Why "() { :;};"?

Question

I was wanting to understand why the code below serves as a proof-of-concept for telling me whether my server is vulnerable or not. Moreover, how does the vulnerability work at lower-level?

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' 

So when I run the command below

bash -c "echo test"

I can get either (meaning I am vulnerable):

vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test

or (meaning I am not vulnerable):

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test

Answer 1

First of all, the command you execute would be:

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

It all boils down to the way the vulnerability works. When bash exports functions, it does so through the environment, with a function x stored in either variable x or (after latest patch) BASH_FUNC_x.

bash code then detects that the value begins with '() {' and runs:

x () { :;}; echo vulnerable

(that is the environment entry with = replaced with a space) which is a function definition with : in the body (a do-nothing command). In a CVE-2014-6271 vulnerable bash, it would execute the function definition (up to the }), and then go on executing the rest of the code (the initial patch then made it not execute the rest of the code).