shellshock bash horror and Apache

realizationface
Also referred to as CVE-2014-6271, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187, the now infamous shellshock flaw refers to Bash being able to blindly run commands inside specially crafted environment variables.

Just run env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
OR
env var='() {(a)=>\' bash -c "echo vulnerable"; cat echo.
If in the output you find the word vulnerable, then you are.

A few of the identified attack vectors are:

  • ForceCommand of OpenSSH;
  • Apache with mod_cgi or mod_cgid;
  • DHCP invoking shell scripts to configure clients;
  • And possibly many other.

    What I want to focus on here is Apache and mod_cgi, because that seems the most exposed vector of attack and because nobody actually mentions the dependencies for this attack to be successful.

    As a note, at the moment there is conflicting information on whether this affects mod_php with exec functions enabled. Quoting from securityblog.redhat.com: PHP scripts executed with mod_php are not affected even if they spawn subshells.
    But I haven’t tested this myself as of yet.

    In order to make this work under mod_cgi you would need to meet the following conditions:

  • a script which spawns a shell, like #!/bin/bash or by using popen(), exec, shell_exec etc;
  • that same script parsed by mod_cgi (by default it executes only extensions with .cgi, as defined by AddHandler cgi-script .cgi);
  • have the script publicly discoverable – possibly through Google dorking for /bin/bash.