Report

CVE-2014-7169 Bash Shellshock Secondary Injection via Function Definition Names

a419b0dd-8d4a-4db5-b14f-9b73d4346b5d

CVE-2014-7169 is a secondary command injection vulnerability in bash versions 4.3 and earlier that bypasses the original Shellshock (CVE-2014-6271) fix. The vulnerability exists in the function definition import logic. When bash processes exported functions from environment variables, it checks if the variable value starts with '() {' to identify function definitions. However, in non-POSIX mode (the default), the code fails to validate that the variable name itself is a legal identifier before constructing and executing a command string that concatenates the name with the function body. This allows attackers to inject shell metacharacters (backticks, command substitution, etc.) in the variable name, which are then evaluated as shell code during bash initialization.", Located the vulnerability by examining the initialize_shell_variables function in variables.c. The function iterates through environment variables at line 329. At line 352, it checks if the variable value starts with '() {' to identify function definitions. Lines 354-359 construct a temporary string: 'name () { function_body }'. The critical vulnerability is at line 361 in the condition: 'if (posixly_correct == 0 || legal_identifier (name))' - when posixly_correct is 0 (non-POSIX mode, the default), the name is never validated. The legal_identifier check is bypassed. At line 362, parse_and_execute is called with the constructed string, which then interprets shell metacharacters in the name as executable code. Cross-referenced with exploit files cve_2014_7169_exploit.c and exploit_cve_2014_7169.c that demonstrate the attack pattern using backticks in variable names.", The fix is to require that variable names be legal identifiers regardless of POSIX mode. Change line 361-362 from: 'if (posixly_correct == 0 || legal_identifier (name)) parse_and_execute (...)' to: 'if (legal_identifier (name)) parse_and_execute (...)'. The legal_identifier() function (defined in general.c) validates that a name contains only safe characters (alphanumeric and underscore). By removing the posixly_correct condition, all function definitions must have valid identifier names before being parsed and executed, preventing injection of shell metacharacters in variable names.", The vulnerability can be verified by setting an environment variable with backticks in the name: 'touch /tmp/pwned=() { echo test; }' and running bash. Without the fix, the backticks are executed. With the fix, they are rejected because the name fails legal_identifier() validation and parse_and_execute is not called.", command-injection