Early analysis of the BASH vulnerability - vulnerability warning - the black bar safety net

ID MYHACK58:62201454042
Type myhack58
Reporter Anonymous
Modified 2014-09-25T00:00:00


A remote code execution vulnerability, CVE-2014-6271, was recently disclosed in BASH.

In addition to exporting shell variables as environment variables, BASH can also export shell functions as environment variables. Current versions of bash export a function definition by using the function name as the environment variable name and a string beginning with “(){” as the environment variable's value.

The newly disclosed vulnerability is that when BASH processes such a “function environment variable”, it does not stop at the “}” that ends the function, but goes on to execute the shell commands that follow it. For example


Currently, CGI shell scripts that accept HTTP requests are the main target of attack. A typical HTTP request looks like this:

GET /path?query-param-name=query-param-value HTTP/1.1
Host:
Custom: custom-header-value

Under the CGI standard, every part of the HTTP request is mapped to environment variables. For example, with Apache Httpd, the string (){ can appear in the following places:

  • Host (“”, as REMOTE_HOST)
  • Header value (“custom-header-value”, as HTTP_CUSTOM in this example)
  • Server protocol (“HTTP/1.1”, as SERVER_PROTOCOL)
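
The following POSIX shell script is an added example, not code from the original article: it maps a raw HTTP request to CGI-style variable names and reports any value that begins with the exported-function prefix, the way a defender might screen captured requests. The sample request, its host name and the function names are constructed for illustration, and header names follow the usual CGI HTTP_* convention.

```shell
#!/bin/sh
# Added example: flag CGI variables whose value starts like an exported
# bash function ("()" + optional blanks + "{").

# Constructed sample request; the Custom header carries the marker followed
# by an inert placeholder instead of any command.
sample_request() {
cat <<'EOF'
GET /cgi-bin/status?name=value HTTP/1.1
Host: www.example.com
Custom: () { :;}; PLACEHOLDER
User-Agent: test-client
EOF
}

# Succeeds when the value begins with the function-definition prefix.
is_function_value() {
    printf '%s\n' "$1" | grep -Eq '^\(\)[[:space:]]*\{'
}

# Reads a raw HTTP request on stdin and prints NAME=value for every
# CGI variable that would be handed to bash as a function definition.
flag_request() {
    first=1
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        if [ "$first" -eq 1 ]; then
            first=0
            rest=${line#* }          # drop the method
            proto=${rest#* }         # drop the URI, keep the protocol
            if is_function_value "$proto"; then
                printf '%s=%s\n' "SERVER_PROTOCOL" "$proto"
            fi
            continue
        fi
        if [ -z "$line" ]; then break; fi      # blank line ends the headers
        name=$(printf '%s' "${line%%:*}" | tr 'a-z-' 'A-Z_')
        value=${line#*:}
        value=${value#"${value%%[! ]*}"}       # trim leading spaces
        if is_function_value "$value"; then
            printf '%s=%s\n' "HTTP_$name" "$value"
        fi
    done
}

sample_request | flag_request
```

Only the Custom header in the sample is reported, as HTTP_CUSTOM; the protocol and the other headers pass the check.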
