Bash uses special environment variables for code injection attacks

Source: Internet
Author: User

Bash uses special environment variables for code injection attacks

Bash or Bourne again shell is a UNIX-like shell script, which may be the most common installation component in any Linux system. Since its birth in 1980, bash has evolved from a simple terminal-based command interpreter to many other exotic uses.

In Linux, environment variables affect system software. They are composed of a name and a value assignment to the name. The same is true for bash shell. It is common to run bash shell in the background of a program. It is usually used to provide a shell (such as via ssh or telnet) to remote users, provide a parser (such as Apache) for CGI scripts, and even provide limited command execution support (such as git ).

Back to the topic, you can use special processed values to create environment variables before calling bash shell. This fact exposes the system's vulnerabilities. These variables can contain Code and are executed with shell calls. These processed variable names are nothing, mainly their contents. Vulnerabilities are exposed in the following contexts:

  • ForceCommand is the environment variable used in sshd. It provides limited command execution permissions to remote users. This vulnerability can be bypassed and arbitrary command execution permissions are provided. Some Git and Subversion deployment use such shell. The conventional use of OpenSSH is not affected because the user has already entered the shell.

  • If the CGI script uses bash or generates a large number of sub-shells, the Apache server using mod_cgi or mod_cgid will be affected. These sub-shells may be used by C system/popen, and may be used by Python OS. system/OS. popen usage may be used by PHP system/exec running in CGI Mode, and may be used by open/system in Perl using shell.

  • The PHP script for executing mod_php will not be affected even if a large number of sub-shells are generated.

  • The DHCP client calls a shell script to configure the system and uses values from potential malicious servers. This allows any command to run, especially as the root of the DHCP client.

  • Various daemon and SUID/privileged programs may execute shell scripts using environment variables set by users and affected by users, allowing arbitrary commands to run.

  • Any other application that may be vulnerable to shell, or the application that runs shell scripts to use bash as the interpreter. Shell scripts that do not introduce environment variables are safe, even if they process insecure content, store it in (not introduced) shell variables, and open the sub-shell.

Like programming languages, Bash also has functions. Despite its limited implementation, these bash functions may be put into environment variables. This vulnerability is triggered when additional code is appended to the end of the Function Definition in these environment variables. Like this:

$ Env x = '() {:;}; echo vulnerable 'bash-c "echo this is a test"
This is a test

The patch fixes this vulnerability and ensures that no additional code is allowed at the end of the bash function. Therefore, if you use the bash version that has been patched to run the above example, you should get an output similar to this:

$ Env x = '() {:;}; echo vulnerable 'bash-c "echo this is a test"
Bash: warning: x: ignoring function definition attempt
Bash: error importing function definition for 'X'
This is a test

We believe this should not affect any backward compatibility. Of course, it will affect any script that uses the environment variables created above, but this will be considered a bad programming practice.

Red Hat's Security Issue Report fixes the problem in Red Hat Enterprise Linux. The problem fix package is also shipped to Fedora.

Gitlab-shell is affected by Bash CVE-2014-6271 Vulnerability

Linux security vulnerability exposure Bash is more serious than heartbleed

The solution is to upgrade Bash. Please refer to this article.

For more information about the affected Red Hat products, visit

CentOS information can be found at

This article permanently updates the link address:

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.