Uploaded byNatureCreature1
20 views

Shellshock

This document discusses exploiting the Shellshock Bash vulnerability (CVE-2014-6271) through a CGI script. It explains that while Bash is not usually exposed directly through a web application, it can be indirectly exposed through a Common Gateway Interface (CGI) script. The vulnerability allows defining Bash functions through environment variables passed to the CGI script from the web server, enabling arbitrary commands to be executed if not sanitized properly. Fingerprinting the application can help identify any CGI scripts that are vulnerable.

Embed presentation

Download to read offline
CVE-2014-6271/Shellshock This exercise covers the exploitation of a Bash vulnerability through a CGI.  FREE  EASY Dif�culty  4082 Completed this exercise Online labs details Video Introduction This course details the exploitation of the vulnerability CVE-2014-6271. This vulnerability impacts the Bourne Again Shell "Bash". Bash is not usually available through a web application but can be indirectly exposed through a Common Gateway Interface "CGI". Fingerprinting By visiting the application with a proxy (Burp Suite or OWASP Zap), we can detect that multiple URL are accessed when the page is loaded: To exploit "Shellshock", we need to �nd a way to "talk" to Bash. This implies �nding a CGI that will use Bash. CGIs commonly use Python or Perl but it's not uncommon to �nd (on old servers), CGI written in Shell or even C. How CGIs work? When you call a CGI, the web server (Apache here) will start a new process and run the CGI. Here it will start a Bash process and run the CGI script. Apache needs to pass information to the CGI script. To do so, it uses environment variables. Environment variables are available inside the CGI script. It allows Apache to easily pass every headers (amongst other information) to the CGI. If you have a HTTP header named Blah in your request, you will have an environment variable named HTTP_BLAH available in your CGI. The vulnerability Here, we are going to focus on the �rst version of the vulnerability but many more vulnerabilities in the same subpart of Bash have been found since: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187... The source of the issue is that Bash can have internal function declaration in its environment variable. The �rst version of the vulnerability is related to the ability to run arbitrary commands after a function declaration.  You can quickly test this by replacing the call to `uptime` by a call to `env` in the CGI. Then if you call this script with arbitrary header, you should see them in the page. PentesterLab: Learn Web App Pentesting! https://pentesterlab.com/exercises/cve-2014-62... 1 of 2 2020-04-02 12:11
PentesterLab: Learn Web App Pentesting! https://pentesterlab.com/exercises/cve-2014-62... 2 of 2 2020-04-02 12:11

More Related Content

PPTX
Building RESTful APIs w/ Grape
byDaniel Doubrovkine
 
PDF
Scale your PHP application with Elastic Beanstalk - CloudParty Genova
byCorley S.r.l.
 
PDF
Serverless in Production, an experience report (cloudXchange)
byYan Cui
 
PDF
Serverless in production, an experience report (LNUG)
byYan Cui
 
PDF
MongoDB World 2018: Tutorial - Got Dibs? Building a Real-Time Bidding App wit...
byMongoDB
 
KEY
Integration Testing With Cucumber How To Test Anything J A O O 2009
byDr Nic Williams
 
PDF
Dockerize node.js application
bySeokjun Kim
 
PPTX
Building an API using Grape
byvisnu priya
 
Building RESTful APIs w/ Grape
byDaniel Doubrovkine
 
Scale your PHP application with Elastic Beanstalk - CloudParty Genova
byCorley S.r.l.
 
Serverless in Production, an experience report (cloudXchange)
byYan Cui
 
Serverless in production, an experience report (LNUG)
byYan Cui
 
MongoDB World 2018: Tutorial - Got Dibs? Building a Real-Time Bidding App wit...
byMongoDB
 
Integration Testing With Cucumber How To Test Anything J A O O 2009
byDr Nic Williams
 
Dockerize node.js application
bySeokjun Kim
 
Building an API using Grape
byvisnu priya
 

What's hot

PDF
End to-end testing from rookie to pro
byDomenico Gemoli
 
PDF
Command Box ColdFusion Package Manager, Automation
byColdFusionConference
 
PDF
Automated acceptance test
byBryan Liu
 
PDF
Docker Docker Docker Chef
bySean OMeara
 
PDF
Lessons learned from a huge Rails app - RubyConf Brasil 2019
byNahuel Garbezza
 
