(Update 2014-09-27: corrected Data Protection Act to Computer Misuse Act)
I have been playing around with the world famous shell shock vulnerability, CVE-2014-6271, like many others I am sure. Many have provided some very interesting uses of it, the best one on Twitter was that of instructing the system to update. I would imagine that would still constitute a breach of the Computer Misuse Act since the machine is being altered without the users permission.

The reason for this post is to present some interesting behaviour I noticed when playing around with dash, bash, env and export.

I want to have a way to login to a machine and make sure I could safely check on things. One of the temporary solutions was to remove bash and link in dash. dash does not run the loaded script. Once on the machine you could carry on using dash or attempt loading bash if you feel lucky, if there is a stored version that is.

I therefore looked to see where the function was loaded and noticed some interesting behaviour between dash and bash. So on to the test.

Test Case 1:

Test machine, Ubuntu 10.04,

(I have removed .bashrc to limit the amount in the export list)

We start off by loading up dash, instead of bash.

Fig. 1 – show export via export command, in dash

As seen in fig.1 the clean export list is shown, via the export command, in dash. We then load in the shellshock command at the command prompt within dash, i.e., export evil= '() { :;}; echo shell bashed;' . Fig.2. shows the command loaded up in export.

Fig. 2 – loading shell bashed

Fig. 3 – trying dash and then bash

We then run dash again to show that the command does not run, and then bash to show that it does work.

Fig. 4 – Showing export in bash

From an investigative stance what is interesting is the fact that while in bash, if we run export the evil variable is not shown even though it is executed. Instead it is found in the env list, i.e., run env at command prompt, and it is not the complete command, Fig.5.

Fig. 5 – env listing showing loaded evil variable in bash