, the reliability of the exploit will vary. Due to network latency, reliability is reduced when attacking from wireless networks. In some cases networking may have to be restarted manually on the client.

Resolution

Install the appropriate bash patch for your system.
