Apparently, the shellshock Bash exploit CVE-2014-6271 can be exploited over the network via SSH. I can imagine how the exploit would work via Apache/CGI, but I cannot imagine how that would work over SSH?
Can somebody please provide an example how SSH would be exploited, and what harm could be done to the system?
CLARIFICATION
AFAIU, only an authenticated user can exploit this vulnerability via SSH. What use is this exploit for somebody who has legitimate access to the system anyway? I mean, this exploit does not have privilege escalation (he cannot become root), so he can do no more than he could have done after simply logging in legitimately via SSH.
Best Answer
One example where this can be exploited is on servers with an `authorized_keys` forced command. When adding an entry to `~/.ssh/authorized_keys`, you can prefix the line with `command="foo"` to force `foo` to be run any time that SSH public key is used. With this exploit, if the target user's shell is set to `bash`, they can take advantage of the exploit to run things other than the command that they are forced to. This would probably make more sense in an example, so here is one:
Here we set up a user `testuser` that forces any SSH connections using your SSH key to run `echo starting sleep; sleep 1`. We can test this with:
Notice how our `echo something else` doesn't get run, but the `starting sleep` shows that the forced command did run. Now let's show how this exploit can be used:
This works because `sshd` sets the `SSH_ORIGINAL_COMMAND` environment variable to the command passed. So even though `sshd` ran `sleep`, and not the command I told it to, because of the exploit, my code still gets run.