The 'ShellShock Bug' (patched 2014)...

'Inherited functions' are subverted so as to always execute, immediately on
shell start up, BEFORE a shell script has a chance to sanitize its
environment. Basically by having it execute code that appears after the
'inherited function'

    env x='() { echo :; }; echo cracker code' bash -c 'echo sub-shell'

Outputs...

    cracker code
    sub-shell

That is, the cracker's code ran BEFORE the shell script!

Also ANY environment variable can be used for this! As such ANY environment
variable can contain code that can be used to attack a vulnerable BASH
sub-shell call.

For example

  OpenSSH...
    The TERM environment variable

  Apache CGI scripts
    A typical HTTP request looks like this:

      GET /path?query-param-name=query-param-value HTTP/1.1
      Host: www.example.com
      Custom: custom-header-value

    The CGI specification maps all parts to environment variables. With
    Apache httpd, the magic string “() {” can appear in these places:

      * Host (“www.example.com”, as REMOTE_HOST)
      * Header value (“custom-header-value”, as HTTP_CUSTOM in this example)
      * Server protocol (“HTTP/1.1”, as SERVER_PROTOCOL)

The 'ShellShock' BASH patch fixed the bug by having 'inherited functions'
stop interpretation at the end of the function definition (the closing '}').

However a second patch added a prefix to the variables that are used for
BASH inherited functions, so only specific variables can be used to define
functions in a sub-shell, and not just ANY variable.

Exported functions now have the form...

    'BASH_FUNC_name()'='() { ......; }'

For example...

    env 'BASH_FUNC_foo()=() { echo foobar; }' bash -c foo
    foobar

    env - 'BASH_FUNC_foo()=() { echo foobar; }' bash -c "declare -x -F"
    declare -fx foo

Functions exported from bash do not need to be modified, they automatically
generate the environment variables of this type to run as functions of the
same name in the sub-shell.

The third patch fixed the identifier syntax used, so functions must have a
valid function identifier.
A function using a 'path' cannot be used.

    env - 'BASH_FUNC_2func()=() { echo foobar; }' bash -c "echo running"
    bash: error importing function definition for `BASH_FUNC_2func'
    running

    env - 'BASH_FUNC_func-2()=() { echo foobar; }' bash -c "echo running"
    bash: error importing function definition for `BASH_FUNC_func-2'
    running

    # valid function identifier
    env - 'BASH_FUNC__fF2()=() { echo foobar; }' bash -c "declare -x -F"
    declare -fx _fF2

---

A more extreme test that broke the first round of patches...

    env X='() { _; } >_[$($())] { echo hi mom; id; }' bash -c :

From http://lcamtuf.blogspot.de/2014/10/bash-bug-how-we-finally-cracked.html

-------------------------------------------------------------------------------
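
The variable forms described above can be checked before a sub-shell is
started. The following Python is an added example, not part of the original
notes: it flags environment variables (including ones mapped from an HTTP
request, CGI style) whose value starts with the function marker. The names
cgi_env, classify and audit and all sample data are constructed here.

```python
import re

MAGIC = "() {"  # marker at the start of an exported function's value
# Post-patch name form: BASH_FUNC_name() as shown above; upstream bash
# releases use a '%%' suffix in place of '()'.
FUNC_VAR = re.compile(r"^BASH_FUNC_(.*?)(\(\)|%%)$")
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def cgi_env(raw_request):
    """Map a raw HTTP request to CGI-style environment variables."""
    head = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, protocol = head[0].split(" ", 2)
    env = {"REQUEST_METHOD": method, "SERVER_PROTOCOL": protocol,
           "QUERY_STRING": target.partition("?")[2]}
    for line in head[1:]:
        name, _, value = line.partition(":")
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return env

def classify(name, value):
    """Return 'ok', 'function' or 'suspect' for one variable."""
    if not value.startswith(MAGIC):
        return "ok"
    m = FUNC_VAR.match(name)
    if m and IDENT.match(m.group(1)):
        return "function"  # prefixed name with a valid identifier
    return "suspect"       # function-like text in any other variable

def audit(env):
    """Return {name: verdict} for every variable that is not 'ok'."""
    verdicts = ((n, classify(n, v)) for n, v in env.items())
    return {n: v for n, v in verdicts if v != "ok"}

# Constructed sample data (not captured traffic).
SAMPLE_REQUEST = (
    "GET /path?query-param-name=query-param-value HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Custom: () { :; }; echo constructed-marker\r\n\r\n")
SAMPLE_ENV = {
    "TERM": "xterm", "x": "() { echo :; }; echo cracker code",
    "BASH_FUNC_foo()": "() { echo foobar; }",
    "BASH_FUNC_2func()": "() { echo foobar; }",
    "BASH_FUNC_func-2()": "() { echo foobar; }",
    "BASH_FUNC__fF2()": "() { echo foobar; }"}

if __name__ == "__main__":
    print(audit(cgi_env(SAMPLE_REQUEST)))
    print(audit(SAMPLE_ENV))
```

A 'function' verdict only says the variable name has the post-patch form; a
caller that did not export that function itself can still drop it.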