Tracked as CVE-2014-6271, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187, the now infamous Shellshock flaw refers to Bash blindly running the commands that follow a function definition inside a specially crafted environment variable.
Just run:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

or

env var='() {(a)=>\' bash -c "echo vulnerable"; cat echo

If the word vulnerable appears in the output, then your bash is vulnerable.
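The two tests above work because bash treats an environment variable whose value starts with "() {" as an exported function definition and, before the fix, kept executing whatever trailed the closing brace. The following is an added example written for this page, not code from the original post: a small classifier that recognises that shape in untrusted input (here, the request headers a web server copies into a CGI script's environment) and separates a plain function export from one carrying trailing commands or a malformed body. The sample request is constructed; the header names and the function names are the editor's own.

```python
import re
from typing import List, Optional, Tuple

# A value that bash would parse as an exported function: "() {" with optional
# whitespace. Constructed by the editor for illustration.
FUNC_EXPORT = re.compile(r'^\s*\(\)\s*\{')

def classify(value: str) -> Optional[Tuple[str, str]]:
    """Classify one environment-variable (or header) value.

    Returns None for an ordinary value. Otherwise returns (kind, trailing):
      - "plain-function":      balanced body, nothing after the closing "}"
      - "commands-after-body": text after the closing "}", which a vulnerable
                               bash would have executed (CVE-2014-6271 shape)
      - "malformed-definition": no balanced closing brace at all (the shape of
                               the parser follow-ups such as CVE-2014-7169)
    """
    if not FUNC_EXPORT.match(value):
        return None
    depth = 0
    for i, ch in enumerate(value):
        if ch == '{':
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                trailing = value[i + 1:].strip()
                kind = 'commands-after-body' if trailing else 'plain-function'
                return (kind, trailing)
    return ('malformed-definition', '')

def scan_headers(raw_request: str) -> List[Tuple[str, str, str]]:
    """Return (header_name, kind, trailing) for every header whose value looks
    like a bash function export. Any hit in a client-supplied header is worth
    logging, regardless of kind."""
    findings = []
    for line in raw_request.splitlines():
        if ':' not in line:
            continue  # request line or blank line
        name, _, val = line.partition(':')
        result = classify(val.strip())
        if result is not None:
            findings.append((name.strip(), result[0], result[1]))
    return findings

# Constructed sample request: the User-Agent carries the page's test payload.
SAMPLE_REQUEST = """GET /cgi-bin/status.cgi HTTP/1.1
Host: example.invalid
User-Agent: () { :;}; echo vulnerable
Referer: http://example.invalid/
Cookie: session=abc"""

if __name__ == '__main__':
    for name, kind, trailing in scan_headers(SAMPLE_REQUEST):
        print(f'{name}: {kind} trailing={trailing!r}')
```

Running it on the constructed request flags only the User-Agent header as "commands-after-body" with the trailing "; echo vulnerable". The second test command from the page, whose value is "() {(a)=>\", has no closing brace and lands in the "malformed-definition" bucket instead.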
A few of the identified attack vectors are:
And possibly many others.
What I want to focus on here is Apache and mod_cgi, because that seems to be the most exposed attack vector and because nobody actually mentions the dependencies for this attack to be successful.
As a note, at the moment there is conflicting information on whether this affects mod_php with exec functions enabled. Quoting from securityblog.redhat.com: "PHP scripts executed with mod_php are not affected even if they spawn subshells."
But I haven’t tested this myself as of yet.
In order to make this work under mod_cgi you would need to meet the following conditions:

- a CGI script that runs under bash, either directly (#!/bin/bash) or by spawning a subshell, e.g. by using popen(), exec, shell_exec etc;
- mod_cgi handling that script (AddHandler cgi-script .cgi);
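The conditions above can be checked mechanically on a host. The following is an added example, not code from the original post: it walks a cgi-bin directory, flags scripts that are interpreted by bash or that call one of the subshell-spawning functions named above (plus system and passthru, which behave the same way in PHP and Perl), and only reports them when the Apache configuration actually maps .cgi files to the cgi-script handler. The sample scripts and configuration are constructed in a temporary directory; whether the /bin/sh such calls hand their argument to is itself bash depends on the distribution, which the audit does not try to determine.

```python
import os
import re
import tempfile
from typing import Dict, Optional

# Shebangs that hand the script straight to bash (editor's list).
BASH_SHEBANG = re.compile(r'^#!\s*(/bin/bash|/usr/bin/bash|/usr/bin/env\s+bash)\b')
# Calls named on the page (popen, exec, shell_exec) plus system/passthru; all
# of them can hand their argument to /bin/sh, which on some systems is bash.
SUBSHELL_CALL = re.compile(r'\b(popen|exec|shell_exec|system|passthru)\s*\(')
# Apache directive from the page that routes .cgi files through mod_cgi.
CGI_HANDLER = re.compile(r'^\s*AddHandler\s+cgi-script\b', re.MULTILINE)

def audit_script(path: str) -> Optional[str]:
    """Return why a script meets the first condition, or None if it does not."""
    with open(path, encoding='utf-8', errors='replace') as f:
        text = f.read()
    first_line = text.splitlines()[0] if text else ''
    if BASH_SHEBANG.match(first_line):
        return 'interpreted by bash (%s)' % first_line
    m = SUBSHELL_CALL.search(text)
    if m:
        return 'spawns a subshell via %s()' % m.group(1)
    return None

def cgi_handler_enabled(conf_text: str) -> bool:
    """True if an uncommented AddHandler cgi-script line is present."""
    return CGI_HANDLER.search(conf_text) is not None

def audit_tree(root: str, conf_text: str) -> Dict[str, str]:
    """Map each exposed .cgi file under root to its reason. Without the
    handler directive nothing is reachable through mod_cgi, so return {}."""
    if not cgi_handler_enabled(conf_text):
        return {}
    findings: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if name.endswith('.cgi'):
                reason = audit_script(os.path.join(dirpath, name))
                if reason:
                    findings[name] = reason
    return findings

def demo() -> Dict[str, str]:
    """Build a constructed cgi-bin with three scripts and audit it."""
    samples = {
        # bash interpreter: meets the condition directly
        'hello.cgi': '#!/bin/bash\necho "Content-type: text/plain"\necho\necho hi\n',
        # perl script that shells out
        'report.cgi': '#!/usr/bin/perl\nprint "Content-type: text/plain\\n\\n";\nsystem("uptime");\n',
        # python script with no subshell: not flagged
        'info.cgi': '#!/usr/bin/python3\nprint("Content-type: text/plain\\n")\nprint("ok")\n',
    }
    conf = 'ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"\nAddHandler cgi-script .cgi\n'
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            with open(os.path.join(d, name), 'w') as f:
                f.write(body)
        return audit_tree(d, conf)

if __name__ == '__main__':
    for name, reason in demo().items():
        print(f'{name}: {reason}')
```

On the constructed tree the audit reports hello.cgi (bash interpreter) and report.cgi (system() call) and stays silent on info.cgi; with the AddHandler line commented out it reports nothing, since none of the scripts would be reachable through mod_cgi in the first place.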