Monday, October 6, 2014

Shellshock bug in bash: how vulnerable are you?

Shellshock

CVE Number: CVE-2014-7169
Description:
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271

What this says is that if you have a vulnerable version of bash on your system, the system can be exploited through any of the following services:

  • OpenSSH: SSH allows environment variables to be passed from the client to the server using SendEnv (on the client side) and AcceptEnv (on the server side).

For example, assume that the sshd is configured to accept some environment variable from the client (here LC_PAPER):
~>export LC_PAPER='() { :;}; echo you are vulnerable'
Now try to ssh to the remote machine:
~>ssh abc@127.0.0.1 'date'
you are vulnerable
Mon Apr  6 13:34:17 UTC 2015
Does this mean you are really vulnerable? Not by itself, since this user could already run commands over SSH; it matters when the account has a restricted shell or some other mechanism limiting what it may run, because in that case an attacker can use the bug to run commands beyond the authorized limit.


  • CGI under the Apache HTTP Server: along the same lines, because CGI scripts run by bash take their input through environment variables, they become vulnerable to it as well.
  • DHCP client: this is a higher security risk. If your DHCP server is compromised, someone can inject an environment variable into the DHCP client at boot time. Since the DHCP client runs with elevated privileges at boot, an attacker gets the ability to execute commands in that escalated-privilege environment.



Bash itself does NOT cross a privilege boundary: the injected command runs with the privileges of whoever started bash, as can be shown by running the command below from a local user's bash shell.
env val='() { :;}; echo `cat ~/onlyroot_access_file`' bash -c "`sudo mysudocommand`"

How do you check whether you are vulnerable? Run the command below:
env val='() { :;}; echo you are vulnerable' bash -c "echo abc"
A vulnerable bash prints "you are vulnerable" before "abc"; a patched bash prints only "abc" (with a warning on stderr that the function definition was ignored). Note that this command tests the original bug, CVE-2014-6271, of which CVE-2014-7169 is the incomplete fix.
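As an added example that is not part of the original post, the check above and the published follow-up check for CVE-2014-7169 (the file-write behaviour the CVE text describes) wrapped in functions with a clear verdict and a pass/fail exit code; BASH_BIN is an assumed variable so another bash binary can be tested.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: self-check for both Shellshock CVEs.
# BASH_BIN is an assumed variable; it defaults to the bash found on PATH.
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271 (the post's check): a vulnerable bash runs the command that
# trails the function definition while importing it, so "vulnerable" is echoed
# before "abc". A patched bash prints only "abc" plus a warning on stderr.
check_6271() {
    local out
    out=$(env val='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo abc' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169 (the incomplete fix named in the CVE text): a malformed
# definition ending in a redirection makes a vulnerable bash write a file
# named "echo" into the working directory instead of running "echo date".
# The test runs in a scratch directory so nothing is left behind.
check_7169() {
    local tmp verdict
    tmp=$(mktemp -d) || return 2
    if ( cd "$tmp" || exit 2
         env val='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1
         [ -e echo ] ); then
        verdict=vulnerable
    else
        verdict=patched
    fi
    rm -rf "$tmp"
    echo "$verdict"
}

# Overall verdict: prints one line per CVE and exits 1 if either check finds
# the bug, 0 if both report patched (suitable for use in a config-audit job).
shellshock_check() {
    local a b
    a=$(check_6271)
    b=$(check_7169)
    echo "CVE-2014-6271: $a"
    echo "CVE-2014-7169: $b"
    [ "$a" = patched ] && [ "$b" = patched ]
}

shellshock_check
```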