Main Vulnerability Database Exploits ID:8697 - Exploit for Command injection in Bash - CVE-2014-6271

ID:8697 - Exploit for Command injection in Bash - CVE-2014-6271

Published: December 26, 2022

Vulnerability identifier: #VU5295

Vulnerability risk: Critical

CVE-ID: CVE-2014-6271

CWE-ID: CWE-77

Exploitation vector: Remote access

Vulnerable software:
Bash

Link to public exploit:

https://github.com/b4keSn4ke/CVE-2014-6271

Vulnerability description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to incorrect parsing of environment variables. A remote attacker can execute arbitrary code on the target system as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Successful exploitation may allow an attacker to gain complete control over vulnerable system.

Exploitation example:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Note: this vulnerability was being actively exploited in the wild.

Remediation

Update GNU Bash to version 4.3 bash43-027.

ID:8697 - Exploit for Command injection in Bash - CVE-2014-6271

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human