
As you all know, a remote code execution vulnerability has been identified in the Bourne Again Shell, better known as Bash, the command-line shell on Linux and Unix systems. This vulnerability affects Bash versions 1.14.0 to 4.3 and is also known as the Bash Bug or Shellshock.

The CVE identifier for this vulnerability is CVE-2014-6271.

Many websites have already covered this vulnerability, but I thought I would post about it on our blog for our readers. According to the CVE description, this vulnerability allows remote attackers to execute arbitrary code via a crafted environment.

Below I have tried to explain how the Bash Bug works. Bash lets the user type commands and execute them in the terminal on Linux and Unix based systems.

In Bash the user can set "environment variables" and retrieve them later when needed. Below is an example of environment variables.


In the above example I set one environment variable, NAME, and later used that variable to echo its value within a sentence. Environment variables are very useful, as shown above. This is how environment variables work.

Below is a small variation on our first example.


The "env" command in the above example sets the environment variable NAME=Girishkumar and then executes the given command in that environment.

Like other programming languages, Bash has functions (with a limited implementation), and it is possible to put Bash function definitions into environment variables. Let us use a function with the env command.

Below is the example.


In the above example we passed a function through the "env" command, executed it and got the output. Here the -c option executes the commands from a string, i.e. everything inside the quotes.

So how does the Bash Bug or Shellshock work?


The flaw is triggered when extra code is added after the end of the function definition: Bash does not stop at the closing brace and also executes the trailing commands. The image below gives a good understanding of the Bash Bug.


Above image credit: Symantec.com

Below is the vulnerable code example.



In the above example the command "echo test" does not use the $XY variable. If Bash behaved correctly, the trailing command "echo vulnerable" would be ignored and never executed, and the output "vulnerable" would not be displayed. But "echo vulnerable" was executed and produced output.

The malicious input XY='() { :;}; echo vulnerable' is the cause of this vulnerability. When Bash imports the environment variable it treats the part after the function definition as a command and executes it, rather than treating it as a string of characters and ignoring it.

How do you test whether your system is vulnerable to the Bash Bug / Shellshock?

Run the command below in a Bash terminal:

env XY='() { :;}; echo vulnerable' bash -c 'echo test' 

If you are vulnerable, it will print the word "vulnerable" in the output, as shown below.


If you are not vulnerable, it will give the output below. It will echo only "test" and not "vulnerable".
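To make the check above repeatable (for example across several Bash binaries on one host), here is an added example script that is not part of the original post. It wraps the same env test described above, classifies the captured output, and reports a verdict; the verdict names "vulnerable", "patched" and "unknown" and the optional binary-path argument are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): runs the post's Shellshock test
# against a chosen bash binary and turns the output into a clear verdict.

# classify_output: map the captured output of the test command to a verdict.
# A patched bash prints exactly "test"; a vulnerable bash also prints
# "vulnerable" because it executed the code after the function definition.
classify_output() {
    case "$1" in
        *vulnerable*) echo "vulnerable" ;;
        test)         echo "patched" ;;
        *)            echo "unknown" ;;   # empty or unexpected output
    esac
}

# check_bash: run the post's test against the bash binary given as $1
# (default: whatever "bash" resolves to on PATH) and print the verdict.
check_bash() {
    bin="${1:-bash}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "unknown"
        return 0
    fi
    # Same test as the post: XY looks like a function definition followed by
    # an extra command. A patched bash never runs "echo vulnerable".
    # stderr is discarded so a patched bash's import warning cannot confuse
    # the classification.
    out=$(env XY='() { :;}; echo vulnerable' "$bin" -c 'echo test' 2>/dev/null)
    classify_output "$out"
}

# Usage: sh shellshock_check.sh [/path/to/bash]
check_bash "$@"
```

Run it once per Bash binary you care about (e.g. /bin/bash and any statically bundled copies); a "patched" verdict for the system shell is the outcome you want after applying the vendor update.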


So update your Bash version as soon as possible, as the various vendors have released patches for this vulnerability.