PDF
stackconf 2020 | Enterprise CI/CD Integration Testing Environments Done Right...
byNETWAYS
 
PDF
OSCamp 2019 | #3 Ansible: Automated Tests of Ansible code with GitLab, Vagran...
byNETWAYS
 
PDF
Deploy made easy (even on Friday)
byRiccardo Bini
 
PDF
Increase eZ Power With EzCoreExtraBundle (presented by Jérôme Vieilledent at ...
byeZ Systems
 
PDF
Docker jako prostředí pro automatizaci testů
byRadim Daniel Pánek
 
PDF
How Symfony Changed My Life
byMatthias Noback
 
ODP
ATDD with Behat and Selenium (LDNSE6)
byShashikant Jagtap
 
PDF
Laravel Forge: Hello World to Hello Production
byJoe Ferguson
 
PDF
Concurrent Ruby Application Servers
byLin Jen-Shin
 
PDF
Streamlining API with Swagger.io
byVictor Augusteo
 
PDF
Hand Crafted Artisanal Chef Resources
bySean OMeara
 
PDF
Dependency Injection
byColdFusionConference
 
PDF
Automate Thyself
byOrtus Solutions, Corp
 
PDF
Ruby on rails integration testing with minitest and capybara
byAndolasoft Inc
 
PDF
One commit, one release. Continuously delivering a Symfony project.
byJavier López
 
End to-end testing from rookie to pro
byDomenico Gemoli
 
Command Box ColdFusion Package Manager, Automation
byColdFusionConference
 
Automated acceptance test
byBryan Liu
 
Docker Docker Docker Chef
bySean OMeara
 
Lessons learned from a huge Rails app - RubyConf Brasil 2019
byNahuel Garbezza
 
stackconf 2020 | Enterprise CI/CD Integration Testing Environments Done Right...
byNETWAYS
 
OSCamp 2019 | #3 Ansible: Automated Tests of Ansible code with GitLab, Vagran...
byNETWAYS
 
Deploy made easy (even on Friday)
byRiccardo Bini
 
Increase eZ Power With EzCoreExtraBundle (presented by Jérôme Vieilledent at ...
byeZ Systems
 
Docker jako prostředí pro automatizaci testů
byRadim Daniel Pánek
 
How Symfony Changed My Life
byMatthias Noback
 
ATDD with Behat and Selenium (LDNSE6)
byShashikant Jagtap
 
Laravel Forge: Hello World to Hello Production
byJoe Ferguson
 
Concurrent Ruby Application Servers
byLin Jen-Shin
 
Streamlining API with Swagger.io
byVictor Augusteo
 
Hand Crafted Artisanal Chef Resources
bySean OMeara
 
Dependency Injection
byColdFusionConference
 
Automate Thyself
byOrtus Solutions, Corp
 
Ruby on rails integration testing with minitest and capybara
byAndolasoft Inc
 
One commit, one release. Continuously delivering a Symfony project.
byJavier López
 

Similar to Shellshock

PDF
Bash Code-Injection Briefing
byAvirot Mitamura
 
PPTX
Shellshock- from bug towards vulnerability
byUT, San Antonio
 
PDF
ShellShock (Software BASH Bug)
byViSolve, Inc.
 
