I don't get the root cause of the Shellshock bash bug, such as CVE-2014-6271.
As far as I understand, Shellshock happens if there is malicious code inside the application packet header.
For example, if the HTTP header includes `http-header[Cookie] = () { :; }; ping 192.168.0.1`, then it pings 192.168.0.1.
However, an HTTP header only needs to be a set of string variables. Why does Apache ever run a bash script?
Is the Apache HTTP header parser composed of bash shell script?
Thank you! :)

John Doyle
1 Answer
C's `system()` function, used to execute an arbitrary external command, passes its argument to `/bin/sh` for parsing. (This is specified by POSIX.)

`/bin/sh`, on Linux systems, is commonly a symbolic link to `/bin/bash`.

If Apache invokes any external program via `system()`, and an attacker has been able to insert malicious code into any environment variable, it will be passed on to `/bin/bash`.

Keith Thompson
- And bash will happily evaluate any variable that looks like an exported function (starts with `() {`), to import it as a function. Not stopping at the end of the function definition. – ninjalj Sep 30 '14 at 00:51
- Which means bash does parse the header, right? OK, thanks a lot :) – John Doyle Sep 30 '14 at 01:00
- @JohnDoyle: What "header"? Bash parses the contents of certain environment variables. – Keith Thompson Sep 30 '14 at 02:33
- @KeithThompson OK, so Apache would parse the HTTP header then set the environment via bash. I got the point – John Doyle Oct 08 '14 at 08:03
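
The chain discussed in this thread, as an added example that is not code from any of the posters or from Apache: a header value becomes an environment variable, and a shell started through `popen()` (which, like `system()`, runs `/bin/sh -c`) inherits it. It assumes the CGI naming convention (header `Cookie` becomes `HTTP_COOKIE`); the function names are hypothetical, the header values are constructed samples, and the check refuses to export any value that starts with `() {`.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CGI convention: header "User-Agent" becomes variable HTTP_USER_AGENT. */
static void cgi_env_name(const char *header, char *out, size_t outlen) {
    size_t n = (size_t)snprintf(out, outlen, "HTTP_");
    for (; *header && n + 1 < outlen; header++, n++)
        out[n] = (*header == '-') ? '_' : (char)toupper((unsigned char)*header);
    out[n] = '\0';
}

/* Vulnerable bash treated a value starting with "() {" as an exported function. */
static int looks_like_function_import(const char *value) {
    return strncmp(value, "() {", 4) == 0;
}

/* Export one header as an environment variable unless its value is flagged.
 * Returns 1 if exported, 0 if rejected (or if setenv failed). */
static int export_header(const char *header, const char *value) {
    char name[128];
    cgi_env_name(header, name, sizeof name);
    if (looks_like_function_import(value)) {
        unsetenv(name);            /* make sure no child process sees it */
        return 0;
    }
    return setenv(name, value, 1) == 0;
}

/* Run cmd through /bin/sh and capture its first output line.
 * Returns the shell's wait status, or -1 if popen failed. */
static int shell_first_line(const char *cmd, char *buf, size_t buflen) {
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    if (!fgets(buf, (int)buflen, p)) buf[0] = '\0';
    buf[strcspn(buf, "\n")] = '\0';
    return pclose(p);
}

int main(void) {
    char line[256];
    /* Constructed sample headers; the Cookie value is the one from the question. */
    printf("Cookie exported: %d\n", export_header("Cookie", "() { :; }; ping 192.168.0.1"));
    export_header("User-Agent", "curl/7.0");
    shell_first_line("echo \"$HTTP_USER_AGENT\"", line, sizeof line);
    printf("child shell sees: %s\n", line);
    return 0;
}
```

The HTTP parser itself never runs bash; the shell only comes into play when the server spawns a child process, and that child receives whatever strings were placed in the environment.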