Vulnerability Details : CVE-2014-6271

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
Vulnerability category: Execute code
Published 2014-09-24 18:48:04
Updated 2021-11-17 22:15:36
At least one public exploit which can be used to exploit this vulnerability exists!
CVE-2014-6271 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name: GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute code.
Added on 2022-01-28; action due date 2022-07-28

Exploit prediction scoring system (EPSS) score for CVE-2014-6271

Probability of exploitation activity in the next 30 days: 97.57%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 %

Metasploit modules for CVE-2014-6271

  • Advantech Switch Bash Environment Variable Code Injection (Shellshock)
    Disclosure Date : 2015-12-01
    exploit/linux/http/advantech_switch_bash_env_exec
    This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the 'ping.sh' CGI script, accessible through the Boa web server on Advantech switches. This module was tested against firmware version 1322_D1.98. Authors: - hdm <[email protected]>
  • IPFire Bash Environment Variable Injection (Shellshock)
    Disclosure Date : 2014-09-29
    exploit/linux/http/ipfire_bashbug_exec
    IPFire, a free Linux-based open source firewall distribution, version <= 2.15 Update Core 82 contains an authenticated remote command execution vulnerability via Shellshock in the request headers. Authors: - h00die <[email protected]> - Claudio Viviani
  • Qmail SMTP Bash Environment Variable Injection (Shellshock)
    Disclosure Date : 2014-09-24
    exploit/unix/smtp/qmail_bash_env_exec
    This module exploits a shellshock vulnerability on Qmail, a public domain MTA written in C that runs on Unix systems. Due to the lack of validation on the MAIL FROM field, it is possible to execute shell code on a system with a vulnerable BASH (Shellshock). This flaw works on the latest Qmail versions (qmail-1.03 and netqmail-1.06). However, in order to execute code, /bin/sh has to be linked to bash (usually default configuration) and a valid recipient must be set on the RCPT TO field (usually [email protected]). The exploit does not work on the "qmailrocks" community version as it ensures the MAILFROM field is well-formed. Authors: - Mario Ledo (Metasploit module) - Gabriel Follon (Metasploit module) - Kyle George (Vulnerability discovery)
  • Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
    Disclosure Date : 2014-09-24
    exploit/multi/http/apache_mod_cgi_bash_env_exec
    This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition. Authors: - Stephane Chazelas - wvu <[email protected]> - juan vazquez <[email protected]> - lcamtuf
  • DHCP Client Bash Environment Variable Code Injection (Shellshock)
    Disclosure Date : 2014-09-24
    auxiliary/server/dhclient_bash_env
    This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domainname, and URL which are then passed to the configuration scripts as environment variables, resulting in code execution. Authors: - scriptjunkie - apconole <[email protected]> - Stephane Chazelas - Ramon de C Valle <[email protected]>
  • CUPS Filter Bash Environment Variable Code Injection (Shellshock)
    Disclosure Date : 2014-09-24
    exploit/multi/http/cups_bash_env_exec
    This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CUPS filters through the PRINTER_INFO and PRINTER_LOCATION variables. A valid username and password is required to exploit this vulnerability through CUPS. Authors: - Stephane Chazelas - lcamtuf - bcoles <[email protected]>
  • Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
    Disclosure Date : 2014-09-24
    exploit/multi/ftp/pureftpd_bash_env_exec
    This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the Pure-FTPd FTP server when it has been compiled with the --with-extauth flag and an external Bash script is used for authentication. If the server is not set up this way, the exploit will fail, even if the version of Bash in use is vulnerable. Authors: - Stephane Chazelas - Frank Denis - Spencer McIntyre
  • Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
    Disclosure Date : 2014-09-24
    auxiliary/scanner/http/apache_mod_cgi_bash_env
    This module scans for the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition. PROTIP: Use exploit/multi/handler with a PAYLOAD appropriate to your CMD, set ExitOnSession false, run -j, and then run this module to create sessions on vulnerable hosts. Note that this is not the recommended method for obtaining shells. If you require sessions, please use the apache_mod_cgi_bash_env_exec exploit module instead. Authors: - Stephane Chazelas - wvu <[email protected]> - lcamtuf
  • Dhclient Bash Environment Variable Injection (Shellshock)
    Disclosure Date : 2014-09-24
    exploit/unix/dhcp/bash_environment
    This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domainname, and URL which are then passed to the configuration scripts as environment variables, resulting in code execution. Due to length restrictions and the unusual networking scenario at the time of exploitation, this module achieves code execution by writing the payload into /etc/crontab and then cleaning it up after a session is created. Authors: - Stephane Chazelas - egypt <[email protected]>
  • OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
    Disclosure Date : 2014-09-24
    exploit/osx/local/vmware_bash_function_root
    This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the VMWare Fusion application, allowing an unprivileged local user to get root access. Authors: - Stephane Chazelas - juken - joev <[email protected]> - mubix <[email protected]>

CVSS scores for CVE-2014-6271

Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | [email protected]
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | [email protected]

CWE ids for CVE-2014-6271

References for CVE-2014-6271

Products affected by CVE-2014-6271
