I was wanting to understand why the code below serves as a proof-of-concept for telling me whether my server is vulnerable or not. Moreover, how does the vulnerability work at a lower level?
$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable'
So when I run the command below
bash -c "echo test"
I can get either (meaning I am vulnerable):
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test
or (meaning I am not vulnerable):
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test
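Added example, not part of the original post: a wrapper that runs the probe above against each bash binary on a host and decides from stdout alone. A bare `vulnerable` line appears only when bash executed the `echo` that follows the function body while importing the environment; the messages that merely quote the payload are diagnostics on stderr. The function names and the list of candidate paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify the result of the probe shown in the post.
# Function names and the candidate path list are hypothetical.

# Decide from the probe's captured stdout only.
# A line that is exactly "vulnerable" means the injected `echo` ran.
# Diagnostics that quote the payload go to stderr and never reach here.
classify_probe_stdout() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$1" | grep -qx 'test'; then
        echo not-vulnerable
    else
        echo inconclusive   # the probe never reached `echo test`
    fi
}

# Run the post's probe against one bash binary (default: first bash in PATH).
# Both variables are passed only to the child process via env(1).
probe_bash() {
    target=${1:-bash}
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              "$target" -c "echo test" 2>/dev/null) || true
    classify_probe_stdout "$out"
}

# A host can carry several copies of bash; check each one that exists.
for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
    if [ -x "$b" ]; then
        printf '%s: %s\n' "$b" "$(probe_bash "$b")"
    fi
done
```

Discarding stderr is what keeps the check reliable: the error text in the first output also contains the word "vulnerable", so matching on the combined output would misreport.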