Lab 3: Shellshock Attack

Due Sunday October 2nd

Overview

On September 24, 2014, a severe vulnerability in bash was identified. Nicknamed Shellshock, this vulnerability can be used to exploit many systems, and the attack can be launched either remotely or from a local machine. In this lab, students will work on this attack to better understand the Shellshock vulnerability. The learning objective of this lab is for students to get first-hand experience with this interesting attack, understand how it works, and think about the more general lessons that we can take away from it. The first version of this lab was developed on September 29, 2014, just five days after the attack was reported. This lab covers the following topics:

Setup

You will use a Docker image to create a mock web server to attack. There are a few steps for setting this up, but using the Docker container is required. You will not be able to complete this lab if you do not successfully set up the Docker container. The steps for downloading, creating, and running a Docker container are at the beginning of the instructions.

Instructions

For this lab, you will likely be copying and pasting commands from these instructions. Copying from PDFs can be glitchy sometimes, so I have assembled the instructions as a GitHub README, which will make copying commands much easier. A PDF version of the instructions can also be found below, if you prefer that format.

Follow the instructions above and complete the tasks in your SEED Labs VM. Your solutions/output/observations will all be put into a lab report. See the next sections for the lab report.

Lab report expectations

The lab report is to help me see that you did the lab and followed the instructions. For each task, you should include a screenshot to show you completed the task. If the task asks you to write down observations, you should also include those in your lab report. For the tasks that require you to do some thinking and find ways to exploit a program, you should write a brief description of your approach and the steps you took to get your output.

This is a lab report taken from a previous offering of this course. This is a good example of how you should format your lab report: https://www.cs.montana.edu/pearsall/classes/fall2022/476/labs/SampleLabReportFormat.pdf