Shellshock Bash Bug Complete List of Vulnerabilities by Red Lizzrd

Shellshock aka Bash Bug  was discovered just one week back and its growing day by day. Most of  researchers are aware of just two vulnerabilities related to shellshock or bash bug i.e. CVE-2014-6271 and CVE-2014-7169. But my friends there are lot more vulnerabilities that come under the scope of . Today i will share complete list of vulnerabilities which are related to Shellshock bash bug. In our previous two articles, we have learned about basics of  i.e.bash vulnerability and how to patch those. Today we will learn how to test all vulnerabilities related to Shellshock aka .
 
Shellshock Bash Bug Complete List of Vulnerabilities by Hackingloops
Shellshock Bash Bug Complete List of Vulnerabilities and Test String
 
 
 
Complete list of Shellshock bash bug vulnerabilities and how to test that you are vulnerable to them:
 

CVE-2014-6271:

 
Overview: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
 
Testing CVE-2014-6271 that you are vulnerable or not. Open bash prompt and run the below command:
 
env X='() { :; }; echo “CVE-2014-6271 vulnerable”‘ bash -c id
If you get “CVE-2014-6271 vulnerable” then it means you are vulnerable, if you get bash error that means your version of bash is not vulnerable.
 
Impact: Network exploitable, no authentication required for running the exploit, allows unauthorized disclosure of information, allows unauthorized modification and even allows Distributed DOS attack.
Complete details of CVE-2014-6271 vulnerability : NIST
 

CVE-2014-7169 :

Overview: GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.
Testing CVE-2014-7169 that you are vulnerable or not. Open bash prompt and run the below command:
env X='() { (a)=>’ bash -c “echo date”; cat echo
If you are vulnerable to CVE-2014-7169, then it will create a file named echo in cwd with date in it.
Impact: Network exploitable, no authentication required for running the exploit, allows unauthorized disclosure of information, allows unauthorized modification and even allows Distributed DOS attack.
Complete details of CVE-2014-7169 vulnerability : NIST

CVE-2014-6277 :

Overview: GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.
How to test you are vulnerable to CVE-2014-6277 or not. Just test the following code in shell:
foo='() { echo CVE-2014-6277 Vulnerable; }’ bash -c foo
If you get “CVE-2014-6277 Vulnerable” then it means you are vulnerable.
This vulnerability causes an attempt to access uninitialized memory leading to reads from, and then subsequent writes to, a pointer that is fully within attacker’s control. Basically untrusted pointer use issue leading to remote code execution.
Impact: Network exploitable, no authentication required for running the exploit, allows unauthorized disclosure of information, allows unauthorized modification and even allows Distributed DOS attack.
Complete details of CVE-2014-6277 vulnerability : NIST

CVE-2014-6278 :

Overview: GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
Red Hat believes that changes introduced via updates RHSA-2014:1306, RHSA-2014:1311, and RHSA-2014:1312 that prevent Bash from defining new functions based on arbitrary environment variables sufficiently mitigate this issue.
The underlying parser flaw has not yet been disclosed and might still exist in latest released bash packages. However Florian Weimer’s variables-affix.patch patch applied in Debian prevents exploitation of this issue by making bash only use environment variables with specific names (BASH_FUNC_*()) to define functions from its environment.
How to test you are vulnerable to CVE-2014-6277 or not. Just test the following code in shell:
foo='() { echo CVE-2014-6278 Vulnerable; }’ bash -c foo

If you get “CVE-2014-6278 Vulnerable” then it means you are vulnerable.  In order to patch this Florian patch is available online.
Complete details of CVE-2014-6278 vulneraiblity : NIST

CVE-2014-7186 :

Overview: The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the “redir_stack” issue.
How to test you are vulnerable to CVE-2014-7186 or not. Just test by running below string in shell:
bash -c ‘true <
If you get “CCVE-2014-7186 Vulnerable” then you are vulnerable to this.
Impact: Network exploitable, no authentication required for running the exploit, allows unauthorized disclosure of information, allows unauthorized modification and even allows Distributed DOS attack.
Complete details of CVE-2014-7286 vulnerability : NIST

CVE-2014-7187 :

Overview: Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the “word_lineno” issue.
How to test you are vulnerable to CVE-2014-7186 or not. Just test by running below string in shell:
(for x in {1..200} ; do echo “for x$x in ; do :”; done; for x in {1..200} ; do echo done ; done) | bash || echo “CVE-2014-7187 vulnerable, word_lineno”
If you get “CVE-2014-7187 Vulnerable” then it means you are vulnerable to this bug.
Impact: Network exploitable, no authentication required for running the exploit, allows unauthorized disclosure of information, allows unauthorized modification and even allows Distributed DOS attack.
Complete details of CVE-2014-7286 vulnerability : NIST
Recommended Articles related to Bash Bug or Shellshock vulnerability:
1. SHELLSHOCK BASH BUG IN LINUX, UNIX, MAC OS X TUTORIAL AND PATCH
 
2.  HOW TO FIX SHELLSHOCK BASH VULNERABILITY TUTORIAL
 
 

That’s all for today. In my later articles we learn more about Proof of concept of all vulnerabilities related to Shellshock Bash bug. So keep connected and keep learning.