oss-sec mailing list archives

Re: more bash parser bugs (CVE-2014-6277, CVE-2014-6278)


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 2 Oct 2014 08:04:24 -0700

According to shellshock test (https://shellshocker.net/shellshock_test.sh)

That script is a weird mixture of tests that implicitly pay no
attention to Florian's patch, and therefore do not really demonstrate
any security risk:

CVE20147186=$((bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo "vulnerable") | grep 'vulnerable' | wc -l)

...ones that explicitly try to circumvent it in a way that makes them
uninteresting from the security perspective:

CVE20146271=$(env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test" 2>&1 | grep 'vulnerable' | wc -l)

...and ones that will fail with Florian's patch:

CVE20147169=$((cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ "$(cat echo 2> /dev/null)" == "nonvuln" ]] && echo "vulnerable" 2> /dev/null) | grep 'vulnerable' | wc -l)

There are also some weird / duplicate entries and general confusion
about which CVE stands for what, e.g.:

CVE2014=$(env X=' () { }; echo hello' bash -c 'date' | grep 'hello' | wc -l)
echo -n "CVE-2014-//// (exploit 3 on http://shellshocker.net/): "

Really, just install the patch. The reasons for this, and a good test
case to check if you're covered, are discussed here:

http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html

If you want to learn a bit more about what these test cases are doing
and why it matters, I have an earlier post here:

http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html

...and last but not least, the details for the last two bugs are here:

http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html

/mz
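The precondition the message keeps returning to is whether bash still imports function definitions from the environment at all; once that is closed off (Florian's patch), the parser tests quoted above are no longer reachable through the environment. As an added example, not the post's own code nor the shellshocker.net script, here is a small POSIX sh check of exactly that precondition: whether the bash on PATH defines a function from an ordinary environment variable, and whether it runs code placed after the function body at startup. The variable name SS_PROBE, the marker strings and the verdict labels are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post or the shellshocker.net script):
# a defender-side check of whether the bash found on PATH still turns
# ordinary environment variables whose value starts with "() {" into shell
# functions. SS_PROBE and the marker strings are constructed for this check.

# Prints "imports" if bash defined a function from a plain env var,
# "safe" if it did not, "nobash" if no bash binary is on PATH.
bash_imports_plain_env_functions() {
    command -v bash >/dev/null 2>&1 || { echo nobash; return 0; }
    # Only a function body is offered; calling SS_PROBE succeeds solely if
    # bash turned the variable into a function while starting up.
    out=$(env 'SS_PROBE=() { echo imported; }' bash -c 'SS_PROBE' 2>/dev/null || true)
    if [ "$out" = "imported" ]; then echo imports; else echo safe; fi
}

# Prints "trailing" if commands placed after the function body ran while
# bash was merely starting (the CVE-2014-6271 behaviour), "safe" otherwise.
bash_runs_trailing_code_on_import() {
    command -v bash >/dev/null 2>&1 || { echo nobash; return 0; }
    out=$(env 'SS_PROBE=() { :;}; echo trailing' bash -c 'true' 2>/dev/null || true)
    if [ "$out" = "trailing" ]; then echo trailing; else echo safe; fi
}

# One-line verdict combining both probes.
shellshock_env_vector_status() {
    imp=$(bash_imports_plain_env_functions)
    trl=$(bash_runs_trailing_code_on_import)
    case "$imp/$trl" in
        nobash/*)   echo "nobash" ;;
        safe/safe)  echo "env-import-disabled" ;;
        *)          echo "env-import-active: import=$imp trailing=$trl" ;;
    esac
}

shellshock_env_vector_status
```

Run it with sh. A verdict of "env-import-disabled" means the environment vector that every quoted test relies on is closed, which is why the post treats parser tests that ignore Florian's patch as showing no exposure; any other verdict is the signal to update bash rather than to keep collecting test-script output.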

