Bash shellshock bug still working on latest Debian release.

Posted: February 11, 2017. At: 1:38 PM. This was 10 months ago. Post ID: 10255
Page permalink.
WordPress uses cookies, or tiny pieces of information stored on your computer, to verify who you are. There are cookies for logged in users and for commenters. These cookies expire two weeks after they are set.

I am using Debian 8.0 and the bash shellshock bug still works. That is why I should use zsh instead. My home Fedora 25 machine uses the zsh shell and I do not have that problem at all. It is only the bash shell that has this vulnerability. This is very concerning, but I guess that the developers would need to change how bash runs scripts to prevent this. And that could break Linux systems that use a lot of scripts.

┌─[jason@neo][~]
└──╼ $env VAR1='me() {echo "hello"}\ ' /bin/touch /home/$LOGNAME/my.text

The code above is what I used to test this. The one-liner successfully created a new file in my home directory. This proves that the bug has not been fixed yet and is still an issue for Linux users. Hopefully this will be addressed in a patch eventually. Here is more information on this shellshock bug. http://securitronlinux.com/bejiitaswrath/a-variant-of-the-shellshock-bug-that-still-works-with-the-bash-4-3-11-shell/. This is quite serious, but you do not read anything about this anymore.

On my Debian 8.7 system, this still works.

X='() { (a)=>\' bash -c "echo date"

The file echo is created and this contains the text “Hello World”.

No comments have been made. Use this form to start the conversation :)

Leave a Reply