TTP Tuesday: ShellShock CVE-2014-6271

Nearly a decade later ShellShock is still alive and well

This week marks a theme change from adversary emulation to CVE exploitation. Over the next 6 weeks we’ll release exploits that test whether a machine is exploitable to specific Linux CVEs. Each TTP will return an exit code of 0 (exploitable) or 1 (not exploitable) when executed. Read about our motivation.

CVE-2014-6271: ShellShock

ShellShock is a vulnerability that allows arbitrary code to execute on a Linux computer. It does this by taking advantage of how Bash (a program found on most Linux machines) evaluates environment variables.

When a new terminal session is started the environment is read into it, including all variables that were previously set. Environment variables are useful because they let you set-and-forget common values (like passwords) or functions that you don’t want to run manually each time you load a terminal. Bash handles this by evaluating the variables when the session starts but not actually executing the code. This makes them available to run.

Up until the ShellShock patch was rolled out (after Bash 4.3), environment variables could be exploited by adding arbitrary code immediately following the setting of any environment variable. This arbitrary code does execute when the terminal session is started. And this arbitrary code is in fact arbitrary, allowing an adversary to run anything they want each time a session is started.

This vulnerability was first discovered in 2014. It had been around for decades prior.

Testing

Execute Operator’s ShellShock TTP on each Linux box in your environment to test if you are vulnerable. Yes, this TTP was patched long ago - but many environments are still running older Linux distributions (like Ubuntu 12.04) or have older versions of bash installed without anyone knowing.

Bash is an internal program that isn’t exposed to your perimeter testing (like vulnerability scanners) so you should test on the box - not just the perimeter.

Vulnerability scanners typically test this CVE by relying on an exposed service running on the server. For example, if the server is running an HTTP service, they will craft specific HTTP headers with the malicious code to see if it executes. This will expose whether ShellShock can be exploited remotely - which is extremely dangerous - but keep in mind you should know if it is exploitable at all, remotely or otherwise.

Remediation

Yes, we know this is an old CVE. We wanted to start our new CVE theme with a vulnerability that is familiar, straight forward to read/understand and still found in the wild today. ShellShock meets that criteria.

Upgrade Bash to the latest version.

Watch a demonstration: ShellShock CVE-2014-6271

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman