This week marks a theme change from adversary emulation to CVE exploitation. Over the next 6 weeks we’ll release exploits that test whether a machine is exploitable to specific Linux CVEs. Each TTP will return an exit code of 0 (exploitable) or 1 (not exploitable) when executed. Read about our motivation.

This week, we are releasing the following TTPs:

• CVE-2014-6271

CVE-2014-6271: ShellShock

Find this attack on chains.prelude.org.

ShellShock is a vulnerability that allows arbitrary code to execute on a Linux computer. It does this by taking advantage of how Bash (a program found on most Linux machines) evaluates environment variables.

When a new terminal session is started the environment is read, including all variables that were previously set. Environment variables are useful because they let you set-and-forget common values (like passwords) or functions that you don’t want to run manually each time you load a terminal. Bash handles this by evaluating the variables when the session starts but not actually executing them as code.

Up until the ShellShock patch was rolled out (after Bash 4.3), environment variables could be exploited by adding arbitrary code immediately following the setting of any environment variable. This arbitrary code does execute when the terminal session is started.

This vulnerability was first discovered in 2014. It had been around for decades prior.

Testing

To test if you’re vulnerable, execute Operator’s ShellShock TTP on each Linux box in your environment. Yes, this TTP was patched long ago - but many environments are still running older Linux distributions (like Ubuntu 12.04) or have older versions of bash installed, flying under the radar.

Bash is an internal program that isn’t exposed to your perimeter testing (like vulnerability scanners) so you should test on the box - not just the perimeter.

Vulnerability scanners typically test CVEs by querying the exposed service running on the server. For example, if the server is running an HTTP service, it will craft specific HTTP headers with the malicious code to see if it executes. This will expose whether ShellShock can be exploited remotely - which is extremely dangerous - but keep in mind you should know if it is exploitable at all, remotely or otherwise.

Remediation

Upgrade Bash to the latest version.

Check it out on the Prelude chains website.

Watch a demonstration:

Get our products

Download Prelude Operator: https://www.prelude.org/download
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Kris: https://twitter.com/Xanthonus
Octavia: https://twitter.com/VV_X_7
Sam: https://twitter.com/wasupwithuman