10
CVSSv2

CVE-2014-6278

Published: 30/09/2014 Updated: 09/08/2018
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

GNU Bash up to and including 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote malicious users to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.

Vulnerability Trend

Vendor Advisories

Several security issues were fixed in Bash ...
ESX 41 without patch ESX410-201410401-SG vCenter Server Appliance prior to 55 U2a ...
Blue Coat products using GNU Bash are vulnerable command injection flaws  A remote attacker may exploit the flaws to execute arbitrary code with elevated privileges or cause a denial of service ...
A number of security vulnerabilities have been identified in the ‘bash’ component of Citrix XenServer  These issues include those known as ‘Shellshock’ and have the following identifiers: CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187 These issues affect all supported versions ...
Citrix is aware of recent vulnerability reports that impact GNU Bash and is actively investigating the potential impact of these issues on Citrix products There are a number of CVEs related to this issue, the current set includes: CVE-2014-6271  CVE-2014-6277  CVE-2014-6278 ...
GNU bash contains a flaw that is triggered when evaluating environment variables passed from another environment After processing a function definition, bash continues to process trailing strings Via certain applications, a local or remote attacker may inject shell commands, allowing local privilege escalation or remote command execution dependin ...

Exploits

#!/usr/bin/python ############################################### # Cisco UCS Manager 21(1b) Shellshock Exploit # # CVE-2014-6278 # Confirmed on version 21(1b), but more are likely vulnerable # Cisco's advisory: # toolsciscocom/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash # Exploit generates a reverse shell to ...
# Exploit Title: ShellShock On Sun Secure Global Desktop & Oracle Global desktop # Google Dork: intitle:Install the Sun Secure Global Desktop Native Client # Date: 6/4/2016 # Exploit Author: lastc0de@outlookcom # Vendor Homepage: wwwsuncom/ & wwworaclecom/ # Software Link: wwworaclecom/technetwork/server-storage/ ...
#! /usr/bin/env python from socket import * from threading import Thread import thread, time, httplib, urllib, sys stop = False proxyhost = "" proxyport = 0 def usage(): print """ Shellshock apache mod_cgi remote exploit Usage: /exploitpy var=<value> Vars: rhost: victim host rport: victim port for TCP shell binding lhost: attacker ...
#!/usr/bin/python # Exploit Title: ShellShock dhclient Bash Environment Variable Command Injection PoC # Date: 2014-09-29 # Author: @fdiskyou # e-mail: rui at deniableorg # Version: 41 # Tested on: Debian, Ubuntu, Kali # CVE: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 from scapyall import * confcheckIPaddr = Fal ...
#!/usr/bin/python # Exploit Title: dhclient shellshocker # Google Dork: n/a # Date: 10/1/14 # Exploit Author: @0x00string # Vendor Homepage: gnuorg # Software Link: ftpgnuorg/gnu/bash/bash-43targz # Version: 4311 # Tested on: Ubuntu 14041 # CVE : CVE-2014-6277,CVE-2014-6278,CVE-2014-7169,CVE-2014-7186,CVE-2014-7187 # ______ ...

Mailing Lists

Cisco UCS Manager version 21(1b) shellshock exploit that spawns a connect-back shell ...
This Metasploit module exploits a post-auth code injection in specially crafted environment variables in Bash, specifically targeting CUPS filters through the PRINTER_INFO and PRINTER_LOCATION variables by default ...
GNU Bash version 4311 environment variable dhclient shellshocker exploit ...
This is information regarding more bash vulnerabilities and how the original bash patches are ineffective ...
DNS reverse lookups can be used as a vector of attack for the bash shellshock vulnerability ...

