A fun Bash bug: it doesn’t stop interpreting a variable at the end of a functions, and is, therefore, susceptible to arbitrary command execution. If you’re using CGIs, this becomes RCE.
For this example, I’ve chosen to abuse the user-agent setting:
Great, we get a page. Now lets go looking for a CGI script… and as it happens, we’ve found one, poc.cgi:
Requesting this CGI gives a nice picture of the environment:
Now, using the Bash bug, and the handy flag for setting the user-agent with curl, we do the following evil thing:
Notice that I’ve used a path that is owned by the webserver to avoid permission issues. Also, in quick testing, anything that wrote to STDOUT caused header errors. I even tried sending the content type in the user-agent definition. Back to checking on the damage that we have done:
So there it is, RCE for a Bash CGI script.
Getting around the STDOUT issue wrecking headers is easier than I thought; cat the file and redirect the output, then fetch the file:
and the fetch:
Seeing some slick reverse shells now on pastebin. This is going to be nasty, especially on embedded systems that aren’t using busybox.
Talked with @loganattwood
OOB about timing attacks against DHCP lease expiry & passing shellcode via DHCP options. Nice privilege escalation scenario.