Subgraph Vega module for Bash Environment Variable OS Command Injection Vulnerability (CVE-2014-6271)

Today, a critical and trivially remotely exploitable vulnerability was announced in bash. To help users of our Vega web application scanner to identify this vulnerability, we have a released a basic standalone module to detect this vulnerability in web applications.

The module works by injecting test cases into certain HTTP header values as well as any web application form/query parameters. This should be adequate to detect this vulnerability in CGI setups where HTTP header values are turned into bash environment variables while also detecting cases where user-supplied input is passed through functions that spawn subshells such as system(), exec(), popen() in various languages. We will refine the module as more information becomes available and we are able to test it more.

This module is a good example of the power of Vega to quickly create proofs-of-concept in Javascript using the module API.

The module can be obtained here. It can be installed simply by adding it to the ‘vega/scripts/scanner/modules/injection/’ directory.

If you are not a Vega user, you can download it here or build it from source. We will soon bundle this module into our release tarball.

Due to the seriousness of this vulnerability, we also strongly advise everybody to install patches immediately.