CVE-2014-6271, CVE-2014-7169: remote code execution in Bash
![image](https://habrastorage.org/getpro/habr/post_images/058/855/d61/058855d61e18ed48cc25d5ea2d377d65.jpg)
Details about the vulnerability in Bash were posted today.
In short, Bash allows you to export functions as environment variables:
```
$ myfunc() { echo "Hello"; }
$ export -f myfunc
$ env | grep -A1 ^myfunc
myfunc=() { echo "Hello"
}
```
The vulnerability is that if another command is appended after the function body (after the closing "}") and the variable is exported, that command is executed when a child interpreter starts:
```
$ env x='() { :; }; echo "Oh..."' /bin/bash -c /sbin/nologin
Oh...
This account is currently not available.
```
This, in turn, allows you to do interesting things. For example, if you have a CGI script in Perl that calls Bash, an attacker can construct an HTTP request that contains malicious code. That code reaches Bash through environment variables and is executed.
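On the defensive side, requests of this kind leave a recognisable trace, because the header value has to carry the `() {` function-definition prefix. The following is an added example, not part of the original post: it scans an access log for that prefix in the quoted header fields. The "combined" log format, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag access-log entries whose
# logged Referer or User-Agent contains the "() {" function-definition prefix.
# Assumes the Apache/nginx "combined" log format (an assumption).

# Reads log lines on stdin; prints "<client><TAB><matching field>" per hit.
find_funcdef_headers() {
    awk -F'"' '
    {
        split($1, head, " ")            # client address is the first token
        # Fields 4, 6, ... are the quoted values after the request line.
        # Every one is checked because an escaped quote (\") inside a
        # header shifts the later fields to the right.
        for (i = 4; i <= NF; i += 2)
            if ($i ~ /[(][)][ \t]*[{]/) {
                printf "%s\t%s\n", head[1], $i
                next                    # report each log line once
            }
    }'
}

# Constructed sample log lines (not real traffic); the trailing command
# is a harmless echo, as in the demonstration in the post.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.77 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status.pl HTTP/1.1" 200 87 "-" "() { :; }; echo probe"
192.0.2.78 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/status.pl HTTP/1.1" 200 87 "() { :; }; echo probe" "curl/7.38.0"
EOF
}

sample_log | find_funcdef_headers
```

Only headers that the server writes to the log are covered; a value sent in any other header reaches the CGI environment without appearing here.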
All versions of Bash are vulnerable, starting with bash-1.14 (information from shellshocker.net).
In certain circles, the vulnerability was nicknamed “Bashdoor,” which is not surprising.
More details are easy to find by searching for the CVE IDs.
UPD 2014-09-24: Some “Hindu” security blogs add “privilege escalation” to the name of the vulnerability. This is not true: there is no privilege escalation, and the code is executed with the rights of the same user that the "parent" shell runs as.
On Twitter, the vulnerability has been dubbed shellshock.
UPD 2014-09-25: the fix for CVE-2014-6271 was incomplete; the new vulnerability was assigned the identifier CVE-2014-7169. Details are in the comments to the post.
UPD 2014-09-26: Fix for CVE-2014-7169 is available in the repositories of the main distributions. Red Hat Product Security has posted a small FAQ on its blog.