Dhclient Bash Environment Variable Injection (Shellshock)
This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domainname, and URL which are then passed to the configuration scripts as environment variables, resulting in code execution. Due to length restrictions and the unusual networking scenario at the time of exploitation, this module achieves code execution by writing the payload into /etc/crontab and then cleaning it up after a session is created.
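A defensive check for the delivery path described above, as an added example that is not part of the Metasploit module: it parses the options of a DHCP reply and flags any value that begins a Bash function definition. The option codes (12 host name, 15 domain name, 114 URL), the function names and the sample packet are assumptions constructed for this illustration.

```ruby
# Added example (not Metasploit code): flag DHCP reply options that carry a
# Bash function-definition prefix, the trigger for CVE-2014-6271.
# Assumed option codes: 12 = host name, 15 = domain name, 114 = URL.
WATCHED = { 12 => 'hostname', 15 => 'domainname', 114 => 'url' }.freeze
MAGIC   = [0x63, 0x82, 0x53, 0x63].pack('C*').freeze # DHCP magic cookie
# Vulnerable Bash imports a variable as a function when its value starts
# with "() {"; optional whitespace is tolerated here to flag conservatively.
FUNCDEF = /\A\s*\(\)\s*\{/

# Return [code, value] pairs from a raw BOOTP/DHCP message (UDP payload).
def dhcp_options(packet)
  data = packet.b
  return [] unless data.bytesize >= 240 && data.byteslice(236, 4) == MAGIC
  opts = []
  pos = 240
  while pos < data.bytesize
    code = data.getbyte(pos)
    break if code == 255                 # end option
    if code.zero?                        # pad option has no length byte
      pos += 1
      next
    end
    len = data.getbyte(pos + 1)
    break if len.nil? || pos + 2 + len > data.bytesize # truncated option
    opts << [code, data.byteslice(pos + 2, len)]
    pos += 2 + len
  end
  opts
end

# dhclient exports many options to its scripts as environment variables, so
# all are checked; the three named in the description get readable labels.
def shellshock_findings(packet)
  dhcp_options(packet)
    .select { |_code, value| value.match?(FUNCDEF) }
    .map { |code, value| { option: WATCHED.fetch(code, "option-#{code}"), value: value } }
end

# Constructed sample reply: zeroed BOOTP header, then the given options.
def sample_reply(options)
  body = options.map { |code, v| [code, v.bytesize].pack('CC') + v.b }.join
  "\x02".b + ("\x00".b * 235) + MAGIC + body + "\xff".b
end

reply = sample_reply([[12, '() { :; }; true'], [15, 'example.test'], [114, '() { :; }; true']])
shellshock_findings(reply).each { |f| puts "suspicious #{f[:option]}: #{f[:value]}" }
```

The same prefix test can be applied to the new_* variables inside a dhclient hook script on hosts where Bash has not yet been patched.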
Module Name
exploit/unix/dhcp/bash_environment
Authors
- Stephane Chazelas
- egypt <egypt [at] metasploit.com>
References
- AKA-Shellshock
- CVE-2014-6271
- CWE-94
- OSVDB-112004
- EDB-34765
- URL: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
- URL: http://seclists.org/oss-sec/2014/q3/649
- URL: https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
Targets
- Automatic Target
Platforms
- unix
Architectures
- cmd
Reliability
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/unix/dhcp/bash_environment
msf exploit(bash_environment) > show targets
...targets...
msf exploit(bash_environment) > set TARGET <target-id>
msf exploit(bash_environment) > show options
...show and set options...
msf exploit(bash_environment) > exploit
Related Vulnerabilities
- Vulnerability in Bash on AIX with Toolbox
- Alpine Linux: CVE-2014-6271: bash Shellshock vulnerabilities allowing remote code execution
- Amazon Linux AMI: Security patch for bash (ALAS-2014-418) (CVE-2014-6271)
- OS X update for Bash (CVE-2014-6271)
- Cisco NX-OS: GNU Bash Environment Variable Command Injection Vulnerability (Multiple CVEs)
- GNU Bash Environment Variable Command Injection Vulnerability
- Cisco SAN-OS: GNU Bash Environment Variable Command Injection Vulnerability (Multiple CVEs)
- GNU Bash Environment Variable Command Injection Vulnerability
- DSA-3032-1 bash -- security update
- FreeBSD: bash -- remote code execution vulnerability (Multiple CVEs)
- Gentoo Linux: CVE-2014-6271: Bash: Code Injection
- CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands
- ELSA-2014-1293 Critical: Oracle Linux bash security update
- ELSA-2014-1294 Critical: Oracle Linux bash security update
- RHSA-2014:1293: bash security update
- RHSA-2014:1294: bash security update
- RHSA-2014:1295: bash Shift_JIS security update
- RHSA-2014:1354: rhev-hypervisor6 security update
- Oracle Solaris 11: CVE-2014-6271: Vulnerability in Bash
- Sun Patch: SunOS 5.10: bash patch
- Sun Patch: SunOS 5.10_x86: bash patch
- Sun Patch: SunOS 5.9: bash patch
- Sun Patch: SunOS 5.9_x86: bash patch
- Sun Patch: SunOS 5.8: bash patch
- Sun Patch: SunOS 5.8_x86: bash patch
- USN-2362-1: Bash vulnerability
Related Modules
- DHCP Client Bash Environment Variable Code Injection (Shellshock)
- OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
- Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
- Qmail SMTP Bash Environment Variable Injection (Shellshock)
- Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
- CUPS Filter Bash Environment Variable Code Injection (Shellshock)
- Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
- Advantech Switch Bash Environment Variable Code Injection (Shellshock)
- IPFire Bash Environment Variable Injection (Shellshock)