Remote code execution through bash CVE-2014-6271

A new vulnerability has been discovered in bash, related to how environment variables are processed. You can read more on the Red Hat security blog. This vulnerability can be used to execute code remotely, even via ssh, if the remote shell is bash.

In ssh, you can use the ForceCommand option in sshd_config, or the "command" option in .ssh/authorized_keys. This option 'Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored.' (man sshd).
So you can use it, for example, to automatically launch a backup script when the user connects, and nothing more.

For example, in test/.ssh/authorized_keys:

command="/usr/local/bin/backup.sh" ssh-rsa [...thepublickey...]

Now, a “ssh test@myserver.com” will automatically launch this script, and that’s all.

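When bash starts, it imports function definitions stored in environment variables. With CVE-2014-6271, the flaw is triggered when extra code is added after the end of such a function definition (inside the environment variable): bash executes that code. With a forced command, sshd places the command supplied by the client in the SSH_ORIGINAL_COMMAND environment variable, so the client controls the content of a variable that bash parses.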

$ ssh test@myserver.com '() { ignored; }; /bin/date'
Wed Sep 24 18:32:41 CEST 2014

So, instead of executing your backup script, your custom command is launched!
From there, everything is possible…
So update your bash package, especially if you have this kind of configuration!

Note: of course, in this case, the remote attacker needs a valid account on the machine. But if you use command/ForceCommand to provide git-shell access, for example, this can be a real problem!
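
To check whether a host has the configuration described above, the script below (an added example, not part of the original post) tests a shell binary for the flaw and lists the command= entries of an authorized_keys file. The function names, the marker string and the path in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit helper for the ssh forced-command case.
# Function names and the marker string are assumptions of this example.

# Return 0 if the shell at $1 executes code that trails a function
# definition held in an environment variable (CVE-2014-6271 behaviour).
bash_runs_trailing_code() {
    out=$(probe='() { :; }; echo TRAILING_CODE_RAN' "$1" -c ':' 2>/dev/null)
    case $out in
        *TRAILING_CODE_RAN*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "line-number<TAB>command" for every command="..." option found in
# the authorized_keys file $1. Comment and blank lines are skipped.
list_forced_commands() {
    awk '
        /^[ \t]*(#|$)/ { next }
        match($0, /command="([^"\\]|\\.)*"/) {
            printf "%d\t%s\n", NR, substr($0, RSTART + 9, RLENGTH - 10)
        }' "$1"
}

# Report each forced command in $2, flagged EXPOSED when the shell $1 is
# vulnerable: on such a host the restriction does not hold.
audit() {
    if bash_runs_trailing_code "$1"; then state=EXPOSED; else state=ok; fi
    list_forced_commands "$2" | while IFS="$(printf '\t')" read -r n cmd; do
        printf '%s: %s line %s forces %s\n' "$state" "$2" "$n" "$cmd"
    done
}

# Usage (example path): sh audit.sh /bin/bash /home/test/.ssh/authorized_keys
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

Pass the login shell of the account that owns the key file, because sshd runs the forced command through that shell.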

Sources:

http://seclists.org/oss-sec/2014/q3/649
http://bugzilla.novell.com/show_bug.cgi?id=896776
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html