{"id":14127,"date":"2014-09-27T14:14:22","date_gmt":"2014-09-27T19:14:22","guid":{"rendered":"http:\/\/bucktownbell.com\/?p=14127"},"modified":"2014-09-27T17:49:52","modified_gmt":"2014-09-27T22:49:52","slug":"shellshock-how-does-it-actually-work","status":"publish","type":"post","link":"http:\/\/bucktownbell.com\/?p=14127","title":{"rendered":"Shellshock: How does it actually work?"},"content":{"rendered":"<blockquote><p><code>env x='() { :;}; echo OOPS' bash -c :<\/code><br \/>\nThe \u201cenv\u201d command runs a command with a given variable set. In this case, we\u2019re setting \u201cx\u201d to something that looks like a function. The function is just a single \u201c:\u201d, which is actually a simple command which is defined as doing nothing. But then, after the semi-colon which signals the end of the function definition, there\u2019s an echo command. That\u2019s not supposed to be there, but there\u2019s nothing stopping us from doing it.<\/p><\/blockquote>\n<p>via <a href=\"http:\/\/fedoramagazine.org\/shellshock-how-does-it-actually-work\/\">Shellshock: How does it actually work? | Fedora Magazine<\/a>.<\/p>\n<blockquote><p>But \u2014 oops! When that new shell starts up and reads the environment, it gets to the \u201cx\u201d variable, and since it looks like a function, it evaluates it. The function definition is harmlessly loaded \u2014 and then our malicious payload is triggered too. So, if you run the above on a vulnerable system, you\u2019ll get \u201c<tt>OOPS<\/tt>\u201d printed back at you. 
Or, an attacker could do a lot worse than just print things.<\/p><\/blockquote>\n<p>I copied and pasted the above env command and it echoes back OOPS. This web server has been (I suspect) scanned already once, with the scanner placing a ping command in the User-Agent HTTP header. Apparently the User-Agent value gets handed to any CGI script as an environment variable (HTTP_USER_AGENT), so when that script is bash, or calls out to bash, the new shell parses the fake function definition at startup and runs the command smuggled in after it. The only catch is that the attacker needs some kind of CGI script to hit, and there are none on this site. This site simply returned 404 (file not found) to the scanner.<\/p>\n<p>This could be problematic on sites with a lot of CGI scripts. There is also an exploit that can affect a DHCP client obtaining an IP address from a malicious server, since the client passes server-supplied option values to a bash hook script through its environment in the same way. I&#8217;ll find an explanation of that and put that up in its own post. This story is evolving and even has its own brand name now &#8212; Shellshock.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>env x='() { :;}; echo OOPS' bash -c : The \u201cenv\u201d command runs a command with a given variable set. In this case, we\u2019re setting \u201cx\u201d to something that looks like a function. 
The function is just a single \u201c:\u201d, &hellip; <a href=\"http:\/\/bucktownbell.com\/?p=14127\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35],"tags":[1093,1125,28,1332],"class_list":["post-14127","post","type-post","status-publish","format-standard","hentry","category-operating-systems","tag-bash","tag-exploit-vector","tag-linux-command","tag-shellshock"],"_links":{"self":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/14127","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14127"}],"version-history":[{"count":2,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/14127\/revisions"}],"predecessor-version":[{"id":14129,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/14127\/revisions\/14129"}],"wp:attachment":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14127"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14127"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
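Added example for the post above. This is not code from the original post, from the Fedora Magazine article it quotes, or from the bucktownbell.com site: a shell script that runs the quoted env probe in a checkable way (a unique marker instead of the word OOPS, a no-op payload) and then applies the User-Agent observation from the post to a web server access log. The access-log lines are constructed for the example, with addresses from the documentation ranges, and the function names and the marker token are assumptions of this example, not anything from the page.

```shell
#!/usr/bin/env bash
# Added example (not from the blog post or the Fedora Magazine article).
# 1. a safe probe for the bash function-import bug the post demonstrates;
# 2. a check over access-log lines for the scanner traffic the author saw.

MARKER="shellshock-probe-$$"   # unique token: if it comes back, the payload ran

# Probe the bash binary given as $1 (default: the one on PATH). The value
# "() { :;}" looks like an exported function whose body is the ':' no-op
# builtin; everything after the closing brace is the smuggled command.
# Prints "vulnerable" when that trailing command ran, "patched" otherwise.
shellshock_probe() {
    bash_bin="${1:-bash}"
    out=$(env "x=() { :;}; echo $MARKER" "$bash_bin" -c : 2>/dev/null) || out=""
    if [ "$out" = "$MARKER" ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# Constructed Apache combined-log lines (documentation-range addresses),
# modelled on what the author describes: a scanner putting a ping command in
# the User-Agent and getting a 404, one normal request, and a second probe
# that hides the payload in the Referer field instead.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [27/Sep/2014:10:11:12 -0500] "GET /cgi-bin/test.cgi HTTP/1.1" 404 212 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"
198.51.100.2 - - [27/Sep/2014:10:12:00 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [27/Sep/2014:10:13:45 -0500] "GET /cgi-bin/status HTTP/1.0" 404 209 "(){ :;}; /bin/bash -c 'id'" "curl/7.35.0"
EOF
)

# Read a log on stdin and print the lines whose request line, Referer or
# User-Agent carries a function-definition prefix. Any header a CGI server
# exports into the environment is a carrier, so the whole line is matched.
# The regex accepts the whitespace variants "() {", "(){" and "()  {".
find_shellshock_probes() {
    grep -E '\(\)[[:space:]]*\{' || true
}

# Same filter, printing only the number of matching lines (0 when none).
count_shellshock_probes() {
    find_shellshock_probes | grep -c .
    return 0   # the count is the result; grep's own status is not
}

# Distinct source addresses of the probing hosts, e.g. for a blocklist.
probe_sources() {
    find_shellshock_probes | awk '{ print $1 }' | sort -u
}

# When run directly: report on this host's bash, then on the sample log.
printf 'bash on PATH: %s\n' "$(shellshock_probe)"
printf 'probe requests in sample log: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_probes)"
printf 'probing hosts:\n%s\n' "$(printf '%s\n' "$SAMPLE_LOG" | probe_sources)"
```

To check a real server, pipe the access log into find_shellshock_probes (for example `cat /var/log/httpd/access_log | find_shellshock_probes`). The probe uses a no-op body and a per-run marker rather than the ping the scanner used, so it is safe to run on a production host; a "patched" result only means this bash no longer imports functions from arbitrary environment variables, which is the bug the post describes, and the follow-up parser bugs found in bash in the days afterwards need their own tests.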