Bash shell

Bourne Again Shell (BASH) is widely used and default command interpreter for many Linux flavors, is prone to a command execution vulnerability as discovered by Stephane Chazelas of Akamai.

The vulnerability is due to the way bash processes specially crafted environment variables i.e trailing code in function definitions was executed, independent of the variable name, which allows attackers to execute arbitrary commands.

Bash supports exporting not just shell variables, but also shell functions to other bash instances, via the process environment to (indirect) child processes. If we can control the environment variable (which will be processed by bash) then we can run any arbitrary commands.

Bash is used in various remote application to execute commands. Due to this nature the vulnerability is rated as critical. Hence users and administrators need to take required actions as soon as possible.


Simple test to check your Bourne Again Shell (BASH) is vulnerable.

Vulnerable BASH CVE-2014-6271


After applying the patch for CVE-2014-6271, same test will return following message.

Non Vulnerable BASH CVE-2014-6271


In many other common configurations this vulnerability is exploitable remotely. Most commonly Apache server is used to execute CGI applications through mod_cgi or mod_cgid. Crafted request to these CGI applications when default shell is bash allows to execute commands on the server remotely. Similar attacks are also possible via SSH but authentication is required to trigger this vulnerability.

How Apache with CGI applications are affected?

CGI applications will parse HTTP headers and stores many parameters (User-Agents, Referer, Cookie, Host etc) in the process environment before executing the application. These HTTP headers can be controlled by the attackers. Hence attackers take advantages of this vulnerability to execute desired commands on the server.

When attackers send crafted HTTP header, CGI application stores those headers in the process environment before executing and if the default shell is bash, it will parse the environment variables and executes commands specified after the function.

Bash is suppose to stop parsing after the function but due to a bug in the bash interpreter it will keep on parsing outside the function and executes command which is outside the function.

Crafted User-Agent header looks like

‘User-Agent: () { :;};’ CMD_TO_BE_EXECUTED
‘() { :;};’ – function with syntactically correct with an empty body.

Available patch for CVE-2014-6271 is incomplete but still users and administrators need to deploy the patch which contains fix for CVE-2014-6271 and patched bash versions are more complicated to exploit. 

– Veerendra GG

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>