Metasploit Modules

Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner

This module scans for the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition. PROTIP: Use exploit/multi/handler with a PAYLOAD appropriate to your CMD, set ExitOnSession false, run -j, and then run this module to create sessions on vulnerable hosts. Note that this is not the recommended method for obtaining shells. If you require sessions, please use the apache_mod_cgi_bash_env_exec exploit module instead.

msf > use auxiliary/scanner/http/apache_mod_cgi_bash_env
      msf auxiliary(apache_mod_cgi_bash_env) > show actions
            ...actions...
      msf auxiliary(apache_mod_cgi_bash_env) > set ACTION <action-name>
      msf auxiliary(apache_mod_cgi_bash_env) > show options
            ...show and set options...
      msf auxiliary(apache_mod_cgi_bash_env) > run
Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition.

msf > use exploit/multi/http/apache_mod_cgi_bash_env_exec
      msf exploit(apache_mod_cgi_bash_env_exec) > show targets
            ...targets...
      msf exploit(apache_mod_cgi_bash_env_exec) > set TARGET <target-id>
      msf exploit(apache_mod_cgi_bash_env_exec) > show options
            ...show and set options...
      msf exploit(apache_mod_cgi_bash_env_exec) > exploit
CUPS Filter Bash Environment Variable Code Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CUPS filters through the PRINTER_INFO and PRINTER_LOCATION variables. A valid username and password is required to exploit this vulnerability through CUPS.

msf > use exploit/multi/http/cups_bash_env_exec
      msf exploit(cups_bash_env_exec) > show targets
            ...targets...
      msf exploit(cups_bash_env_exec) > set TARGET <target-id>
      msf exploit(cups_bash_env_exec) > show options
            ...show and set options...
      msf exploit(cups_bash_env_exec) > exploit

Github Repositories

Cisco UCS Manager 21(1b) Shellshock Exploit CVE-2014-6278 Confirmed on version 21(1b), but more are likely vulnerable Cisco's advisory: toolsciscocom/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash Exploit generates a reverse shell to a nc listener Exploit Author: @thatchriseckert Exploit goes after a specific cgi script in Cisco UCS ma

Shellshock Vulnerability Scanner

ShellScan ShellScan - A simple Shellshock Vulnerability Scanner in python allows cyber security researchers to explore and discover new application and systems that vulnerable to the ShellShock exploit ShellScan supports different BASH vulnerabilities: CVE-2014-6271 and CVE-2014-6278 to be tested by cyber security researchers in order to explore and discover new applications a

Fabric script to squash the nasty bash shellshock bug

fabric-shellshock Fabric script to squash the nasty bash shellshock bug This fabric script should test for CVE-2014-6278, CVE-2014-6271, CVE-2014-7186 and CVE-2014-7187 There is a redhat and centos directory Each one contains a gpg signed version of bash for the respective distro The script will push the file to the server and do a yum localinstall on it Once installed a se

Automated mass-patching for shellshocker bash vulnerabilities

ShockTrooper What is this? A quickly thrown together script -- based on information from Shellshockernet -- to ssh into, detect, and patch shellshock vulnerabilities across a number of remote servers, with the built in package manager on each given server Currently supported: Debian/Ubuntu using apt-get Redhat/CentOS using yum Arch using pacman (theoretical support, not yet

w-test #!/bin/bash warn() { if [ "$scary" == "1" ]; then echo -e "\033[91mVulnerable to $1\033[39m" else echo -e "\033[93mFound non-exploitable $1\033[39m" fi } good() { echo -e "\033[92mNot vulnerable to $1\033[39m" } [ -n "$1" ] &amp;&amp; bash=$(which $1) || bash=$(which bash) echo -e "\033[95mTesting $

The tool inject a malicious user agent that allows exploring the vulnerabildiade sheelshock running server-side commands.

Xpl-SHELLSHOCK-Ch3ck The tool inject a malicious user agent that allows exploring the vulnerabildiade sheellshock running server-side commands # SCRIPT by: [ I N U R L - B R A S I L ] - [ By GoogleINURL ] # EXPLOIT NAME: Xpl SHELLSHOCK Ch3ck Tool - (MASS)/ INURL BRASIL # AUTOR: Cleiton Pinheiro / Nick: googleINURL # Email: inurlbr@gmailcom

test script for shellshocker and related vulnerabilities

bashcheck Test script for Shellshock and related vulnerabilities background The Bash vulnerability that is now known as Shellshock had an incomplete fix at first There are currently 6 public vulnerabilities shellshock and heartbleed I wrote down some general thoughts about recent events and security in free software: bloghboeckde/archives/857-How-to-stop-Bleeding-H

Contains compiled bash & sh binaries that have been patched against the CVEs associated with 'shellshock' vulnerabilities.

