John Powell

Reputation: 12581

Shellshock vulnerability, CVE-2014-7169

This ycombinator thread states that

env X='() { (a)=>\' sh -c "echo date"

allows you to drop the first token, and then run the result, sending the output to the dropped token. I can see that the magic is in the () { (a)=>\' part, but this is quite a hard thing to search for, so it would be great if someone could explain the inner workings.

In the linked possible duplicate question, a variable is exported to an environment variable by using,

env X="() { :;} ;

which really is not the same as

env X='{ (a)=>\'

which is the part I am trying to understand the workings of. So, what do the (a) and =>\' parts do? Clearly, it is doing something very similar, but is different in that it got around the first patch to this vulnerability, see comments by chepner.

Upvotes: 18

Views: 850
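As an added self-check that is not part of the question or the thread, this POSIX sh script runs the question's exact environment string against a local bash in a scratch directory and reports whether the dropped-token behaviour described above occurs, i.e. whether the leftover `>\` redirect turns `echo date` into `> echo date` and leaves a file named `echo` behind. The function name and the three result words are assumptions of this example.

```shell
#!/bin/sh
# Self-check for CVE-2014-7169 using the string quoted in the question.
# Prints "vulnerable", "patched" or "unavailable" (no such shell found).
check_cve_2014_7169() {
    shell="${1:-bash}"
    command -v "$shell" >/dev/null 2>&1 || { echo unavailable; return 0; }
    tmp=$(mktemp -d) || return 1
    # On an unpatched bash the function parser stops at the bad token "(a)="
    # but keeps the trailing ">\" pending, so the command "echo date" is read
    # as "> echo date": the first word becomes a redirect target, "date" runs,
    # and its output lands in a file literally named "echo" in the cwd.
    # A patched bash ignores the imported definition and just prints "date".
    ( cd "$tmp" && env X='() { (a)=>\' "$shell" -c "echo date" >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Usage: check the default bash, or pass another shell path as the argument.
check_cve_2014_7169 "${1:-bash}"
```

Run it on each host after patching; any output other than "patched" means the bash on that PATH still needs the CVE-2014-7169 fix.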

Answers (0)
