There is apparently a vulnerability (CVE-2014-6271) in bash: Bash specially crafted environment variables code injection attack (https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/)

I am trying to figure out what is happening, but I'm not entirely sure I understand it. How can the echo be executed as it is in single quotes?

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test

EDIT 1: A patched system looks like this:

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

EDIT 2: There is a related vulnerability / patch: CVE-2014-7169 which uses a slightly different test:

    $ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

unpatched output:

    vulnerable
    bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
    bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
    bash: error importing function definition for `BASH_FUNC_x'
    test

partially (early version) patched output:

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    bash: error importing function definition for `BASH_FUNC_x()'
    test

patched output up to and including CVE-2014-7169:

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `BASH_FUNC_x'
    test

EDIT 3: story continues with:

jippie
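A defender-side check built from the three outputs quoted in the question, as an added example that is not part of the original post: it runs the CVE-2014-7169 test command against a chosen bash binary and reports which of the three states the output matches. The function names, the state labels and the `unrecognized` fallback (for builds that print none of the quoted messages) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the question): classify what the CVE-2014-7169 test prints.
# Function names and state labels are assumptions made for this example.

classify_output() {   # $1 = combined stdout+stderr of the test command
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo unpatched            # the trailing echo in the variable ran
    elif printf '%s\n' "$1" | grep -qF "definition for \`BASH_FUNC_x()'"; then
        echo partially-patched    # early patch: name still reported with "()"
    elif printf '%s\n' "$1" | grep -qF "definition for \`BASH_FUNC_x'"; then
        echo patched              # up to and including CVE-2014-7169
    else
        echo unrecognized         # none of the three outputs quoted in the question
    fi
}

check_bash() {        # $1 = bash binary to test (default: bash on PATH)
    classify_output "$(env 'x=() { :;}; echo vulnerable' \
        'BASH_FUNC_x()=() { :;}; echo vulnerable' "${1:-bash}" -c "echo test" 2>&1)"
}

# The three outputs quoted in the question, one message per line.
sample_unpatched() { cat <<'EOF'
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test
EOF
}
sample_partial() { cat <<'EOF'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash: error importing function definition for `BASH_FUNC_x()'
test
EOF
}
sample_patched() { cat <<'EOF'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test
EOF
}

if [ "$#" -gt 0 ]; then check_bash "$1"; fi
```

The order of the checks matters: the unpatched output also contains the `BASH_FUNC_x'` import error, so the `vulnerable` line has to be tested first.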