Shellshock Bash Bug

Everyone’s probably heard of the Shellshock Bash bug by now, which was announced with CVE-2014-6271 on September 24, 2014.  According to the announcement:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.”

So what does this mean? Simply put, there is a flaw in how Bash processes function definitions passed in through environment variables.  After a function is defined, evaluation does not stop at the end of the function definition; Bash keeps evaluating whatever follows it.  Here’s a sample payload that you can use to test your environment:

env x='() { :;}; echo Vulnerable' bash -c :

When you normally define a function, the function itself is not executed until it is called.  In this example, we simply define a function that does nothing.  Bash finishes evaluating the function definition but continues evaluating the code after it.  In this case, it prints “Vulnerable” to the shell if the system is vulnerable.  Matthew Miller at the Fedora Magazine has a great post that outlines exactly how this vulnerability works, read his article here.  You can find the code I used in the demo on GitHub:

https://github.com/jstrosch/Academic/tree/master/Programming/Shellshock
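To turn the one-liner above into a repeatable check, here is an added script (not from the original post or the linked repository) that runs the same payload and also shows the two behaviours a patched Bash should have: the trailing text is treated as plain data, and the legitimate function-export feature still works. It assumes `bash` is on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes `bash` is on PATH;
# the test payload is the one quoted in the post (it only runs `echo`).

# The bug: the environment variable below holds a function definition with a
# trailing command. A vulnerable bash keeps parsing past the closing brace
# and runs the trailing `echo`; a patched bash stops at the definition.
shellshock_check() {
    out=$(env x='() { :;}; echo Vulnerable' bash -c : 2>/dev/null)
    if [ "$out" = "Vulnerable" ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# On a patched bash the same variable is imported as plain data: the child
# shell sees the literal string and nothing in it is executed.
trailing_string_as_data() {
    env x='() { :;}; echo Vulnerable' bash -c 'printf "%s" "$x"' 2>/dev/null
}

# The legitimate feature the bug lived in, exporting a function to a child
# shell through the environment, still works after the fix (bash now uses
# a dedicated variable name for it instead of parsing every variable).
function_export_check() {
    bash -c 'greet() { echo "exported function ran"; }; export -f greet; bash -c greet' 2>/dev/null
}

# Usage: one line per check.
echo "shellshock: $(shellshock_check)"
echo "trailing text seen as: $(trailing_string_as_data)"
echo "function export: $(function_export_check)"
```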
