Lab: Shellshock Understanding the problem.

Step 3: The Shell Shock Vulnerability

• Start a terminal
  • This is the command terminator, or the red icon on the right hand side.
  • You can nest these if you want, or just right click and select "Open a New Window" to start a second terminal.
  • The scroll button works to zoom.
  • Sorry Ms. Granger, I don't know how to make a funny cat cursor.
• Run /bin/bash_shellshock
  • The default bash is patched so this error will not occur.
• Because we will be changing shells frequently, set the prompt in this one so we know when we return.

  •  PS1="Shellshock : "

  • DO NOT EXPORT this
    • if you know what that is.
    • Don't worry if you don't.
• bash is a full programming language including functions
• We can declare a function foo as follows (assume $ is the prompt, do don't type it)
  • NOTE: Spaces are important.

  • $ foo='() { echo "running function foo"; }'
    $ export foo
    $ /bin/bash_shellshock
    $ foo

  • Note, we need to run shellshock bash here, the other versions of bash have been patched to eliminate these problems.
• You can see this definition by printenv
• Start a new shell
  • run /bin/bash_shellshock
  • Run foo to see that it is present.
  • Exit to get back to your original shell.
• Try this. You will need to get this right to move on.
• In bash a ; is a terminator in bash.
  • But bash will let us run multiple commands on one line.
  • Try whoami; uptime
• We can exploit these two things to unexpectedly run a program.
• Try this strange definition

  $ bug='() { echo "Good Code"; }; echo "Bad Code"'
  $ export bug
  $ printenv bug
  $ echo $bug
  $ /bin/bash_shellshock

  • Look at it by printenv bug
  • However when you start a new shell, you will see the bug.

  • $ /bin/bash_shellshock
    Bad Code
    $

  • In this case, when a new shell is started, the shellshock bug is exposed.
• What is happening?
  • When the new shell starts, it processes the environment variables.
  • the bug routine is stored as a function definition along with the extra code.
  • So when a new shell is started, it will parse and execute the code
    • Unfortunately the code to parse and execute, will also execute the command following the };
    • You can see this on line 340 - 350 of variables.c in the shellShock directory
• By parsing the environment and creating the function, bash inadvertently ran the extra code.
• A simple attack.
  • In the shellShock directory is a simple setuid program rootCode
  • Look at the source code
  • Notice this does a system call.
  • System calls are executed with /bin/sh, however
    • On most systems, /bin/sh is a link to /bin/bash
    • Or /bin/bash_shellshock in this case
  • Run rootCode, does it suffer from the shellshock bug?
  • Can you use this to gain root access? (YES)