8

I have a general idea about the Shellshock bash bug (CVE-2014-6271 reported Sep 24, 2014) of what the vulnerability is and how it could be exploited. Here you find examples on how to exploit the original bug CVE-2014-6271: What is a specific example of how the Shellshock Bash bug could be exploited?

Meanwhile, a patch is out on most major distributions which fixes the initial, although not the full, Shellshock vulnerability.

There is a patch that prevents bash from interpreting anything else than the function definition in there (https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00081.html), and that's the one that has been applied in all the security updates from the various Linux distributions.

However, bash still interprets the code in there and any bug in the interpreter could be exploited. One such bug has already been found (CVE-2014-7169) though its impact is a lot smaller. So there will be another patch coming soon.

CVE-2014-7169 appears to be less severe but is definitely still cause for concern. So how would an example exploit look like for this remaining bug?

Community
  • 1
rubo77
  • 2,350
  • 10
  • 26
  • 48
  • possible duplicate of [What is a specific example of how the shellshock bash bug could be exploited?](http://security.stackexchange.com/questions/68122/what-is-a-specific-example-of-how-the-shellshock-bash-bug-could-be-exploited) – Deer Hunter Sep 28 '14 at 18:10
  • 2
    @DeerHunter: This is definitely no duplicate, cause that is the question I read before: that question is about the initial bug CVE-2014-6271 and there is no example about exploiting the remaining bug CVE-2014-7169 after the path is applied – rubo77 Sep 28 '14 at 18:12
  • Shouldn't you be using the keyword "aftershock" in this question? Or is that a different post-patch vulnerability? – Ben Voigt Sep 28 '14 at 20:55
  • I was referring to taviso bug by [hannob's bashcheck script](https://github.com/hannob/bashcheck/issues/6) which might have an error? – rubo77 Sep 28 '14 at 21:07
  • related: [The correct way to check for vulnerability CVE-2014-7169 (aftershock)](http://security.stackexchange.com/q/68539) – rubo77 Sep 29 '14 at 06:35

1 Answers1

1

According to @taviso original post, the line

env X='() { (a)=>\' sh -c "echo date"; cat echo

is be sufficient to bring the shell to an inconsistent state. I tried it and after that, things are broken until you close that shell instance. Commands won't be interpreted correctly, parameters are treated like they are out of place unleashing incorrectly reported syntax errors, "man" shows an empty page, etc...

DarkLighting
  • 1,523
  • 11
  • 16