Can someone explain this exploit in terms understandable to a non-Linux user? From what I can gather, you can set functions as Bash environment variables, and these are then executed whenever Bash is loaded?
You can define functions in bash with the following syntax:

    hello () { echo "Hello, world"; }

You can export these functions so they are available to a child bash process by calling export -f hello. When you do this, Bash sets the environment variable hello to the value () { echo "Hello, world"; } and exports it.

When the child Bash process is started, it scans its environment variables. It finds the environment variable hello=() { echo "Hello, world"; } which was exported by its parent. Since the value starts with (), it concatenates the variable name with its value and executes it. So in that case, it will execute

    hello () { echo "Hello, world"; }

and the function will be correctly redefined.

The problem is that it blindly trusts the environment variables to have the correct syntax. If it finds an environment variable hello=() { echo "Hello, world"; }; malicious_command, it will execute

    hello () { echo "Hello, world"; }; malicious_command

resulting in the immediate execution of malicious_command as soon as Bash starts.
This is a serious problem for two reasons:
- Environment variables are inherited recursively by child processes
- The /bin/sh shell, which is often bash, is used by most shell scripts; starting a shell script with a malicious environment variable is then sufficient to trigger the attack. /bin/sh is also used when a program wants to execute a shell command (see system(3)), so programs running shell commands are also vulnerable.
Besides CGI scripts, there may be ways to do a privilege escalation on a vulnerable system if a privileged program ends up running shell commands, or shell scripts.
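The mechanism described in the answer above, as an added example that is not part of the original question or answer. It assumes only that a `bash` binary is on PATH; every bash invocation is explicit so the script itself can be run under plain sh. The first function shows the intended export-and-reimport of a function; the second shows how the exported function actually appears in the environment (a patched bash encodes it as BASH_FUNC_hello%% rather than a plain hello= variable, which is the fix for the flaw); the third is the well-known probe for the bug: an environment variable, here arbitrarily named `probe`, whose value is a function body followed by a trailing command. A vulnerable bash runs that trailing command while starting, a patched bash ignores it.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes `bash` is on PATH.

# 1. Intended behaviour: a function exported with `export -f` in a parent bash
#    is re-created in a child bash from the environment variable it set.
export_function_roundtrip() {
    bash -c 'hello () { echo "Hello, world"; }; export -f hello; bash -c hello'
}

# 2. What the exported function looks like in the environment. An unpatched
#    bash used the plain variable name (hello=() { ... }); a patched bash uses
#    BASH_FUNC_hello%% so an ordinary variable can never look like a function.
show_exported_function_env() {
    bash -c 'hello () { echo "Hello, world"; }; export -f hello; env' | grep 'hello' | head -n 1
}

# 3. The probe: the value is a (harmless) function body followed by an extra
#    command. Bash never references `probe`; the only question is whether the
#    trailing `echo VULNERABLE` runs at startup. Prints "vulnerable" or "patched".
shellshock_probe() {
    out=$(env 'probe=() { :; }; echo VULNERABLE' bash -c 'echo startup-complete' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

echo "round trip : $(export_function_roundtrip)"
echo "environment: $(show_exported_function_env)"
echo "bash status: $(shellshock_probe)"
```

Run it on a host you administer to confirm its bash is patched; the probe is the same shape as the malicious variable described in the answer, with a benign echo standing in for malicious_command.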