This patch shows a very simple way to find post-Shellshock bugs in bash, as
discussed here:

  http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html

In essence, it shows a way to fuzz environment variables. Instructions:

1) Download bash 4.3, apply this patch, compile with:

   CC=/path/to/afl-gcc ./configure
   make clean all

   Note that the harness puts the fuzzed output in $TEST_VARIABLE. With
   Florian's Shellshock patch (bash43-028), this is no longer passed down
   to the parser.

2) Create and cd to an empty directory, put the compiled bash binary in
   there, and run these commands:

   mkdir in_dir
   echo -n '() { a() { a; }; : >b; }' >in_dir/script.txt

3) Run the fuzzer with:

   /path/to/afl-fuzz -d -i in_dir -o out_dir ./bash -c :

   The -d parameter is advisable only if the tested shell is fairly slow
   or if you are in a hurry; it will cover more ground faster, but
   less systematically.

4) Watch for crashes in out_dir/crashes/. Also watch for any new files
   created in cwd if you're interested in non-crash RCEs (files will be
   created whenever the shell executes "foo>bar" or something like
   that). You can correlate their creation date with new entries in
   out_dir/queue/.

   You can also modify the bash binary to directly check for more subtle
   fault conditions, or use the synthesized entries in out_dir/queue/
   as a seed for other, possibly slower or more involved testing regimes.
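   As an added example (not part of this patch or of the AFL or bash sources), a small
   Python triage helper for step 4: instead of guessing from file timestamps, it replays
   each out_dir/queue/ entry through the harness in a fresh scratch directory and records
   which entries made the shell create files. It assumes the harness is passed as an
   absolute path; the demo substitutes a constructed Python stand-in for the patched bash
   so it runs offline.

```python
"""Replay afl-fuzz queue entries and report which ones make the fuzzed shell
create files in its cwd (the non-crash "foo>bar" side effects of step 4)."""
import subprocess
import sys
import tempfile
from pathlib import Path


def run_entry(harness, entry, timeout=5):
    """Feed one queue entry to `harness` (argv list, absolute binary path) on
    stdin, exactly as afl-fuzz does, inside a fresh empty directory. Return
    the sorted names of files the run left behind there."""
    with tempfile.TemporaryDirectory() as scratch:
        with open(entry, "rb") as stdin:
            try:
                subprocess.run(harness, stdin=stdin, cwd=scratch, timeout=timeout,
                               stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
            except subprocess.TimeoutExpired:
                pass  # hangs are reported by afl-fuzz itself; we only want side effects
        return sorted(p.name for p in Path(scratch).iterdir())


def triage_queue(harness, queue_dir):
    """Map each queue entry name to the files it created; entries that left
    the scratch directory untouched are omitted."""
    hits = {}
    for entry in sorted(Path(queue_dir).iterdir()):
        if entry.is_file():
            created = run_entry(harness, entry)
            if created:
                hits[entry.name] = created
    return hits


def demo():
    """Constructed stand-in for the patched bash: a tiny Python 'shell' that
    creates a file 'b' whenever its stdin contains a '>' redirection, plus two
    constructed queue entries named in afl-fuzz style."""
    fake_shell = [sys.executable, "-c",
                  "import sys\nif '>' in sys.stdin.read(): open('b', 'w').close()"]
    with tempfile.TemporaryDirectory() as queue:
        Path(queue, "id:000000,orig:script.txt").write_bytes(b"() { a() { a; }; : >b; }")
        Path(queue, "id:000001,src:000000").write_bytes(b"() { :; }")
        return triage_queue(fake_shell, queue)


if __name__ == "__main__":
    print(demo())  # prints {'id:000000,orig:script.txt': ['b']}
```

   For the real harness, call triage_queue([os.path.abspath("./bash"), "-c", ":"], "out_dir/queue").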

   Expect several hours to get decent coverage.

--- bash-4.3/shell.c.orig	2014-01-14 14:04:32.000000000 +0100
+++ bash-4.3/shell.c	2015-04-30 05:56:46.000000000 +0200
@@ -371,6 +371,14 @@
   env = environ;
 #endif /* __OPENNT */
 
+  {
+
+    static char val[1024 * 16];
+    read(0, val, sizeof(val) - 1);
+    setenv("TEST_VARIABLE", val, 1);
+
+  }
+
   USE_VAR(argc);
   USE_VAR(argv);
   USE_VAR(env);
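Review bot: the return value of `read(0, val, sizeof(val) - 1)` is discarded, so a failed or short read is indistinguishable from a short test case. Because `val` is static it is zero-filled and the last byte stays NUL, so `setenv` always receives a terminated string, but `setenv` stops at the first NUL, which means any fuzzer-generated input containing a 0x00 byte is silently cut there and everything after it never reaches the parser. Consider `ssize_t n = read(0, val, sizeof(val) - 1); if (n < 0) n = 0; val[n] = 0;` so termination is explicit, and mention in the instructions above that environment values are C strings, so inputs with embedded NULs are truncated.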