Shellshock fix for OS X This repository contains precompiled bash 3257 &amp; sh binaries which are patched against the following CVEs associated with the 'shellshock' vulnerabilities listed below It also contains a script ('compileAndReplaceBash-3257sh') that can be used by running /compileAndReplaceBash-3257sh from the command line bash32-052

ActiveScan++ Burp Suite Plugin

ActiveScan++ ActiveScan++ extends Burp Suite's active and passive scanning capabilities Designed to add minimal network overhead, it identifies application behaviour that may be of interest to advanced testers: Potential host header attacks (password reset poisoning, cache poisoning, DNS rebinding) Edge Side Includes XML input handling Suspicious input transformation (eg

Collection of Proof of Concepts and Potential Targets for #ShellShocker

Shellshocker - Repository of "Shellshock" Proof of Concept Code Collection of Proof of Concepts and Potential Targets for #ShellShocker Wikipedia Link: enwikipediaorg/wiki/Shellshock_%28software_bug%29#CVE-2014-7186_and_CVE-2014-7187_Details Please submit a pull request if you have more links or other resources Speculation:(Non-confirmed possibly vulnerable)

A collection of vulnerabilities discovered by the AFL fuzzer (afl-fuzz)

afl-cve A collection of vulnerabilities discovered by the AFL fuzzer (afl-fuzz) Introduction afl-cve is a collection of known vulnerabilities that can be attributed to the AFL fuzzer afl-fuzz All vulnerabilities in this list either already have a CVE assigned, or a CVE has been requested from a CVE Numbering Authority Why is This Necessary? Because CVE descriptions are not ge

Recent Articles

Researcher Takes Wraps off Two Undisclosed Shellshock Vulnerabilities in Bash
Threatpost • Michael Mimoso • 03 Oct 2014

The Bash bug has kept Linux and UNIX administrators busy deploying a half-dozen patches, worrying about numerous Shellshock exploits in the wild, and a laboring over a general uncertainty that the next supposed fix will break even more stuff.
Researcher Michal Zalewski, a longtime bug-hunter, has been front and center on some of the Bash research and last week said he had found two additional bugs in the Bourne Again Shell, details of which he’d kept to himself until yesterday.
Za...

