Bash shellshock bug still working on latest Debian release.

Posted: February 11, 2017, at 1:38 PM. Post ID: 10255
Page permalink: http://securitronlinux.com/debian-testing/bash-shellshock-bug-still-working-on-latest-debian-release/

I am using Debian 8.0 and the bash shellshock bug still works. That is why I should use zsh instead. My home Fedora 25 machine uses the zsh shell and I do not have that problem at all. It is only the bash shell that has this vulnerability. This is very concerning, but I guess that the developers would need to change how bash runs scripts to prevent this. And that could break Linux systems that use a lot of scripts.

┌─[jason@neo][~]
└──╼ $ env VAR1='me() {echo "hello"}\ ' /bin/touch /home/$LOGNAME/my.text

The code above is what I used to test this. The one-liner successfully created a new file in my home directory. This proves that the bug has not been fixed yet and is still an issue for Linux users. Hopefully this will be addressed in a patch eventually. Here is more information on this shellshock bug: http://securitronlinux.com/bejiitaswrath/a-variant-of-the-shellshock-bug-that-still-works-with-the-bash-4-3-11-shell/ This is quite serious, but you do not read anything about this anymore.

On my Debian 8.7 system, this still works.

X='() { (a)=>\' bash -c "echo date"

The file echo is created and this contains the text “Hello World”.
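One way to repeat the second test above without leaving files in the working directory, as an added example that is not the author's code: the function runs the `X='() { (a)=>\'` command in a scratch directory and also tries a function-import probe that does not appear in this post. The function name `probe_bash` and the marker string are made up for this example.

```shell
#!/bin/sh
# Added example: non-destructive Shellshock checks, run inside a scratch directory.
# probe_bash [PATH] prints "vulnerable", "patched" or "no-bash" and returns
# 0 only when the tested binary looks patched.
# Usage: probe_bash /bin/bash
probe_bash() {
    bash_bin=${1:-$(command -v bash)}
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "no-bash"
        return 2
    fi

    scratch=$(mktemp -d) || return 2
    result=patched

    # Probe 1 (constructed marker, not from the post): a function-style value
    # followed by a command. An unpatched bash runs the trailing command while
    # importing the variable, so the marker shows up on stdout.
    out=$(cd "$scratch" && env PROBE='() { :;}; echo SHELLSHOCK_MARKER' \
          "$bash_bin" -c ':' 2>/dev/null) || true
    case $out in
        *SHELLSHOCK_MARKER*) result=vulnerable ;;
    esac

    # Probe 2: the test from the post. A vulnerable parser leaves a file named
    # "echo" in the current directory; a patched bash only prints "date".
    (cd "$scratch" && env X='() { (a)=>\' "$bash_bin" -c 'echo date') \
        >/dev/null 2>&1 || true
    if [ -e "$scratch/echo" ]; then
        result=vulnerable
    fi

    rm -rf "$scratch"
    echo "$result"
    [ "$result" = patched ]
}
```

Comparing the result with the installed package version (`bash --version`, `dpkg -s bash`) shows whether the distribution's security update has been applied.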
