kennethk's analysis is entirely correct.
First problem: HOW does the client set "the environmental variable BAD_VAR"
Firstly, one of the key factors in exploiting shellshock is that it's not just a single environment variable that is vulnerable. Any environment variable will do. So it doesn't need to be called "BAD_VAR". It could be called, say, HTTP_BAD_BAR.
Make a request to a CGI script like this:
GET /test.cgi HTTP/1.1 Host: example.com Bad-Var: foo
You'll see that the environment contains a variable called HTTP_BAD_VAR.
Somehow, that value has to get passed in to the script... not just to the params packaged up by CGI, but from the params to the script.
No. Forget the script. The script doesn't do anything insecure. Let's imagine a simple script that doesn't even look at environment variables:
#!/usr/bin/perl print "Content-Type: text/plain\n\n"; print "Here's the entire book...\n\n"; system("cat chapter-*.txt");
Yes $ENV{HTTP_BAD_VAR} is tainted, but the script doesn't actually touch that hash value, so no error is raised about it.
The one-argument form of system(), if it contains shell characters (in this case, the asterisk) doesn't spawn the given command directly, but runs it via the system shell (which will usually be bash).
So bash gets spawned. Bash inherits all of %ENV because child processes inherit their parent's environment. Thus bash gets the HTTP_BAD_VAR verbatim from the HTTP request header.
And bash will eval any environment variable that starts with () {.
In reply to Re^6: Taint and Shellshock
by tobyink
in thread Taint and Shellshock
by kennethk
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |