2

I have been trying to exploit the Shellshock vulnerability in my system and ran into an interesting problem. I have been using 'wget' to exploit the vulnerability. The command I am using is as follows:

wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" http://somesite.com/some-script.cgi

Using the above command, the vulnerability shows as expected. However, when I try to wget a file which is not a .cgi file, the vulnerability does not show up and only the file is downloaded.

From what I understand, wget should set the User-Agent string to the value passed in the command which should run the code /bin/cat /etc/passwd and I fail to see how this has anything to do with the nature of the file being downloaded.

Thanks in advance.

4ae1e1
  • 7,228
  • 8
  • 44
  • 77
Rabee
  • 637
  • 5
  • 19

1 Answers1

2

In order to exploit the shellshock bug, the following steps need to occur:

  1. you must get the target server to inject a specific string into an environment variable, and

  2. after setting the environment variable, the target must (directly or indirectly) launch (a vulnerable version of) the bash shell.

One way this can happen is when a web server executes an external program through the Common Gateway Interface (CGI), and the external program either is a bash shell script, or otherwise invokes bash. This happens because CGI protocol specifies that headers from the original HTTP request are passed to the external program in environment variables with the prefix HTTP_ (e.g. HTTP_USER_AGENT for the User-Agent header). Since the attacker can control those headers, they can also directly control the values of those environment variables.

However, the web server needs to set those environment variables only when invoking an external program via CGI. When delivering a static file, the server only needs to read that file from the disk and send it back to the client; it doesn't need to set any environment variables or invoke any external tools like bash.

Ilmari Karonen
  • 49,047
  • 9
  • 93
  • 153
  • Right. So my question is, when I'm using 'wget' to get a file from a web server, it only needs to read the file, even if the file is a .cgi file. Why would the exploit be affected by the type of file being fetched? – Rabee Nov 20 '15 at 19:52
  • 1
    A CGI script (which, I assume, your webserver is configured to treat files with the .cgi suffix as) isn't just read from the disk and sent to you as is -- rather, it is *executed* by the server, and its *output* is sent to you. If the file being executed happens to be a bash script (i.e. a text file that begins with `#!/bin/bash`), then executing it will cause the OS to call bash, and thus potentially trigger the shellshock bug. For more background on how CGI scripts work, you might want to take a look at the Wikipedia links I included in my answer. – Ilmari Karonen Nov 20 '15 at 20:13
  • Ah okay. Now that clears things up. I kind of have an idea how cgi scripts work but I did not know that they are executed when you 'wget' them and their output was fetched. I thought the file itself was fetched. – Rabee Nov 20 '15 at 20:37