This patch shows a very simple way to find post-Shellshock bugs in bash, as
discussed here:

  http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html

In essence, it shows a way to fuzz environmental variables. Instructions:

1) Download bash 4.3, apply this patch, compile with:

   CC=/path/to/afl-gcc ./configure
   make clean all

   Note that the harness puts the fuzzed output in $TEST_VARIABLE. With
   Florian's Shellshock patch (bash43-028), this is no longer passed down
   to the parser.

2) Create and cd to an empty directory, put the compiled bash binary in
   there, and run these commands:

   mkdir in_dir
   echo -n '() { a() { a; }; : >b; }' >in_dir/script.txt

3) Run the fuzzer with:

   /path/to/afl-fuzz -d -i in_dir -o out_dir ./bash -c :

   The -d parameter is advisable only if the tested shell is fairly slow
   or if you are in a hurry; it will cover more ground faster, but
   less systematically.

4) Watch for crashes in out_dir/crashes/. Also watch for any new files
   created in cwd if you're interested in non-crash RCEs (files will be
   created whenever the shell executes "foo>bar" or something like
   that). You can correlate their creation date with new entries in
   out_dir/queue/.

   You can also modify the bash binary to directly check for more subtle
   fault conditions, or use the synthesized entries in out_dir/queue/
   as a seed for other, possibly slower or more involved testing regimes.

   Expect several hours to get decent coverage.

--- bash-4.3/shell.c.orig	2014-01-14 14:04:32.000000000 +0100
+++ bash-4.3/shell.c	2015-04-30 05:56:46.000000000 +0200
@@ -371,6 +371,14 @@
   env = environ;
 #endif /* __OPENNT */
 
+  {
+
+    static char val[1024 * 16];
+    read(0, val, sizeof(val) - 1);
+    setenv("TEST_VARIABLE", val, 1);
+
+  }
+
   USE_VAR(argc);
   USE_VAR(argv);
   USE_VAR(env);
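Review bot: the return value of `read(0, val, sizeof(val) - 1)` in the added block is ignored, so a failed read (-1) or a short read goes unnoticed and an empty or partial value is silently exported to the parser; capturing it (`ssize_t n = read(0, val, sizeof(val) - 1); if (n < 0) n = 0; val[n] = 0;`) would also make the NUL termination explicit rather than relying on the static array being zero-initialised and the read being capped one byte short. Any NUL byte inside the fuzzed input truncates the value at `setenv()`, which is worth a comment since AFL will happily generate such inputs. The description already says the block has no effect once bash43-028 is applied; a one-line comment inside the braces stating that it targets unpatched 4.3 would save the next reader a surprise.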
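Step 4 above suggests correlating files that appear in cwd with new entries in out_dir/queue/. The POSIX shell helper below is an added example, not part of the original patch; it assumes a marker file touched just before afl-fuzz was started, AFL's one-file-per-test-case queue layout, and that afl-fuzz writes a queue entry right after the run that produced it, so the oldest queue entry not older than an artifact is the suspect.

```shell
#!/bin/sh
# Added example (not part of the original AFL patch): match files that the
# fuzzed bash created in cwd with the afl queue entry exercised at the time.
# Assumptions: a marker file was touched just before afl-fuzz started
# (e.g. touch .fuzz_started), out_dir/queue/ holds one file per test case,
# and a queue entry is saved right after the run that produced it.

# correlate_artifacts CWD_DIR QUEUE_DIR MARKER
# Prints "artifact -> queue entry" for each file in CWD_DIR newer than MARKER.
correlate_artifacts() {
    cwd_dir=$1
    queue_dir=$2
    marker=$3
    # Only regular files directly in cwd; in_dir/ and out_dir/ are skipped.
    find "$cwd_dir" -maxdepth 1 -type f -newer "$marker" | sort |
    while read -r artifact; do
        match=
        # ls -tr lists oldest first, so the first entry that is not older
        # than the artifact is the closest candidate.
        for name in $(ls -tr "$queue_dir"); do
            entry=$queue_dir/$name
            if [ ! "$artifact" -nt "$entry" ]; then
                match=$entry
                break
            fi
        done
        printf '%s -> %s\n' "${artifact##*/}" \
            "${match:-no queue entry at or after this time}"
    done
}
```

Run it from the fuzzing directory as `correlate_artifacts . out_dir/queue .fuzz_started`; the printed queue entry is the input to replay under `./bash -c :` to reproduce the file write.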