A new and critical vulnerability called “shellshock” has been announced. The vulnerability is in the ‘bash’ shell application and can be remotely exploitable. There is a high chance that an Internet worm will be written to use this hole to attack systems over the Internet. A patch is available for this issue for most operating systems.
The vulnerability can be exploited over ssh, and over HTTP/HTTPS via CGI scripts.
Our team is still researching the vulnerability in order to design a test that is both reliable and non-destructive; however, due to the sensitive nature of executing commands on a live system remotely this may be difficult.
In the meantime, we recommend doing a simple check to see if the server is vulnerable. To test if your version of Bash is vulnerable to this issue, run the following command:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the output of the above command looks as follows:
--
vulnerable
this is a test
--
Then you are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:
--
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
--
More information about this bug is available here:
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
