Abstract
This paper presents a step-by-step demonstration of the exploitation of CVE-2014-6271, which affects the ‘Bourne Again Shell’ (Bash). By design, Bash cannot be accessed via a web server; yet a flaw in its source code gives attackers the ability to achieve Arbitrary Code Execution (ACE) over a Common Gateway Interface (CGI). In this paper, we demonstrate how the Shellshock vulnerability can be exploited and outline mitigation strategies.
© 2018 Springer International Publishing AG
About this paper
Cite this paper
Shetty, R., Choo, KK.R., Kaufman, R. (2018). Shellshock Vulnerability Exploitation and Mitigation: A Demonstration. In: Abawajy, J., Choo, KK., Islam, R. (eds) International Conference on Applications and Techniques in Cyber Security and Intelligence. ATCI 2017. Advances in Intelligent Systems and Computing, vol 580. Edizioni della Normale, Cham. https://doi.org/10.1007/978-3-319-67071-3_40
DOI: https://doi.org/10.1007/978-3-319-67071-3_40
Publisher Name: Edizioni della Normale, Cham
Print ISBN: 978-3-319-67070-6
Online ISBN: 978-3-319-67071-3
eBook Packages: Engineering, Engineering (R0)