PPTX
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
byEC-Council
 
PDF
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...
byAndrea Draghetti
 
DOCX
Article on shellshock
byKurapati Vishwak
 
PDF
Shellshock - A Software Bug
byvwchu
 
PPTX
The Shellshocker
bySharath Unni
 
PDF
Web backdoors attacks, evasion, detection
byn|u - The Open Security Community
 
PPTX
document.pptx
byjosephLak
 
PPTX
Pentest Expectations
byIhor Uzhvenko
 
ODT
Kioptrix 2014 5
byJayesh Patel
 
PDF
Tickling CGI Problems (Tcl Web Server Scripting Vulnerability Research)
byDerek Callaway
 
PDF
LFI to RCE Exploit with Perl Script
byPrathan Phongthiproek
 
PDF
Php vulnerability presentation
bySqa Enthusiast
 
PDF
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
byIsmail Tasdelen
 
PDF
LasCon 2014 DevOoops
byChris Gates
 
PPT
Securing Your Webserver By Pradeep Sharma
byOSSCube
 
PDF
PHP SuperGlobals - Supersized Trouble
byImperva
 
DOCX
The Bash Bug explained !
byAhmed Banafa
 
Bash Code-Injection Briefing
byAvirot Mitamura
 
Shellshock- from bug towards vulnerability
byUT, San Antonio
 
ShellShock (Software BASH Bug)
byViSolve, Inc.
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
byEC-Council
 
[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...
byAndrea Draghetti
 
Article on shellshock
byKurapati Vishwak
 
Shellshock - A Software Bug
byvwchu
 
The Shellshocker
bySharath Unni
 
Web backdoors attacks, evasion, detection
byn|u - The Open Security Community
 
document.pptx
byjosephLak
 
Pentest Expectations
byIhor Uzhvenko
 
Kioptrix 2014 5
byJayesh Patel
 
Tickling CGI Problems (Tcl Web Server Scripting Vulnerability Research)
byDerek Callaway
 
LFI to RCE Exploit with Perl Script
byPrathan Phongthiproek
 
Php vulnerability presentation
bySqa Enthusiast
 
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
byIsmail Tasdelen
 
LasCon 2014 DevOoops
byChris Gates
 
Securing Your Webserver By Pradeep Sharma
byOSSCube
 
PHP SuperGlobals - Supersized Trouble
byImperva
 
The Bash Bug explained !
byAhmed Banafa
 

Recently uploaded

PPTX
Spectrofluorometery one of the analytical technique
bySavitribai Phule Pune University
 
PPTX
Prenatal Development of Cranium, Jaw and Face
byHarshita Dhanrajani
 
PPTX
PixelX : Think Design Experience powerpoint presentation
byVinaySiddha
 
PPTX
605456209-week-6-ppt-pagbasa.pptxpowerpointpresentation
byDecerrieMerabite
 
PDF
Library Pride Support: Supporting LGBTQIA+ Advocacy at Maynooth University Li...
byCONUL Conference
 
PPTX
Cardiovascular System or The Details of Heart.pptx
byAshish Umale
 
PDF
A predictive coding framework for rapid neural dynamics during sentence-level...
byMan_Ebook
 
PPTX
From Vision to Action: UCC Library’s Digital & Information Literacy Framework...
byCONUL Conference
 
PPTX
Changing hearts at DCU Library: Confronting prejudice through The Human Libra...
byCONUL Conference
 
PPTX
LEARNING PART 1. SHILPA HOTAKAR PSYCHOLOGY NOTES pptx
bySHILPA HOTAKAR
 
PDF
Homebound (2025): A Critical Analysis of Social Realism, Systemic Apathy, and...
bykrutivyas2005
 
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
byNguyen Thanh Tu Collection
 
PPTX
Inter School Quiz Competition Final.pptx
bySourav Kr Podder
 
PPTX
CHAPTER NO. 05 DIURETICS PHARMACOGNOSY.pptx
byGanu Gavade
 
PPTX
From AI curious to AI conversant – a year of experimentation at TCD Library. ...
byCONUL Conference
 
PPTX
LEARNING PART 2.SHILPA HOTAKAR PSYCHOLOGY NOTES pptx
bySHILPA HOTAKAR
 
PPTX
SPECIAL STSAINS USED IN HISTOPATHOLOGY.pptx
byKISMAT ALI
 
PPTX
How to create bill in odoo 19 Purchase
byCeline George
 
PDF
‘You can do anything, but not everything’: Using UCC’s Service Principles to ...
byCONUL Conference
 
PPTX
CARDIOTONIC CHAPTER NO. 5 PHARMACOGNOSY DIGITALIS AND ARJUNA BARK
byGanu Gavade
 
Spectrofluorometery one of the analytical technique
bySavitribai Phule Pune University
 
