Shellshock Summary


Twenty-five year old security flaw CVE-2014-6271 found in all versions of bash.
"The behavior is implemented as a hack involving specially-formatted environmental variables: in essence, any variable starting with a literal "() {" will be dispatched to the parser just before executing the main program. You can see this in action here:
$ foo='() { echo "hi mom"; }' bash -c 'foo'hi mom


  • 2014-09-25 14:55:22 Experiments indicate that putting anything in front of the (), like a name for the function or the keyword function, disable the flawed behavior
  • 2014-10-04 05:02:11 Calling bash from ash still passes all the commands in the variable(s)


No comments :