## https://sploitus.com/exploit?id=29315751-D5BA-5783-B858-B1200F66225F
# CVE-2014-6271 - Shellshock PoC
## Summary
CVSS 10.0. Bash improperly parses trailing commands after a function
definition stored in an environment variable, executing them during
shell initialization.
## Root cause
Bash environment variables can encode function definitions:
x='() { :; }'
When bash imports this as an env var and initializes, it parses the
function body but fails to stop parsing after the closing brace,
executing whatever text follows as a command.
## Build
docker build -t shellshock-poc .
## Reproduce
docker run --rm -it shellshock-poc
env x='() { :;}; echo VULNERABLE' bash -c "echo test"
## Expected output (vulnerable)
VULNERABLE
test
## Patched comparison
[patched Dockerfile / output here]
## Real-world vector
CGI scripts calling bash with attacker-controlled headers (e.g. User-Agent)
get those headers set as env vars โ attacker-controlled env var reaching
bash init is the actual attack surface, not just interactive shell use.
## Fix
Upstream patch enforces that parsing stops at the function definition's
closing brace. CVE-2014-7169 covers a follow-up incomplete-fix bypass.