DHCP Client Bash Environment Variable Code Injection (Shellshock)
This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domainname, and URL which are then passed to the configuration scripts as environment variables, resulting in code execution.
Module Name
auxiliary/server/dhclient_bash_env
Authors
- scriptjunkie
- apconole <apconole [at] yahoo.com>
- Stephane Chazelas
- Ramon de C Valle <rcvalle [at] metasploit.com>
References
- AKA-Shellshock
- CVE-2014-6271
- CWE-94
- OSVDB-112004
- EDB-34765
- URL: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
- URL: http://seclists.org/oss-sec/2014/q3/649
- URL: https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
Actions
- Service
Reliability
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use auxiliary/server/dhclient_bash_env
msf auxiliary(dhclient_bash_env) > show actions
...actions...
msf auxiliary(dhclient_bash_env) > set ACTION <action-name>
msf auxiliary(dhclient_bash_env) > show options
...show and set options...
msf auxiliary(dhclient_bash_env) > run
Related Vulnerabilities
- GNU Bash Environment Variable Command Injection Vulnerability
- RHSA-2014:1294: bash security update
- OS X update for Bash (CVE-2014-6271)
- ELSA-2014-1293 Critical: Oracle Linux bash security update
- RHSA-2014:1293: bash security update
- Sun Patch: SunOS 5.8: bash patch
- Cisco SAN-OS: GNU Bash Environment Variable Command Injection Vulnerability (Multiple CVEs)
- FreeBSD: bash -- remote code execution vulnerability (Multiple CVEs)
- Sun Patch: SunOS 5.10_x86: bash patch
- Sun Patch: SunOS 5.9: bash patch
- Alpine Linux: CVE-2014-6271: bash Shellshock vulnerabilities allowing remote code execution
- GNU Bash Environment Variable Command Injection Vulnerability
- Oracle Solaris 11: CVE-2014-6271: Vulnerability in Bash
- RHSA-2014:1295: bash Shift_JIS security update
- ELSA-2014-1294 Critical: Oracle Linux bash security update
- Cisco NX-OS: GNU Bash Environment Variable Command Injection Vulnerability (Multiple CVEs)
- Sun Patch: SunOS 5.8_x86: bash patch
- Vulnerability in Bash on AIX with Toolbox
- USN-2362-1: Bash vulnerability
- Sun Patch: SunOS 5.10: bash patch
- CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands
- DSA-3032-1 bash -- security update
- RHSA-2014:1354: rhev-hypervisor6 security update
- Amazon Linux AMI: Security patch for bash (ALAS-2014-418) (CVE-2014-6271)
- Sun Patch: SunOS 5.9_x86: bash patch
Related Modules
- Dhclient Bash Environment Variable Injection (Shellshock)
- OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
- Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
- Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
- CUPS Filter Bash Environment Variable Code Injection (Shellshock)
- Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
- Advantech Switch Bash Environment Variable Code Injection (Shellshock)
- IPFire Bash Environment Variable Injection (Shellshock)