Questions tagged [shellshock-bash-bug]

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

For more information, see CVE-2014-6271 and CVE-2014-7169.

40 questions
56 votes, 4 answers

Is the behavior behind the Shellshock vulnerability in Bash documented or at all intentional?

A recent vulnerability, CVE-2014-6271, in how Bash interprets environment variables was disclosed. The exploit relies on Bash parsing some environment variable declarations as function definitions, but then continuing to execute code following the…
kojiro
19 votes, 1 answer

How do you fix the Shellshock vulnerability on Debian 6.0 (Squeeze)?

How do you fix the Shellshock Bash vulnerability on Debian 6.0 (Squeeze)?
batflaps
18 votes, 0 answers

Shellshock vulnerability, CVE-2014-7169

This ycombinator thread states that env X='() { (a)=>\' sh -c "echo date" allows you to drop the first token, and then run the result, sending the output to the dropped token. I can see that the magic is in the () { (a)=>\' part, but this is quite…
John Powell
12 votes, 2 answers

How does CVE-2014-7169 work? Breakdown of the test code

With a bash release which has been patched for shellshock $ bash --version GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin12) Copyright (C) 2007 Free Software Foundation, Inc. $ env x='() { :;}; echo vulnerable' bash -c "echo this is a…
user193130
5 votes, 2 answers

Regression: Exported Bash function lost after going through another process

When moving from Ubuntu 14.04 to 16.04, I've noticed several of my Bash scripts failing due to missing exported functions. I wonder whether this is related to the fixes for the Shellshock bug, even though I simply export -f the functions, and not…
Ingo Karkat
5 votes, 2 answers

Set a Bash function on the environment

I need to define a Bash function in the Bash environment from a C/C++ program. Before the shellshock bug, I could define a function in this way: my_func='() { echo "This is my function";}' Or equivalent from a C program: setenv("my_func", "() {…
JoseLSegura
4 votes, 1 answer

Can someone explain the Shell Shock Bash code?

I am having problems understanding the following code, which is the Shell Shock 'proof of vulnerability' code. Can someone explain it to me? Especially this part "() { :;};" env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
zahid adeel
3 votes, 2 answers

I'm having difficulty understanding the Shellshock vulnerability verification

I got this while I was checking for the Shellshock vulnerability: host1:~$ env x='(){ :;}; echo vulnerable' bash -c "echo hello" hello host1:~$ env x='() { :;}; echo vulnerable' bash -c "echo hello" vulnerable hello host1:~$ Weird huh?
Marcel
3 votes, 0 answers

What is a specific example of how the Shellshock Bash bug could be exploited?

I read some articles (article1, article2, article3) about the Shellshock Bash bug (CVE-2014-6271 reported Sep 24, 2014) and have a general idea of what the vulnerability is and how it could be exploited. To better understand the implications of the…
Rob Bednark
3 votes, 1 answer

With Ansible and apt, how do I update bash for the remotely exploitable security vulnerability CVE-2014-6271?

Given bash's remote code execution vulnerability announced on Sept 24 2014, how can I update my apt-based systems using Ansible?
tedder42
2 votes, 1 answer

Shellshock - Response of URL having CGI extension

Why do we always check for 500 response in shellshock exploitable request why not 200, 301 or others? conn.request("GET", path, headers=headers) res = conn.getresponse() if res.status == 500: print "Shell Shock Exploitable"
Hassan Anwer
2 votes, 1 answer

Can not exploit shellshock vulnerability for all files

I have been trying to exploit the Shellshock vulnerability in my system and ran into an interesting problem. I have been using 'wget' to exploit the vulnerability. The command I am using is as follows: wget -U "() { test;};echo \"Content-type:…
Rabee
2 votes, 0 answers

Upgrade bash, but bash --version no change, why

For Shellshock issue I upgrade bash on redhat 4,5 use the follow steps check bash version root@aaaA:/usr/src/redhat/RPMS/x86_64>bash --version GNU bash, version 3.2.25(1)-release (x86_64-redhat-linux-gnu) Copyright (C) 2005 Free Software…
2 votes, 2 answers

Shellshock - why is the injection of environment variables allowed?

There are 2 things I don't understand about the shellshock vulnerability: Why is the injection of environment variables allowed to unverified connections? What is that good for? What actual services provide the ability to inject variables? Any…
noamelf
2 votes, 1 answer

Shellshock Bash bug preload workaround

The RedHat had a workaround for the Shellshock vulnerability that involves a preload library. The URL for the workaround source code is available at bash_ld_preload.c. But the workaround steps seem to have gone missing now. Was this a bad solution…
rvh