Understanding Bash Bug or Shellshock vulnerability with examples.


As you all know, a Remote Code Execution vulnerability has been identified in the Bourne Again Shell, also known as Bash, which is a command-line shell in Linux and Unix. This vulnerability, also known as the Bash Bug or Shellshock, affects versions 1.14.0 to 4.3.

The CVE for this vulnerability is CVE-2014-6271.

So far many websites have released news about this vulnerability; however, I thought I would post about it on our blog for all our readers. According to the CVE, this vulnerability allows remote attackers to execute arbitrary code via a crafted environment.

Below I have tried to explain how the Bash Bug vulnerability works. Bash allows a user to type commands and execute them in the terminal on Linux and Unix based systems.

In Bash the user can set "environment variables" and retrieve them later when needed. Below is an example of environment variables.


In the above example I have set one environment variable, NAME, and later used that variable to echo its value in a sentence. This is how environment variables work, and as shown above they are very useful.

Below is a slight variation on our first example.


The "env" command in the above example sets the environment variable NAME=Girishkumar and then executes the given command in that environment.

Like other programming languages, Bash has functions, though with a limited implementation, and it is possible to put Bash functions into environment variables. Let us use a function with the env command.

Below is an example.


In the above example we have used a function with the "env" command, executed it and got the output. Here the -c option executes the commands from a string, i.e. everything inside the quotes.

So how does the Bash Bug or Shellshock work?


The flaw is triggered when extra code is added after the end of the function definition. The image below gives a good understanding of the Bash Bug.


 
Above image credit: Symantec.com

Below is an example of the vulnerable behaviour.



In the above example the command "echo test" doesn't use the $XY variable. So if Bash worked correctly, the command "echo vulnerable" would be ignored and never executed, and the output "vulnerable" would not be displayed. But "echo vulnerable" was executed and produced its output.

The malicious input in XY='() { :;}; echo vulnerable' is the cause of this vulnerability. The text after the function definition in the environment variable is treated as a command and executed, rather than being treated as a string of letters and ignored.

How to test whether your system is vulnerable to the Bash Bug / Shellshock or not?

Run the command below in a Bash terminal:

env XY='() { :;}; echo vulnerable' bash -c 'echo test' 

If you are vulnerable then it will print the word "vulnerable" in the output, as shown below.


If you are not vulnerable then it will give the output shown below. It will echo only "test" but not "vulnerable".
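The check above can be scripted so that every installed copy of bash is tested, not only the one on your PATH. This is an added example, not part of the original post; the function names, return codes and the list of candidate paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example: the page's CVE-2014-6271 probe wrapped in reusable functions.
# Function names and return codes are choices made for this example.

# Classify captured probe output.
# Returns 0 = vulnerable, 1 = not vulnerable, 2 = inconclusive.
classify_probe_output() {
    out=$1
    # The harmless command must have run, otherwise the result means nothing.
    if ! printf '%s\n' "$out" | grep -qx 'test'; then
        return 2
    fi
    # The marker is printed only when Bash executed the text that follows
    # the function body while importing the XY variable.
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        return 0
    fi
    return 1
}

# Run the probe against one specific bash binary (path given as $1).
check_bash() {
    bash_path=$1
    [ -x "$bash_path" ] || return 2
    out=$(env XY='() { :;}; echo vulnerable' "$bash_path" -c 'echo test' 2>/dev/null) || true
    classify_probe_output "$out"
}

# Print a one-line verdict for a bash binary.
report() {
    rc=0
    check_bash "$1" || rc=$?
    case $rc in
        0) echo "$1: VULNERABLE to CVE-2014-6271, update bash" ;;
        1) echo "$1: not vulnerable" ;;
        *) echo "$1: could not be tested" ;;
    esac
}

# Candidate install locations (assumed; adjust for your system).
for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
    if [ -e "$b" ]; then report "$b"; fi
done
```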


So it is better to update your Bash version as soon as possible, as the different vendors have released patches for this vulnerability.
