1

I was looking over the new Bash exploit and was looking at this post in particular.

Attack scenarios of the new Bash vulnerability

What I don't understand is how does including bash in the user-agent string cause it to be executed. It seems odd to me that the user agent would ever be executed on the server. I know this i a broad question but I am just looking for a general understanding of how this is allowed to happen if possible.

EDIT:

Doing some further research I read through this which kind of cleared some stuff up for me.

https://stackoverflow.com/questions/2089271/i-never-really-understood-what-is-cgi

Which explains that CGI is setting some environmental variables and some other input via stdin. Why no guard is in place to keep this from simply being a string is beyond me or why you are able to pass a bash function in a header.

eatingthenight
  • 113
  • 1
  • 6
  • http://unix.stackexchange.com/a/157401/16841 You want to chech out several of the Q&A on http://unix.stackexchange.com/questions/tagged/shellshock – jippie Sep 25 '14 at 18:25
  • I understand how that works. It's setting the User-Agent which is then being used as an environmental variable which is getting executed by CGI. Why CGI does not have some kind of sanitation for this is what I am more curious about. I updated the post to hopeful make it a little more clear. – eatingthenight Sep 25 '14 at 18:37
  • I think http://unix.stackexchange.com/a/157495/16841 answeers that. – jippie Sep 25 '14 at 18:41
  • Awesome that is what I was looking for! Thank you! – eatingthenight Sep 25 '14 at 18:51

1 Answers1

2

What you are refering to is the Shellshock Bug, see https://blog.cloudflare.com/inside-shellshock/

The Shellshock problem specifically occurs when an attacker modifies the origin HTTP request to contain the magic () { :; }; string discussed above.

Suppose the attacker change the User-Agent header above from Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36 to simply () { :; }; /bin/eject. This creates the following variable inside a web server:

HTTP_USER_AGENT=() { :; }; /bin/eject

If that variable gets passed into bash by the web server, the Shellshock problem occurs. This is because bash has special rules for handling a variable starting with () { :; };. Rather than treating the variable HTTP_USER_AGENT as a sequence of characters with no special meaning, bash will interpret it as a command that needs to be executed (I've omitted the deeply technical explanations of why () { :; }; makes bash behave like this for the sake of clarity in this essay.)

The problem is that HTTP_USER_AGENT came from the User-Agent header which is something an attacker controls because it comes into the web server in an HTTP request. And that's a recipe for disaster because an attacker can make a vulnerable server run any command it wants (see examples below).

The solution is to upgrade bash to a version that doesn't interpret () { :; }; in a special way.

rubo77
  • 2,370
  • 10
  • 26
  • 49