Thursday, 25 September 2014

CVE-2014-6271

A fun Bash bug: Bash doesn't stop parsing an environment variable at the end of the function definition it contains, and executes whatever trailing text follows, so it is susceptible to arbitrary command execution. If you're exposing Bash-backed CGI scripts, this becomes RCE.
For this example, I’ve chosen to abuse the user-agent setting:
Great, we get a page. Now let's go looking for a CGI script… and as it happens, we've found one, poc.cgi:
Requesting this CGI gives a nice picture of the environment:
Now, using the Bash bug, and the handy flag for setting the user-agent with curl, we do the following evil thing:
Notice that I’ve used a path that is owned by the webserver to avoid permission issues. Also, in quick testing, anything that wrote to STDOUT caused header errors. I even tried sending the content type in the user-agent definition. Back to checking on the damage that we have done:
So there it is, RCE for a Bash CGI script.
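On the defensive side, the injection vector described above leaves a recognisable trace: the `() {` function-definition prefix appears verbatim in whichever request header the CGI handler exports, and, as noted, payloads that write to STDOUT tend to surface as 500s. The following is an added example (not from the original post) that scans constructed Apache/nginx "combined" access-log lines for that prefix in the User-Agent and Referer fields; the log format and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass

# Apache/nginx "combined" access-log format (assumed for this example).
# Escaped quotes inside header values are not handled here.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A CVE-2014-6271 payload starts with a Bash function definition, "() {",
# placed in any header the CGI handler exports as an environment variable.
# Whitespace between the tokens is optional, so allow zero or more spaces.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


@dataclass
class Hit:
    ip: str
    timestamp: str
    request: str
    status: str
    field: str   # which header carried the pattern ("ua" or "referer")
    value: str


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def scan_access_log(lines):
    """Return a Hit for every request whose User-Agent or Referer carries
    the Bash function-definition prefix."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # unparseable line; a production tool would count these
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append(Hit(rec["ip"], rec["ts"], rec["req"],
                                rec["status"], field, rec[field]))
    return hits


# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/poc.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/poc.cgi HTTP/1.1" 500 291 "-" "() { :;}; echo scanned"',
    '198.51.100.7 - - [25/Sep/2014:10:02:44 +0000] "GET /index.html HTTP/1.1" 200 1024 "(){ :; }; echo test" "curl/7.37.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f"{h.timestamp} {h.ip} {h.request} status={h.status} via {h.field}: {h.value!r}")
```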

Update 1:

Getting around the STDOUT issue wrecking headers is easier than I thought; cat the file and redirect the output, then fetch the file:

and the fetch:

Update 2:

Seeing some slick reverse shells now on pastebin. This is going to be nasty, especially on embedded systems that aren’t using busybox.

Update 3:

Talked with @loganattwood OOB about timing attacks against DHCP lease expiry & passing shellcode via DHCP options. Nice privilege escalation scenario.