Revision as of 20:43, 30 April 2020 edit Matthiaspaul (talk \| contribs) Autopatrolled, Extended confirmed users, Page movers, New page reviewers, Pending changes reviewers, Rollbackers, Template editors 137,876 edits +CVE template ← Previous edit		Revision as of 18:32, 11 May 2020 edit undo DannyS712 bot (talk \| contribs) Bots 133,279 edits m Task 70: Update syntaxhighlight tags - remove use of deprecated <source> tags Tag: AWB Next edit →
Line 65: This original form of the vulnerability ({{CVE\|2014-6271}}) involves a specially crafted environment variable containing an exported function definition, followed by arbitrary commands. Bash incorrectly executes the trailing commands when it imports the function.<ref name="nvd6271">{{cite web\|url=http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271\|title=Vulnerability Summary for CVE-2014-6271\|publisher=NIST\|date=4 October 2014\|accessdate=8 October 2014}}</ref> The vulnerability can be tested with the following command: <~~source~~syntaxhighlight lang="bash">env x='() { :;}; echo vulnerable' bash -c "echo this is a test"</~~source~~syntaxhighlight> In systems affected by the vulnerability, the above commands will display the word "vulnerable" as a result of Bash executing the command '''''"echo vulnerable"''''', which was embedded into the specially crafted environment variable named '''''"x"'''''.<ref name="zdnet-betterbash" /><ref>{{cite web\|url=https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/\|title=Bash specially-crafted environment variables code injection attack\|work=Red Hat Security\|accessdate=2 October 2014}}</ref> Line 79: demonstrated in the following code: <~~source~~syntaxhighlight lang="bash"> env X='() { (a)=>\' bash -c "echo date"; cat echo </syntaxhighlight> ~~</source>~~ On a vulnerable system, this would execute the command "date" unintentionally.<ref name="qualys" /> Here is an example of a system that has a patch for CVE-2014-6271 but not CVE-2014-7169: <~~source~~syntaxhighlight lang="console"> $ X='() { (a)=>\' bash -c "echo date" bash: X: line 1: syntax error near unexpected token `=' Line 93: $ cat echo Fri Sep 26 01:37:16 UTC 2014 </syntaxhighlight> ~~</source>~~ The system displays syntax errors, notifying the user that CVE-2014-6271 has been prevented, but still writes a file named 'echo', into the working directory, containing the result of the 'date' call. Line 99: A system patched for both CVE-2014-6271 and CVE-2014-7169 will simply echo the word "date" and the file "echo" will ''not'' be created, as shown below: <~~source~~syntaxhighlight lang="console"> $ X='() { (a)=>\' bash -c "echo date" date $ cat echo cat: echo: No such file or directory </syntaxhighlight> ~~</source>~~ ===CVE-2014-7186=== Line 110: An example of the vulnerability, which leverages the use of multiple "<<EOF" declarations (nested [[Here document\|"here documents"]]): <~~source~~syntaxhighlight lang="bash"> bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' \|\| echo "CVE-2014-7186 vulnerable, redir_stack" </syntaxhighlight> ~~</source>~~ A vulnerable system will echo the text "CVE-2014-7186 vulnerable, redir_stack". Line 120: An example of the vulnerability, which leverages the use of multiple "done" declarations: <~~source~~syntaxhighlight lang="bash"> (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) \| bash \|\| echo "CVE-2014-7187 vulnerable, word_lineno" </syntaxhighlight> ~~</source>~~ A vulnerable system will echo the text "CVE-2014-7187 vulnerable, word_lineno". This test requires a shell that supports [[brace expansion]].<ref>{{cite web\|last1=Ramey\|first1=Chet\|title=Re: CVE-2014-7187\|url=http://lists.gnu.org/archive/html/bug-bash/2014-10/msg00139.html\|website=lists.gnu.org}}</ref>

Shellshock (software bug): Difference between revisions