#0) Bash Bug:
"GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution." (source #5)
"Bash supports exporting not just shell variables, but also shell
functions to other bash instances, via the process environment to
(indirect) child processes. Current bash versions use an environment
variable named by the function name, and a function definition
starting with “() {” in the variable value to propagate function
definitions through the environment. The vulnerability occurs because
bash does not stop after processing the function definition; it
continues to parse and execute shell commands following the function
definition. For example, an environment variable setting of
VAR=() { ignored; }; /bin/id
will execute /bin/id when the environment is imported into the bash
process. (The process is in a slightly undefined state at this point.
The PATH variable may not have been set up yet, and bash could crash
after executing /bin/id, but the damage has already happened at this
point.)
The fact that an environment variable with an arbitrary name can be
used as a carrier for a malicious function definition containing
trailing commands makes this vulnerability particularly severe; it
enables network-based exploitation. (...)" (source: #1)
#1) Original Public disclosure: http://seclists.org/oss-sec/2014/q3/649 (source of the quote above)
#2) Severity: "Urgent": https://bugzilla.redhat.com/show_bug.cgi?id=1141597
#3) IDS Rules: http://www.volexity.com/blog/?p=19
#4) Metasploit Module: https://github.com/rapid7/metasploit-framework/commit/ff5398bf3f46c057666f7a3d0afaf4c0d6912575
#5) National Vulnerability Database entry:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
Original release date: 09/24/2014
Last revised: 09/24/2014
Source: US-CERT/NIST
Overview
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
Impact
CVSS Severity (version 2.0):
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service