2

I was wanting to understand why the code below serves as a proof-of-concept for telling me whether my server is vulnerable or not. Moreover, how does the vulnerability work at a lower level?

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' 

So when I run the command below

bash -c "echo test"

I can get either (meaning I am vulnerable):

vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test

or (meaning I am not vulnerable):

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test
Chris Murray
James
  • You can read the answer of Stephane (who discovered the bug) http://unix.stackexchange.com/questions/157381/when-was-the-shellshock-cve-2014-6271-7169-bug-introduced-and-what-is-the-pat/157495#157495 – Jeremy Oct 02 '14 at 12:16
  • Another great read: http://security.stackexchange.com/questions/68168/is-there-a-short-command-to-test-if-my-server-is-secure-against-the-shellshock-b/68177#68177 – Karl Hardr Oct 02 '14 at 14:35

1 Answer

2

First of all, the command you execute would be:

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

It all boils down to the way the vulnerability works. When bash exports functions, it does so through the environment, with a function x stored in either variable x or (after the latest patch) BASH_FUNC_x.

bash code then detects that the value begins with '() {' and runs:

x () { :;}; echo vulnerable

(that is the environment entry with = replaced with a space) which is a function definition with : in the body (a do-nothing command). In a CVE-2014-6271 vulnerable bash, it would execute the function definition (up to the }), and then go on executing the rest of the code (the initial patch then made it not execute the rest of the code).

Ángel
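
A small wrapper around the test command from the question, added here as an example (it is not code from the thread): it runs the test against each bash binary you name and treats only a bare `vulnerable` line as a positive, because bash's own error messages can quote the injected text without having run it. The function names `classify_output`, `check_bash` and `check_all` are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: wraps the test command from the question above.
# Function names are assumptions made for this example.

# Read captured test output on stdin and print a verdict.
# Only a line that is exactly "vulnerable" counts: bash error messages can
# quote the injected text ("...; echo vulnerable'") without having run it.
classify_output() {
    if grep -qx 'vulnerable'; then
        echo "vulnerable"
    else
        echo "not vulnerable"
    fi
}

# Run the thread's test against one bash binary (default: bash from PATH).
# stderr is merged into stdout so warnings and the verdict line arrive together.
check_bash() {
    target=${1:-bash}
    if ! command -v "$target" >/dev/null 2>&1; then
        echo "not found"
        return 0
    fi
    env 'x=() { :;}; echo vulnerable' \
        'BASH_FUNC_x()=() { :;}; echo vulnerable' \
        "$target" -c 'echo test' 2>&1 | classify_output
}

# A host can carry several bash binaries; report on each path given.
check_all() {
    for b in "$@"; do
        printf '%s: %s\n' "$b" "$(check_bash "$b")"
    done
}

# When run as a script with arguments, check every path named.
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

Invoke it with the paths to check, for example `/bin/bash /usr/local/bin/bash`; each path is reported on its own line.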