Tag Archives: bash

Shellshock DHCP RCE Proof of Concept

DHCP bash shellshock POC:

1) Just about any DHCP string value should work for the exploit.

Value 114 is URL, which is a string and should be reliable for use.

2) Start a DHCP server on the network and set the string value for 114 to:
() { ignored;}; echo 'foo'

Replace the "echo 'foo'" portion of the string with whatever command you want the client to execute. Keep in mind that most clients run DHCP hook scripts as root, but may not have a full environment defined (PATH variables, etc.).

3) Test on the client by triggering a DHCP address renew; this would normally happen to victims when the interface comes up.

 

SOURCE: https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
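
Seen from the defending side, the PoC string above has a recognisable shape: vulnerable bash treated any environment value beginning with the four characters `() {` as a function definition and ran whatever followed the closing brace. The following added example (not part of the original post) flags DHCP option values of that shape; the option names and sample values are constructed, and `classify` and `scan_options` are hypothetical helper names.

```python
"""Flag DHCP option values shaped like bash function definitions (CVE-2014-6271)."""

# Vulnerable bash imported a function from any environment value starting with this.
FUNC_PREFIX = "() {"


def classify(value: str) -> tuple[str, str]:
    """Return (verdict, trailing) for one option value.

    verdict is "clean", "function-def" or "function-def+trailing";
    trailing is the text found after the function body's closing brace.
    """
    if not value.startswith(FUNC_PREFIX):
        return ("clean", "")
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:  # end of the function body
                trailing = value[i + 1:].strip(" \t;")
                if trailing:
                    return ("function-def+trailing", trailing)
                return ("function-def", "")
    # Unbalanced braces: still not a legitimate DHCP string value.
    return ("function-def", "")


def scan_options(options: dict[str, str]) -> list[dict]:
    """Return one finding per option whose value is not clean."""
    findings = []
    for name, value in options.items():
        verdict, trailing = classify(value)
        if verdict != "clean":
            findings.append({"option": name, "verdict": verdict, "trailing": trailing})
    return findings


# Constructed sample: option values as a DHCP client might hand them to hook scripts.
SAMPLE_OPTIONS = {
    "domain-name": "example.org",
    "option-114": "() { ignored;}; echo 'foo'",  # the string from the PoC above
    "root-path": "() { :; }",                    # definition with nothing after it
    "host-name": "boot() { x; }",                # does not start with the prefix
}

if __name__ == "__main__":
    for finding in scan_options(SAMPLE_OPTIONS):
        print(finding)
```

A value that only defines a function is reported too, since no legitimate DHCP string option should start with `() {`.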


CVE-2014-6271: remote code execution through bash, time to patch!

“Stephane Chazelas discovered a vulnerability in bash, related to how environment variables are processed: trailing code in function definitions was executed, independent of the variable name.”

In many common configurations, this vulnerability is exploitable over the network.

This vulnerability is actually really bad and you want to patch any Internet-facing systems ASAP! It allows remote, unauthenticated attackers to run code on vulnerable systems. It scores a 10 on the NVD severity scale: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

The good news is that it’s an easy fix:

Debian (Ubuntu, etc.):

sudo apt-get update
sudo apt-get upgrade bash

RHEL (Fedora, CentOS, etc.):

sudo yum update bash

 

Please refer to your operating system vendor’s instructions, for example:

 

via: http://seclists.org/oss-sec/2014/q3/649
