
I recently came across the Shellshock bug, which is a bug in the bash shell. Somehow it uses the env command to create environment variables containing functions.

```
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
```

These functions then run when a new bash shell is spawned. I read in many places and got the same explanation that I just wrote. But I still cannot make out the working of the above command along with its parameters. Can anyone explain?

Jonathan Leffler
Haris
  • @ralph Considering the publicity & panic surrounding “shellshock” you should assume discussion is already happening on the topic. – Giacomo1968 Sep 25 '14 at 19:47
  • @JakeGould: I read the posts and discussion through the internet, couldn't find a thorough explanation – Haris Sep 25 '14 at 19:50
  • `man env`? It's just a way to trigger the bug; knowing how `env` works isn't going to explain how the exploit itself works. – chepner Sep 25 '14 at 19:51
  • Arguably, a better duplicate would be [Exactly what does `env` do in Bash?](http://stackoverflow.com/questions/12691461/exactly-what-does-env-do-in-bash). – Jonathan Leffler Sep 26 '14 at 05:54

1 Answer

env sets one or more environment variables and then runs the remaining arguments as a command.

It's not significantly different from the following syntax:

```
x='() { :;}; echo vulnerable' bash -c "echo this is a test"
```

One thing env can do (although the feature is not used in the above example) is create a clean environment; if the first option to env is a single - (or -i), then the environment is cleaned before doing the explicit assignments and running the command.

rici
  • Is that the only difference between using env and not using it (i.e. ability to start with a blank environment)? – Jeremy Jan 27 '16 at 14:03
  • @jeremy: normally, yes. `env` is often used in shebang lines (`#!/bin/env ...`) because it searches `PATH` for the executable, but that only matters in places where `PATH` is not searched. – rici Jan 27 '16 at 14:31
  • I should add that PATH is not searched in shebang lines for a good reason and the "workaround" is not a good idea IMHO. But that is way out of scope here. – rici Jan 27 '16 at 14:33
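
What `env` contributes to the test command in the question, as an added example that is not part of the original answer: it compares the `env` form with the prefix-assignment form, shows what `-i` removes, and wraps the question's command in a check that classifies a bash binary. The function names and `DEMO_MARKER` are assumptions made for this sketch.

```shell
#!/bin/sh
# Value from the question; a patched bash treats it as an ordinary string.
PROBE='() { :;}; echo vulnerable'

# Child started through env: print what it received in $x.
seen_via_env() {
    env x="$PROBE" sh -c 'printf "%s\n" "$x"'
}

# Child started with the shell's own prefix-assignment syntax.
seen_via_prefix() {
    x="$PROBE" sh -c 'printf "%s\n" "$x"'
}

# Does a variable exported by the parent reach the child?
# $1 is an optional env flag such as -i. With -i, PATH is wiped as well,
# so the child shell is named by absolute path.
inherits_marker() {
    DEMO_MARKER=parent env $1 x=1 /bin/sh -c 'echo "${DEMO_MARKER-unset}"'
}

# Run the question's test command against a bash binary ($1, default: bash)
# and classify the output instead of reading it by eye.
check_bash() {
    bin=${1:-bash}
    command -v "$bin" >/dev/null 2>&1 || { echo missing; return 0; }
    out=$(env x="$PROBE" "$bin" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*)         echo vulnerable ;;
        *"this is a test"*)   echo "not vulnerable" ;;
        *)                    echo error ;;
    esac
}

echo "env form:     $(seen_via_env)"
echo "prefix form:  $(seen_via_prefix)"
echo "inherited:    $(inherits_marker)"
echo "after env -i: $(inherits_marker -i)"
echo "bash status:  $(check_bash)"
```
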