Shellshock (CVE-2014-6271): Exploiting Bash for Remote Code Execution

Shellshock, also known as CVE-2014-6271, is a critical vulnerability in Bash, the default shell on many Unix-like systems. It allows an attacker to execute arbitrary commands remotely by abusing the way Bash processes environment variables: when Bash starts, it imports exported shell functions from the environment, and vulnerable versions keep parsing past the end of the function body and execute whatever commands follow it. Because this happens while the environment is being imported, the injected code runs before any script does.
In a penetration testing scenario, an attacker can exploit Shellshock by sending specially crafted values in places a server turns into environment variables, most often HTTP headers such as User-Agent or Referer, which a CGI-enabled web server copies into the environment of the script it runs. For instance, a malicious request might look like this:
curl -H "User-Agent: () { :; }; /bin/bash -c 'whoami'" http://victim.com/cgi-bin/test
This request forces Bash to execute the whoami command, revealing the user under which the web service is running. If the web service runs with elevated privileges, an attacker could gain full control of the server.
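From the defender's side, the request above leaves a clear trace in the web server's access log: a header value beginning with a Bash function definition. The following Python script is an added example and not part of the original article; it parses Apache/nginx combined-format log lines (the constructed sample lines and addresses below are made up for the example) and reports every User-Agent or Referer value that carries the Shellshock function-definition prefix.

```python
import re

# Shellshock payloads put a Bash function definition in an environment
# variable value: "() {" followed by a body and then trailing commands.
# Only the "() {" prefix is needed to flag an attempt; the trailing command
# differs from probe to probe (whoami, sleep, download-and-run one-liners).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (not real traffic); addresses come from the
# RFC 5737 documentation ranges. Line 1 carries the payload in User-Agent,
# line 3 carries a whitespace variant in Referer, lines 2 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Sep/2014:10:01:02 +0000] "GET /cgi-bin/test HTTP/1.1" 200 512 "-" "() { :; }; /bin/bash -c 'whoami'"
198.51.100.7 - - [24/Sep/2014:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [24/Sep/2014:10:01:04 +0000] "GET /cgi-bin/status HTTP/1.1" 200 300 "(){ :; }; /bin/sleep 5" "curl/7.38.0"
198.51.100.8 - - [24/Sep/2014:10:01:05 +0000] "GET /cgi-bin/test HTTP/1.1" 200 512 "http://example.com/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(log_text):
    """Return one finding per header value that carries a Shellshock-style payload."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the scan
        for field, header in (("ua", "User-Agent"), ("referer", "Referer")):
            if SHELLSHOCK_RE.search(rec[field]):
                findings.append({
                    "ip": rec["ip"],
                    "time": rec["ts"],
                    "header": header,
                    "request": rec["req"],
                    "status": int(rec["status"]),
                })
    return findings


if __name__ == "__main__":
    for f in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['header']} -> {f['request']} (HTTP {f['status']})")
```

The pattern is deliberately loose (`\s*` between the parentheses and the brace) because the space in `() {` is not required by Bash's parser. Two limitations worth knowing: the combined format only records User-Agent and Referer, so payloads in other headers (Cookie, Host, custom headers) are invisible in the log and need inspection at a reverse proxy or IDS; and a 200 response to a /cgi-bin/ path is a stronger signal than a 404, so the status field is carried in each finding for triage.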
Penetration testers typically use tools like Nmap to identify vulnerable systems running CGI scripts with Bash. Once a vulnerable target is identified, they can inject payloads into HTTP headers and attempt to execute arbitrary commands on the server. If successful, penetration testers may escalate their privileges by exploiting other vulnerabilities, gaining higher access levels on the system.
Shellshock can also be exploited through other services, such as SSH or DHCP, if they pass attacker-controlled values to Bash through environment variables (for SSH, the client's requested command when a forced command is configured; for DHCP, option values handed to the client's network configuration script). This makes the vulnerability widespread and highly dangerous, as it allows attackers to compromise a system remotely and escalate privileges.
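Because every one of these vectors ends at the same Bash binary, the mitigation is the same for all of them: patch Bash and verify the patch. The script below is an added example, not code from the original article; it runs the standard regression probe for CVE-2014-6271 against the local bash binary and classifies it. The probe value has the same shape as the payload shown earlier, but the trailing command only echoes a marker string; an unpatched Bash prints it while importing the environment, a patched Bash never treats an ordinary variable as a function. The environment-variable name SHELLSHOCK_PROBE and the marker text are arbitrary choices for this example.

```python
import os
import shutil
import subprocess

# Function definition followed by a trailing command, exactly the shape a
# vulnerable Bash mis-parses. The trailing command here is harmless: it only
# echoes a marker that the caller looks for.
PROBE_VALUE = "() { :; }; echo SHELLSHOCK_VULNERABLE"


def check_bash(bash_path=None, timeout=10):
    """Return 'patched', 'vulnerable', or 'unknown' (no usable bash binary)."""
    bash = bash_path or shutil.which("bash")
    if bash is None or not os.access(bash, os.X_OK):
        return "unknown"
    # Minimal environment: PATH for the child plus the probe variable.
    env = {"PATH": "/usr/bin:/bin", "SHELLSHOCK_PROBE": PROBE_VALUE}
    proc = subprocess.run(
        [bash, "-c", "echo probe-complete"],
        env=env, capture_output=True, text=True, timeout=timeout,
    )
    if "SHELLSHOCK_VULNERABLE" in proc.stdout:
        return "vulnerable"  # the trailing command ran during env import
    if proc.returncode == 0 and "probe-complete" in proc.stdout:
        return "patched"     # bash ran normally and ignored the definition
    return "unknown"         # bash failed to start or produced no output


if __name__ == "__main__":
    print(f"bash CVE-2014-6271 status: {check_bash()}")
```

Run this on each host after applying the vendor update, and on any image or container base layer that ships Bash. The probe only covers the original parser flaw; the follow-up Bash CVEs released in the days after the first fix have their own regression tests and should be verified separately.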