How to Check if Bash has Shellshock Vulnerability?

Shellshock vulnerability was found during the late 2014 (to be precise, the impact was posted on CVE-2014-6271 on 24 September 2014). Later an update was released in bash version 4.1.2-15 with a fix for Shellshock vulnerability. Well, the entire world gone on to update the bash and secured their shell from Shellshock, but surprisingly many machines in my office were not updated for whatever reasons. The scary part is, few of those machines with vulnerable shell were hosting many services in the internet. According to various blogs in the internet, Shellshock exploit allows an attacker to remotely execute a malicious command in bash via CGI scripts.

(I know this tutorial is pretty late, but there are many who are not aware of it and still using vulnerable bash on their public servers)

update bash from source

The first thing is to check if your BASH is Shellshock vulnerable or not. So any bash version prior to 4.1.2 is sure to have this vulnerability.

$ bash --version
 GNU bash, version 3.2.25(1)-release (x86_64-redhat-linux-gnu)

(or)

$ rpm -qa|grep bash
 bash-completion-1.3-7.el5
 bash-3.2-32.el5_9.1

Now you know the version, so execute the below commands to confirm it’s vulnerable to Shellshock.

$ env x='() { :;}; echo vulnerable' bash -c "echo If you see the word vulnerable above, you are vulnerable to shellshock"
 vulnerable
 If you see the word vulnerable above, you are vulnerable to shellshock

Solution:

Jump to the bottom of this post. In case, if you wish to know how shellshock works, then read through.

Understanding the export variables in SHELL :

As the above output says, your SHELL is vulnerable, but let’s see how it works.

Normally, you can set an environment variable and use it in a shell. For example, as below:

$ test=1
 $ echo $test
 1

But you can’t directly use the env variable ‘test’ in a new bash shell. Check it out:

$ test=1
 $ echo $test
 1
 $ bash
 $ echo $test

Output is blank. The reason is, an environment variable is available for access only in the same shell. But if you export an environment variable, then it’s available for a new bash shell as well. Here’s an example:

$ var="testing"
 $ export var
 $ bash
 $ echo $var
 testing

Now you can see variable ‘$var’ was set and exported in one shell and accessed from another shell. Of course, you can stop export anytime using the below command.

$ export -n var
 $ bash
 $ echo $var

Similarly, you can create functions and export it in one shell and access the exported function from another shell. Let us see that example as well.

$ fnc() { echo "testing"; }
 $ fnc
 testing
 $ bash
 $ fnc
 bash: fnc: command not found

In the above output you see ‘bash: fnc: command not found‘ because, the fnc is not an exported function. So you cannot call it from another shell.

Let’s export ‘fnc‘ as well.

$ export -f fnc
 $ fnc
 testing
 $ bash
 $ fnc
 testing

It works as expected (since ‘fnc‘ was exported and it’s available in another shell).

Exporting a variable or a function will set an environment variable

$ env | grep -A1 fnc
 fnc=() { echo "testing"
 }

Now Shellshock exploit

Based on the above examples, we learnt that a new bash shell ingests the definition of an environment variable starting with () and interprets it as a function. But vulnerability here’s, the new shell will execute whatever present in the quote.

For example:

Execute the below command:

$ export sse_fnc='() { echo "function shellshock exploit" ; }; echo "Not good"; '

Check env variable for ‘sse_fnc’:

$ env | grep -A1 sse_fnc
 sse_fnc=() { echo "function shellshock exploit" ; }; echo "Not good";

Go to new bash shell:

$ bash
 Not good

Note: We just typed ‘bash‘ and you see the text ‘Not good‘ printed. It means, the new shell starts to execute the function after reading the environment variable and executes the trailing commands as well (even though the function brace closed after the ‘echo “function shellshock exploit” ;’).

In other words “The exported variable sse_fnc was passed to the subshell which was interpreted as a function sse_fnc but the trailing commands were executed (this is bad) as the subshell spawned.”

via Fixee@StackExchange

how this vulnerability can be exploited?

I don’t think anyone can explain better than this guy (shellshocker.net). Thanks man!

How to Fix Shellshock?

Simple, update your bash and try the exploit to check whether the vulnerability has gone away.

$curl https://shellshocker.net/fixbash | sh

The above command will automatically download around 30+ patches and compile bash from source. You can regularly run this script to keep your bash updated with latest patches.

Once the installation is successful. Check bash version as below:

$bash --version
 GNU bash, version 4.3.42(1)-release (x86_64-unknown-linux-gnu)

Test Shellshock vulnerability:

$env x='() { :;}; echo vulnerable' bash -c "echo If you see the word vulnerable above, you are vulnerable to shellshock
 If you see the word vulnerable above, you are vulnerable to shellshock

From the above output, it didn’t print “vulnerable’ word. So my bash is secure!

(or)

$env X='() { (shellshocker.net)=>\' bash -c "echo date"; cat echo; rm ./echo

If BASH is vulnerable, the above command will output date. Else, BASH is secure.

Updated on September 2, 2017

Was this article helpful?

Related Articles

Leave a Comment