2014-09-24 17:03:19 +0200, door Florian Weimer: Bash supports exporting not just shell variables, but also shell functions to other bash instances, via the process environment to (indirect) child processes.
Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment.
The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition. For example, an environment variable setting of
VAR=() { ignored; }; /bin/id
will execute /bin/id when the environment is imported into the bash process. (The process is in a slightly undefined state at this point. The PATH variable may not have been set up yet, and bash could crash after executing /bin/id, but the damage has already happened at this point.)
The fact that an environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands makes this vulnerability particularly severe; it enables network-based exploitation.
So far, HTTP requests to CGI scripts have been identified as the major attack vector.A typical HTTP request looks like this:
GET /path?query-param-name=query-param-value HTTP/1.1
Host: www.example.com
Custom: custom-header-value
The CGI specification maps all parts to environment variables. With Apache httpd, the magic string “() {” can appear in these places:
* Host (“www.example.com”, as REMOTE_HOST)
* Header value (“custom-header-value”, as HTTP_CUSTOM in this example)
* Server protocol (“HTTP/1.1”, as SERVER_PROTOCOL)
The user name embedded in an Authorization header could be a vector as well, but the corresponding REMOTE_USER variable is only set if the user name corresponds to a known account according to the authentication configuration, and a configuration which accepts the magic string appears somewhat unlikely.
In addition, with other CGI implementations, the request method (“GET”), path (“/path”) and query string (“query-param-name=query-param-value”) may be vectors, and it is conceivable for “query-param-value” as well, and perhaps even “query-param-name”.
The other vector is OpenSSH, either through AcceptEnv variables, TERM or SSH_ORIGINAL_COMMAND.Other vectors involving different environment variable set by additional programs are expected.