TTP Tuesday: Shell Shocked
Nearly a decade after discovery, ShellShock is still alive and well
This week marks a theme change from adversary emulation to CVE exploitation. Over the next 6 weeks we’ll release exploits that test whether a machine is exploitable to specific Linux CVEs. Each TTP will return an exit code of 0 (exploitable) or 1 (not exploitable) when executed. Read about our motivation.
This week, we are releasing the following TTPs:
Find this attack on chains.prelude.org.
ShellShock is a vulnerability that allows arbitrary code to execute on a Linux computer. It does this by taking advantage of how Bash (a program found on most Linux machines) evaluates environment variables.
When a new terminal session is started the environment is read, including all variables that were previously set. Environment variables are useful because they let you set-and-forget common values (like passwords) or functions that you don’t want to run manually each time you load a terminal. Bash handles this by evaluating the variables when the session starts but not actually executing them as code.
Up until the ShellShock patch was rolled out (after Bash 4.3), environment variables could be exploited by adding arbitrary code immediately following the setting of any environment variable. This arbitrary code does execute when the terminal session is started.
This vulnerability was first discovered in 2014. It had been around for decades prior.
To test if you’re vulnerable, execute Operator’s ShellShock TTP on each Linux box in your environment. Yes, this TTP was patched long ago - but many environments are still running older Linux distributions (like Ubuntu 12.04) or have older versions of bash installed, flying under the radar.
Bash is an internal program that isn’t exposed to your perimeter testing (like vulnerability scanners) so you should test on the box - not just the perimeter.
Vulnerability scanners typically test CVEs by querying the exposed service running on the server. For example, if the server is running an HTTP service, it will craft specific HTTP headers with the malicious code to see if it executes. This will expose whether ShellShock can be exploited remotely - which is extremely dangerous - but keep in mind you should know if it is exploitable at all, remotely or otherwise.
Upgrade Bash to the latest version.
Check it out on the Prelude chains website.
Watch a demonstration:
Get our products
Download Prelude Operator: https://www.prelude.org/download
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Join our community
Read, watch, and listen
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
Follow our team