I am having difficulty understanding Shellshock vulnerability validation
I got this while I was checking the Shellshock vulnerability:
host1:~$ env x='(){ :;}; echo vulnerable' bash -c "echo hello"
hello
host1:~$ env x='() { :;}; echo vulnerable' bash -c "echo hello"
vulnerable
hello
host1:~$
Strange, isn't it?
Bash recognizes an environment variable as a function if it starts with the four characters `() {`, including the space. Therefore `env x='(){ :;}; echo vulnerable'` is not taken into account.

It doesn't quite match the syntax you use to define a function in bash; internally, bash stores the string representation of the function in a normalized form. If the function is exported (with `export -f function_name`), then the normalized form is added to the environment, and child bash processes recognize it as a function definition.

The "shellshock" bug occurs because of the way bash handles recognized functions: buggy versions of bash (which go back a long way) simply evaluate the string from the environment as a function definition (adding the variable name as the function name), which is susceptible to an injection attack, as shown in the vulnerability test.

Manually creating strings that look like bash function definitions in order to define functions in child bash processes is a well-known technique. Exporting functions and re-importing them is very common and often overlooked by the user. (For example, this method is used to pass bash functions to subshells started with `xargs bash -c` and `find ... -exec bash -c`.)
bash is a bit picky about what it considers an inline function definition in the environment. In the first example,
env x='(){ :;}; echo vulnerable' bash -c "echo hello"
there is no space between `()` and `{`, which prevents bash from recognizing it as an exported function, so it remains a simple shell variable; to see this, try running
env x='(){ :;}; echo vulnerable' bash -c 'echo $x'
In the second example, the value of `x`, with the space, is constructed correctly to simulate an exported function, and so the child bash evaluates the entire value of `x` to "import" the function, but also executes the code following the function definition.
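The following script is an added example, not code from the question or either answer. It makes the mechanism both answers describe observable from a host-check perspective: the value without the space stays a plain variable in the child bash, a function exported with `export -f` is re-imported by a child bash and appears in the environment as a value beginning with `() {`, and the question's own test is wrapped so that it reports whether the installed bash still evaluates the text that follows the function body. It assumes only that `bash` and `env` are on PATH; the function names and the `greet` helper are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page): each behaviour is a function that
# returns text so it can be checked. Assumes 'bash' and 'env' are on PATH.

# 1. No space between "()" and "{": the child bash never treats the value
#    as a function definition, so $x is just an ordinary exported variable.
child_sees_plain_variable() {
    env x='(){ :;}; echo vulnerable' bash -c 'printf %s "$x"'
}

# 2. The legitimate mechanism: a function exported with 'export -f' is put
#    into the environment in normalized form and a child bash re-imports it.
#    'type -t' prints "function" in the grandchild if the import worked.
child_imports_exported_function() {
    bash -c 'greet() { echo "hi $1"; }; export -f greet; bash -c "type -t greet"'
}

# 3. What the exported function looks like in the environment: the value
#    starts with "() {". Older bash names the entry greet=..., patched bash
#    uses the BASH_FUNC_greet%% form; the grep pattern matches either one.
exported_function_env_entry() {
    bash -c 'greet() { :; }; export -f greet; env | grep "greet.*=() {"'
}

# 4. The check from the question, wrapped: a bash that still evaluates the
#    command after the function body prints "vulnerable"; a fixed bash
#    imports nothing from a plain variable and prints only "hello".
shellshock_status() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo hello' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

child_sees_plain_variable; echo
child_imports_exported_function
exported_function_env_entry
shellshock_status
```

Run it as a script on the host being checked; the last line printed is `patched` or `vulnerable`, and the line before it shows exactly how bash represents an exported function in the environment on that version.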