Shellshock is a vulnerability that affects all operating systems (Linux and Unix based) that allows an attacker to gain complete access to a victim’s computer. This vulnerability targets the bash present in the operating system. Bash is a command language interpreter. The attacker sends malicious environment variable to the bash of the web server deployment. The environment variable controls the output of the processes on the system. This bug allows an attacker to exploit any vulnerable versions of Bash to execute any custom commands and will also allow him to gain unauthorised access to a computer system.
The attacker makes a remote connection to the server. The attacker sends requests to the server to make the malicious environment variable to the bash. The attacker usually uses CGI to make requests using the environment variable. As the server uses bash to interpret the variable, the attacker will be able to successfully launch the attack.
GET http://example.beaglesecurity.com/cgi-bin/beaglesecurity.cgi HTTP/1.1
User-Agent: AppFabs
Host: shellshock.appfabs.com
Referer: () { :;}; echo "NS:" $(</etc/passwd)
The impact include:-
This vulnerability can be fixed by:-