References

CWE-78http://jvn.jp/en/jp/JVN55667175/index.htmlhttp://jvndb.jvn.jp/jvndb/JVNDB-2014-000126http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.htmlhttp://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.htmlhttp://linux.oracle.com/errata/ELSA-2014-3093http://linux.oracle.com/errata/ELSA-2014-3094http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.htmlhttp://lists.opensuse.org/opensuse-updates/2014-10/msg00025.htmlhttp://marc.info/?l=bugtraq&m=141330468527613&w=2http://marc.info/?l=bugtraq&m=141345648114150&w=2http://marc.info/?l=bugtraq&m=141383026420882&w=2http://marc.info/?l=bugtraq&m=141383081521087&w=2http://marc.info/?l=bugtraq&m=141383196021590&w=2http://marc.info/?l=bugtraq&m=141383244821813&w=2http://marc.info/?l=bugtraq&m=141383304022067&w=2http://marc.info/?l=bugtraq&m=141383353622268&w=2http://marc.info/?l=bugtraq&m=141383465822787&w=2http://marc.info/?l=bugtraq&m=141450491804793&w=2http://marc.info/?l=bugtraq&m=141576728022234&w=2http://marc.info/?l=bugtraq&m=141577137423233&w=2http://marc.info/?l=bugtraq&m=141577241923505&w=2http://marc.info/?l=bugtraq&m=141577297623641&w=2http://marc.info/?l=bugtraq&m=141585637922673&w=2http://marc.info/?l=bugtraq&m=141879528318582&w=2http://marc.info/?l=bugtraq&m=142118135300698&w=2http://marc.info/?l=bugtraq&m=142358026505815&w=2http://marc.info/?l=bugtraq&m=142358078406056&w=2http://marc.info/?l=bugtraq&m=142721162228379&w=2http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.htmlhttp://packetstormsecurity.com/files/137344/Sun-Secure-Global-Desktop-Oracle-Global-Desktop-Shellshock.htmlhttp://secunia.com/advisories/58200http://secunia.com/advisories/59907http://secunia.com/advisories/59961http://secunia.com/advisories/60024http://secunia.com/advisories/60034http://secunia.com/advisories/60044http://secunia.com/advisories/60055http://secunia.com/advisories/60063http://secunia.com/advisories/60193http://secunia.com/advisories/60325http://secunia.com/advisories/60433http://secunia.com/advisories/61065http://secunia.com/advisories/61128http://secunia.com/advisories/61129http://secunia.com/advisories/61283http://secunia.com/advisories/61287http://secunia.com/advisories/61291http://secunia.com/advisories/61312http://secunia.com/advisories/61313http://secunia.com/advisories/61328http://secunia.com/advisories/61442http://secunia.com/advisories/61471http://secunia.com/advisories/61485http://secunia.com/advisories/61503http://secunia.com/advisories/61550http://secunia.com/advisories/61552http://secunia.com/advisories/61565http://secunia.com/advisories/61603http://secunia.com/advisories/61633http://secunia.com/advisories/61641http://secunia.com/advisories/61643http://secunia.com/advisories/61654http://secunia.com/advisories/61703http://secunia.com/advisories/61780http://secunia.com/advisories/61816http://secunia.com/advisories/61857http://secunia.com/advisories/62312http://secunia.com/advisories/62343http://support.novell.com/security/cve/CVE-2014-6278.htmlhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bashhttp://www.mandriva.com/security/advisories?name=MDVSA-2015:164http://www.novell.com/support/kb/doc.php?id=7015721http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.htmlhttp://www.qnap.com/i/en/support/con_show.php?cid=61http://www.ubuntu.com/usn/USN-2380-1http://www.vmware.com/security/advisories/VMSA-2014-0010.htmlhttp://www-01.ibm.com/support/docview.wss?uid=isg3T1021272http://www-01.ibm.com/support/docview.wss?uid=isg3T1021279http://www-01.ibm.com/support/docview.wss?uid=isg3T1021361http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004879http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004915http://www-01.ibm.com/support/docview.wss?uid=swg21685541http://www-01.ibm.com/support/docview.wss?uid=swg21685604http://www-01.ibm.com/support/docview.wss?uid=swg21685733http://www-01.ibm.com/support/docview.wss?uid=swg21685749http://www-01.ibm.com/support/docview.wss?uid=swg21685914http://www-01.ibm.com/support/docview.wss?uid=swg21686131http://www-01.ibm.com/support/docview.wss?uid=swg21686246http://www-01.ibm.com/support/docview.wss?uid=swg21686445http://www-01.ibm.com/support/docview.wss?uid=swg21686479http://www-01.ibm.com/support/docview.wss?uid=swg21686494http://www-01.ibm.com/support/docview.wss?uid=swg21687079http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315https://bugzilla.redhat.com/show_bug.cgi?id=1147414https://kb.bluecoat.com/index?page=content&id=SA82https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648https://kc.mcafee.com/corporate/index?page=content&id=SB10085https://security-tracker.debian.org/tracker/CVE-2014-6278https://support.citrix.com/article/CTX200217https://support.citrix.com/article/CTX200223https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.htmlhttps://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04497075https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04518183https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673&src=securityAlertshttps://www.exploit-db.com/exploits/39568/https://www.exploit-db.com/exploits/39887/https://www.suse.com/support/shellshock/http://tools.cisco.com/security/center/viewAlert.x?alertId=35880https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2014-6278https://www.exploit-db.com/exploits/39568/https://nvd.nist.govhttps://usn.ubuntu.com/2380-1/