Prenatal Development of Cranium, Jaw and Face
byHarshita Dhanrajani
 
PixelX : Think Design Experience powerpoint presentation
byVinaySiddha
 
605456209-week-6-ppt-pagbasa.pptxpowerpointpresentation
byDecerrieMerabite
 
Library Pride Support: Supporting LGBTQIA+ Advocacy at Maynooth University Li...
byCONUL Conference
 
Cardiovascular System or The Details of Heart.pptx
byAshish Umale
 
A predictive coding framework for rapid neural dynamics during sentence-level...
byMan_Ebook
 
From Vision to Action: UCC Library’s Digital & Information Literacy Framework...
byCONUL Conference
 
Changing hearts at DCU Library: Confronting prejudice through The Human Libra...
byCONUL Conference
 
LEARNING PART 1. SHILPA HOTAKAR PSYCHOLOGY NOTES pptx
bySHILPA HOTAKAR
 
Homebound (2025): A Critical Analysis of Social Realism, Systemic Apathy, and...
bykrutivyas2005
 
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
byNguyen Thanh Tu Collection
 
Inter School Quiz Competition Final.pptx
bySourav Kr Podder
 
CHAPTER NO. 05 DIURETICS PHARMACOGNOSY.pptx
byGanu Gavade
 
From AI curious to AI conversant – a year of experimentation at TCD Library. ...
byCONUL Conference
 
LEARNING PART 2.SHILPA HOTAKAR PSYCHOLOGY NOTES pptx
bySHILPA HOTAKAR
 
SPECIAL STSAINS USED IN HISTOPATHOLOGY.pptx
byKISMAT ALI
 
How to create bill in odoo 19 Purchase
byCeline George
 
‘You can do anything, but not everything’: Using UCC’s Service Principles to ...
byCONUL Conference
 
CARDIOTONIC CHAPTER NO. 5 PHARMACOGNOSY DIGITALIS AND ARJUNA BARK
byGanu Gavade
 

Shellshock

  • 1.
    CVE-2014-6271/Shellshock This exercise coversthe exploitation of a Bash vulnerability through a CGI.  FREE  EASY Dif�culty  4082 Completed this exercise Online labs details Video Introduction This course details the exploitation of the vulnerability CVE-2014-6271. This vulnerability impacts the Bourne Again Shell "Bash". Bash is not usually available through a web application but can be indirectly exposed through a Common Gateway Interface "CGI". Fingerprinting By visiting the application with a proxy (Burp Suite or OWASP Zap), we can detect that multiple URL are accessed when the page is loaded: To exploit "Shellshock", we need to �nd a way to "talk" to Bash. This implies �nding a CGI that will use Bash. CGIs commonly use Python or Perl but it's not uncommon to �nd (on old servers), CGI written in Shell or even C. How CGIs work? When you call a CGI, the web server (Apache here) will start a new process and run the CGI. Here it will start a Bash process and run the CGI script. Apache needs to pass information to the CGI script. To do so, it uses environment variables. Environment variables are available inside the CGI script. It allows Apache to easily pass every headers (amongst other information) to the CGI. If you have a HTTP header named Blah in your request, you will have an environment variable named HTTP_BLAH available in your CGI. The vulnerability Here, we are going to focus on the �rst version of the vulnerability but many more vulnerabilities in the same subpart of Bash have been found since: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187... The source of the issue is that Bash can have internal function declaration in its environment variable. The �rst version of the vulnerability is related to the ability to run arbitrary commands after a function declaration.  You can quickly test this by replacing the call to `uptime` by a call to `env` in the CGI. Then if you call this script with arbitrary header, you should see them in the page. PentesterLab: Learn Web App Pentesting! https://pentesterlab.com/exercises/cve-2014-62... 1 of 2 2020-04-02 12:11
  • 2.
    PentesterLab: Learn WebApp Pentesting! https://pentesterlab.com/exercises/cve-2014-62... 2 of 2 2020-04-02 12:11