Shellshock Vulnerability Exploitation and Mitigation: A Demonstration

  • Conference paper
International Conference on Applications and Techniques in Cyber Security and Intelligence (ATCI 2017)

Abstract

This paper presents a step-by-step demonstration of the exploitation of CVE-2014-6271, which affects the ‘Bourne Again Shell’ (Bash). By design, Bash cannot be accessed via a web server, yet a flaw in its source code gives attackers the ability to perform Arbitrary Code Execution (ACE) over a Common Gateway Interface (CGI). In this paper, we demonstrate how the Shellshock vulnerability can be exploited and outline mitigation strategies.

Corresponding author

Correspondence to Kim-Kwang Raymond Choo.

Copyright information

© 2018 Springer International Publishing AG

About this paper

Cite this paper

Shetty, R., Choo, KK.R., Kaufman, R. (2018). Shellshock Vulnerability Exploitation and Mitigation: A Demonstration. In: Abawajy, J., Choo, KK., Islam, R. (eds) International Conference on Applications and Techniques in Cyber Security and Intelligence. ATCI 2017. Advances in Intelligent Systems and Computing, vol 580. Edizioni della Normale, Cham. https://doi.org/10.1007/978-3-319-67071-3_40

  • DOI: https://doi.org/10.1007/978-3-319-67071-3_40

  • Publisher Name: Edizioni della Normale, Cham

  • Print ISBN: 978-3-319-67070-6

  • Online ISBN: 978-3-319-67071-3

  • eBook Packages: Engineering, Engineering (R0)
