Thursday, January 8, 2015

Assignment 2 - Recent Vulnerability

Today I'll discuss Shellshock, or CVE-2014-6271. This is a vulnerability that affected my installation of Cygwin as well as my Arch Linux virtual machine, and potentially affected any Unix system running Bash. A Bash installation can be tested with a simple one-liner:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29#Initial_report_.28CVE-2014-6271.29

This vulnerability has potentially existed for decades, but was discovered in September of 2014. It works by essentially confusing the Bash parser into executing more code than it should. An attacker can set an environment variable to be a function, but then append more code after the function that in theory should not be executed or should result in an error.

In the example above, Bash interprets x as an exported function definition. It thinks that somebody defined

x() { ...

which would then be stored as an environment variable

env x='() { ...

When a new Bash instance starts, it evaluates any environment variable whose value is in that format, since such values are supposed to be exported function definitions. At this point, a vulnerable version of Bash does not check whether the value of x contains only a valid function definition; instead it executes the entire string, including whatever follows the function body, which might be malicious code of some kind. In the test above, the "malicious code" is simply echo vulnerable. So, if an attacker is able to arbitrarily set the contents of some environment variable on your system, then they are capable of executing arbitrary code.
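An added example, not part of the original post: a POSIX shell script that classifies environment-variable values by the pattern described above and runs the post's one-liner against a chosen Bash binary. The function names classify_value and check_bash and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample values are constructed.

# classify_value VALUE -> prints plain | function | trailing
#   plain:    no leading "() {", so Bash treats the value as ordinary data
#   function: leading "() {" and only whitespace after the last "}"
#   trailing: leading "() {" with text after the last "}" (or no "}" at
#             all), the shape of the test string in this post
# Heuristic: trailing code that itself ends in "}" is reported as
# "function", so every non-plain value deserves a manual look.
classify_value() {
    v=$1
    case $v in
        '() {'*) ;;
        *) echo plain; return 0 ;;
    esac
    rest=${v##*\}}                                   # text after the last "}"
    rest=$(printf '%s' "$rest" | tr -d '[:space:]')  # whitespace is harmless
    if [ -n "$rest" ]; then echo trailing; else echo function; fi
}

# check_bash PATH -> prints vulnerable | patched | unknown | missing
# Runs the post's one-liner against the given binary and reads its output.
check_bash() {
    [ -x "$1" ] || { echo missing; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo vulnerable ;;
        *'this is a test'*) echo patched ;;
        *) echo unknown ;;   # not Bash, or it failed to run the command
    esac
}

# Constructed sample values; the last one is the test string from the post.
for sample in 'hello world' '() { echo hi; }' '() { :;}; echo vulnerable'; do
    printf '%-10s %s\n' "$(classify_value "$sample")" "$sample"
done
printf '%-10s %s\n' "$(check_bash "$(command -v bash || echo /bin/bash)")" bash
```
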

There were several other related vulnerabilities that were discovered soon after this one was ostensibly patched, but all relate to faulty handling of exported function definitions in environment variables.
