Shellshock Summary

DESCRIPTION

Twenty-five year old security flaw CVE-2014-6271 found in all versions of bash.
Per http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html

"The behavior is implemented as a hack involving specially-formatted environmental variables: in essence, any variable starting with a literal "() {" will be dispatched to the parser just before executing the main program. You can see this in action here:

$ foo='() { echo "hi mom"; }' bash -c 'foo'hi mom

NOTES

• 2014-09-25 14:55:22 Experiments indicate that putting anything in front of the (), like a name for the function or the keyword function, disable the flawed behavior
• 2014-10-04 05:02:11 Calling bash from ash still passes all the commands in the variable(s)

RESOURCES

• CVE-2014-6271
• http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
• http://unix.stackexchange.com/questions/157381/when-was-the-shellshock-cve-2014-6271-bug-introduced-and-what-is-the-patch-th?rq=1
• http://unix.stackexchange.com/questions/157329/what-does-env-x-something-bash-c-command-do-and-why-is-it-insecure
• http://www.engadget.com/2014/09/24/bash-shell-security-flaw/