This patch shows a very simple way to find post-Shellshock bugs in bash, as
discussed here:
http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html
In essence, it shows a way to fuzz environmental variables. Instructions:
1) Download bash 4.3, apply this patch, compile with:
CC=/path/to/afl-gcc ./configure
make clean all
Note that the harness puts the fuzzed output in $TEST_VARIABLE. With
Florian's Shellshock patch (bash43-028), this is no longer passed down
to the parser.
2) Create and cd to an empty directory, put the compiled bash binary in
there, and run these commands:
mkdir in_dir
echo -n '() { a() { a; }; : >b; }' >in_dir/script.txt
3) Run the fuzzer with:
/path/to/afl-fuzz -d -i in_dir -o out_dir ./bash -c :
The -d parameter is advisable only if the tested shell is fairly slow
or if you are in a hurry; will cover more ground faster, but
less systematically.
4) Watch for crashes in out_dir/crashes/. Also watch for any new files
created in cwd if you're interested in non-crash RCEs (files will be
created whenever the shell executes "foo>bar" or something like
that). You can correlate their creation date with new entries in
out_dir/queue/.
You can also modify the bash binary to directly check for more subtle
fault conditions, or use the synthesized entries in out_dir/queue/
as a seed for other, possibly slower or more involved testing regimes.
Expect several hours to get decent coverage.
--- bash-4.3/shell.c.orig 2014-01-14 14:04:32.000000000 +0100
+++ bash-4.3/shell.c 2015-04-30 05:56:46.000000000 +0200
@@ -371,6 +371,14 @@
env = environ;
#endif /* __OPENNT */
+ {
+
+ static char val[1024 * 16];
+ read(0, val, sizeof(val) - 1);
+ setenv("TEST_VARIABLE", val, 1);
+
+ }
+
USE_VAR(argc);
USE_VAR(argv);
USE_VAR(env);
Codebase Browser
chromium