Reputation: 647
I have been trying to exploit the Shellshock vulnerability in my system and ran into an interesting problem. I have been using 'wget' to exploit the vulnerability. The command I am using is as follows:
wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" http://somesite.com/some-script.cgi
Using the above command, the vulnerability shows as expected. However, when I try to wget a file which is not a .cgi file, the vulnerability does not show up and only the file is downloaded.
From what I understand, wget should set the User-Agent string to the value passed in the command, which should run the code /bin/cat /etc/passwd, and I fail to see how this has anything to do with the nature of the file being downloaded.
Thanks in advance.
Upvotes: 2
Views: 1936
Reputation: 50368
In order to exploit the shellshock bug, the following steps need to occur:
you must get the target server to inject a specific string into an environment variable, and
after setting the environment variable, the target must (directly or indirectly) launch (a vulnerable version of) the bash shell.
One way this can happen is when a web server executes an external program through the Common Gateway Interface (CGI), and the external program either is a bash shell script or otherwise invokes bash. This happens because the CGI protocol specifies that headers from the original HTTP request are passed to the external program in environment variables with the prefix HTTP_ (e.g. HTTP_USER_AGENT for the User-Agent header). Since the attacker can control those headers, they can also directly control the values of those environment variables.
However, the web server needs to set those environment variables only when invoking an external program via CGI. When delivering a static file, the server only needs to read that file from the disk and send it back to the client; it doesn't need to set any environment variables or invoke any external tools like bash.
Upvotes: 2
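The two steps described in the answer above, as an added example that is not part of the original question or answer: a miniature CGI gateway that maps request headers to HTTP_* environment variables the way RFC 3875 prescribes, dispatches .cgi paths to "execute with this environment" and everything else to "read the file and send it back", flags header values carrying the `() {` function-definition prefix, and probes the local bash with the well-known CVE-2014-6271 test. The request text, the in-memory document root, and the helper names are constructed for this demonstration and do not come from the page.

```python
"""
Added example (not from the original question or answer): a miniature CGI
gateway showing why a Shellshock payload in the User-Agent header only
matters for requests that are handed to an external program.

Assumptions (constructed for this demonstration, not from the page): the
request text, the in-memory document root and all helper names below.
"""
import os
import shutil
import subprocess

# Constructed request mirroring the wget -U command from the question.
PAYLOAD = '() { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd'

CGI_REQUEST = (
    "GET /some-script.cgi HTTP/1.1\r\n"
    "Host: somesite.com\r\n"
    "User-Agent: " + PAYLOAD + "\r\n"
    "\r\n"
)

# Same attacker header, but a static path (the second case in the question).
STATIC_REQUEST = CGI_REQUEST.replace("/some-script.cgi", "/index.html")

# Constructed in-memory document root standing in for files on disk.
DOCROOT = {"index.html": b"<h1>hello</h1>\n"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, path, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    return method, path, headers


def cgi_environment(method, path, headers):
    """Build CGI/1.1 meta-variables (RFC 3875) for a request.

    Each request header becomes HTTP_<NAME>: upper-cased, '-' turned into '_'.
    This is the step that hands attacker-controlled bytes to the child process.
    """
    env = {
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": path,
        "SERVER_PROTOCOL": "HTTP/1.1",
    }
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def looks_like_shellshock(value):
    """Signature check used by many IDS/WAF rules: value starts with '() {'."""
    return value.lstrip().startswith("() {")


def handle_request(raw, docroot):
    """Dispatch like a minimal web server.

    ("cgi", env)      -> path names a .cgi script; the server would spawn it
                         with `env`, so the header value reaches the child
                         (and bash, if the script is or calls bash).
    ("static", bytes) -> file is read and returned; no environment is built
                         and no program is launched.
    ("error", bytes)  -> static path not found.
    """
    method, path, headers = parse_request(raw)
    if path.endswith(".cgi"):
        return "cgi", cgi_environment(method, path, headers)
    body = docroot.get(path.lstrip("/"))
    if body is None:
        return "error", b"404 Not Found\n"
    return "static", body


def bash_is_vulnerable(bash="bash"):
    """Run the well-known CVE-2014-6271 probe against a local bash binary.

    True  -> the command trailing the exported function definition executed.
    False -> bash is patched (the trailing command is ignored).
    None  -> no bash binary found on PATH.
    """
    if shutil.which(bash) is None:
        return None
    env = dict(os.environ, x="() { :;}; echo vulnerable")
    out = subprocess.run([bash, "-c", "echo probe"], env=env,
                         capture_output=True, text=True)
    return "vulnerable" in out.stdout


if __name__ == "__main__":
    kind, env = handle_request(CGI_REQUEST, DOCROOT)
    print(kind, "HTTP_USER_AGENT=", env["HTTP_USER_AGENT"])
    print("flagged:", looks_like_shellshock(env["HTTP_USER_AGENT"]))
    print(handle_request(STATIC_REQUEST, DOCROOT))
    print("local bash vulnerable:", bash_is_vulnerable())
```

Running this against the two constructed requests shows the asymmetry the answer describes: the .cgi path yields an environment whose HTTP_USER_AGENT is the payload verbatim (and the signature check flags it), while the static path returns only the file bytes and never builds an environment at all. The probe at the end is the standard local test; on any patched bash it prints only "probe".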