mjhjmtu

Given a script that allows anyone to provide input. Is there any input that can break out of a variable. For example given the following script:

echo $1

Would there be anyway to make $1 something like:

text && rm -rf /

I'm trying to do something like the above and it doesn't work.

Can anyone confirm that the above would be impossible?

In 2014, there was a exploit in the wild for a Bash vulnerability nicknamed Shellshock. Like most vulnerabilities in common software, a Common Vulnerabilities and Exposures (CVE) Bulletin was released, CVE-2014-6278. Shellshock is a remote exploit for Bash which allowed arbitrary code execution on the remote host via several attack vectors in common server software stacks including Apache's cgi modules as well as OpenSSH.

The vulnerability affects all versions of Bash from 1989 until 2014 when it was patched once easily created exploits were widely demonstrated.

For further reading:

OWASP Shellshock Presentation, PDF

NIST CVE-2014-6278

ServerFault Shellshock Question, 2014

I believe most versions available in Distro Repos have been patched.

Correction: Shellshock is a family of vulnerabilities... CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

And, it's good to remember that these can easily affect a LAN if there exists port forwarding for things like Apache web servers or SSH... as well as any unpatched (and probably unpatchable) Internet of Things devices.

Command separators are processed before expansions, therefore there is no way that n, ;, &, &&, or || in a variable will ever have an effect unless the variable contents are evaled.

It seems like globbing is a vulnerability:

$ echo 'echo $1' > injection.sh
$ bash injection.sh '/*'
/bin /boot /dev /etc /home /lib /lib64 /media /mnt /opt /proc /root /run /sbin /srv /sys /tmp /usr /var

This is why you always quote vars:

$ echo 'echo "$1"' > injection.sh
$ bash injection.sh '/*'
/*