
This ycombinator thread states that

env X='() { (a)=>\' sh -c "echo date"

allows you to drop the first token, and then run the result, sending the output to the dropped token. I can see that the magic is in the () { (a)=>\' part, but this is quite a hard thing to search for, so it would be great if someone could explain the inner workings.

In the linked possible duplicate question, a variable is exported as an environment variable by using,

env X="() { :;} ;

which really is not the same as

env X='{ (a)=>\'

which is the part I am trying to understand the workings of. So, what do the (a) and =>\' parts do? Clearly, it is doing something very similar, but is different in that it got around the first patch to this vulnerability, see comments by chepner.

Avery
John Powell
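A defender-side check for this vector, added here and not part of the question or of bash itself: it runs the probe from the question in a throwaway directory, with bash named explicitly instead of sh, and reports "vulnerable" if a file literally named "echo" appears (the dropped token became a redirection target), or "patched" otherwise. The function name and the "no-bash" result are my own choices.

```shell
#!/bin/sh
# Added check (not from the question): on an affected bash the crafted
# function definition leaves the parser with a pending redirection, so
# `echo date` runs as `date > echo` and a file named "echo" is created.
# A patched bash rejects the import, prints "date", and creates nothing.
check_shellshock_lookahead() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    tmp=$(mktemp -d) || return 1
    (
        cd "$tmp" || exit 1
        # Pass the crafted value through the environment and run a
        # harmless command; stdout/stderr are discarded, only the
        # filesystem side effect is inspected.
        env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1
    ) || true
    if [ -e "$tmp/echo" ]; then
        result="vulnerable"
    else
        result="patched"
    fi
    rm -rf "$tmp"
    echo "$result"
}
```

Current bash releases only import functions from specially named variables, so a plain X is ignored entirely and the check reports "patched" for them as well.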
  • http://unix.stackexchange.com/q/157329/31347 http://stackoverflow.com/q/26052189/251311 – zerkms Sep 28 '14 at 09:42
  • Yes, all distros are aware and most have patched versions available. If you cannot use your distro's update, then build bash from source (see: http://www.gnu.org/software/bash/). You may also need to update `readline` to support the current bash. (`readline 6.3` required) – David C. Rankin Sep 28 '14 at 09:42
  • 1
    @zerkms Neither of your links explains the more complicated attack in this question, which works even with the initial Shell Shock patch. – chepner Sep 28 '14 at 12:43
  • 5
    I made a (rather feeble) attempt at explaining this example at http://stackoverflow.com/q/26041934/1126841. – chepner Sep 28 '14 at 12:45
  • @chepner. Thanks for that and noting that my question relates to the newer attack -- the fact that it remains unanswered (at least fully) suggests there is something very clever and evil here. – John Powell Sep 28 '14 at 14:47
  • 1
    You can see patches to address this vector at ftp.bash.org as well. They don't appear to be widely deployed yet (blame the weekend); the hole they patch is just a little harder to explain than simply "blindly evaluates the entire value". In a nutshell, though, the problem involves a lookahead failure in the parser. – chepner Sep 28 '14 at 15:08
  • @CharlesDuffy. Thanks. The edit to that other question, where the OP asks about env X='() { (a)=>\' has not been answered yet, whereas the original question has. As such, I think there is some validity to leaving this question open. – John Powell Sep 28 '14 at 16:40
  • @JohnBarça, yes, the one it's a duplicate of hasn't been answered, but why would having two duplicate questions unanswered and open be better than one? – Charles Duffy Sep 28 '14 at 18:13
  • 1
    Duplicate of http://stackoverflow.com/q/26041934/539394 which has an answer. – Ross Oct 31 '14 at 06:01

0 Answers