CVE-2014-6271, CVE-2014-7169: remote code execution in Bash

    Details about the vulnerability in Bash were posted today.
    In short, Bash allows you to export functions as environment variables:

    $ myfunc() { echo "Hello"; }
    $ export -f myfunc
    $ env | grep -A1 ^myfunc
    myfunc=() {  echo "Hello"

    The vulnerability is that if after the function body (after the last character "}") you add another command and export it, it will be executed when the child interpreter is called:

    $ env x='() { :; }; echo "Oh..."' /bin/bash -c /sbin/nologin
    This account is currently not available.

    This, in turn, allows you to do interesting things - for example, if you have a CGI script in Perl that calls Bash - the attacker can construct an HTTP package that will contain malicious code. This code through environment variables gets into Bash - and will be executed.

    All versions of Bash are vulnerable, starting with bash-1.14 (information from ).
    In certain circles, the vulnerability was nicknamed “Bashdoor,” which is not surprising.

    More details can be easily google by CVE ID.

    UPD 2014-09-24: Some “Hindu” security blogs attribute “privilege escalation” to the name of the vulnerability. This is not true - no privilege escalation, the code is executed with the rights of the same user, under which the "parent" shell runs.
    On Twitter, the vulnerability has been dubbed shellshock.

    UPD 2014-09-25: the fix for CVE-2014-6271 was incomplete, the new vulnerability was assigned the identifier CVE-2014-7169. Details are in the comments to the post.

    UPD 2014-09-26: Fix for CVE-2014-7169 is available in the repositories of the main distributions. Red Hat Product Security has posted a small FAQ on its blog.

    Also popular now: