CVE-2014-6271

9.8 / 10
CRITICAL

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

Weakness: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Published: 2014-09-24



CVE-2014-6271 Vulnerable Docker Environment

Vulhub is an open-source collection of Dockerized vulnerable environments. No pre-existing knowledge of Docker is required; just execute two simple commands and you have a vulnerable environment.


Shellshock Remote Command Injection (CVE-2014-6271)

Build and run the vulnerable environment:

docker-compose build
docker-compose up -d

When you visit http://your-ip/ you should see two files:

  • safe.cgi
  • victim.cgi

safe.cgi is generated by the latest version of bash, while victim.cgi is generated by bash 4.3, which is vulnerable to Shellshock.

We can include our payload in the User-Agent string when visiting victim.cgi, and the command is executed successfully.

The same request sent to safe.cgi is unaffected.
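A defender-side check for the request described above, as an added example that is not part of the original advisory or the Vulhub project: it scans web server access logs for the function-definition marker that mod_cgi would pass to Bash through a header-derived environment variable. It assumes the "combined" log format; the names scan and SAMPLE_LOG are hypothetical, and the sample lines are constructed.

```python
import re

# Apache/nginx "combined" log line; quoted fields may contain backslash-escaped quotes.
Q = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + Q + r' (\d{3}) \S+ ' + Q + ' ' + Q + r'\s*$')

# A value that carries a Bash function definition: "()" then "{", optional whitespace.
# Deliberately broader than one exact spelling, so spacing variants are also flagged.
FUNC_DEF_RE = re.compile(r'\(\s*\)\s*\{')

def scan(lines):
    """Return one finding per log line whose logged fields contain the marker."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            # Malformed or truncated line: do not skip it, check the raw text.
            if FUNC_DEF_RE.search(line):
                findings.append({"line": lineno, "field": "raw", "client": None,
                                 "request": None, "status": None})
            continue
        client, _time, request, status, referer, agent = m.groups()
        fields = {"request": request, "referer": referer, "user-agent": agent}
        hit = [name for name, value in fields.items() if FUNC_DEF_RE.search(value)]
        if hit:
            findings.append({"line": lineno, "field": ",".join(hit), "client": client,
                             "request": request, "status": int(status)})
    return findings

# Constructed sample lines (documentation addresses; the trailing command is elided).
SAMPLE_LOG = [
    '192.0.2.7 - - [25/Sep/2014:10:01:02 +0000] "GET /victim.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.10 - - [25/Sep/2014:10:01:09 +0000] "GET /victim.cgi HTTP/1.1" 200 73 "-" "() { :; }; <command elided>"',
    '192.0.2.10 - - [25/Sep/2014:10:01:11 +0000] "GET /safe.cgi HTTP/1.1" 200 512 "(){ :;}; <command elided>" "curl/7.38.0"',
    '192.0.2.10 - - [25/Sep/2014:10:01:15 +0000] "GET /victim.cgi HTTP/1.1" 200 73 "-" "() { :; }; <comm',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A match shows an attempt, not a successful execution: the status code does not distinguish the two, and headers that the log format does not record (Cookie, for example) are invisible to this check.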
