[schrodingersCat]

I just tried this in zsh 5.0.6 (x86_64-apple-darwin13.3.0). It reports vulnerable as well.

edit: Yes, this feature works when formatted correctly for zsh as "function ls () { echo vulnerable }". However, I was wrong in that zsh -c will not run the function (of course running "ls" in the same session will). I'm going to call this not a problem.

edit: When trying this one-liner in zsh: "env x='() { :;}; echo vulnerable' zsh -c 'echo hello'" (as suggested by https://superuser.com/questions/816622/does-the-shellshock-b...), the output indicates my shell is vulnerable. Could someone please try and replicate?

[daveloyall]

Yeah, it's a feature, working as intended.

This is how you define a shell function and then use it in sub-scripts.

As the author noted, using this as an exploit requires control of the variable names, and common tools (httpd, dhclient, etc) that set variables in environment have explicit naming conventions in place to prevent this.

To be clear: I'll change my tune if someone finds a way to exploit this remotely.

[bodyfour]

Yes, if you have full control over the environment you can make all sorts of havoc ($PATH, $LD_PRELOAD, ...) What made shellshock special is that you only needed to control the value of a variable, not its name.

I don't see how this qualifies as much of a vulnerability. Maybe now that bash's imported-function feature is better known we'll see it leveraged as part of a multi-step attack though.

[Arkanosis]

> I just tried this in zsh 5.0.6

Do you mean that you run bash -c in zsh, or that you run zsh -c ?

[schrodingersCat]

Good call. I posted an edit to my original comment. zsh -c won't run the function outside of the current session. The "extra step" needed to add functions to the environment variables seems to make zsh much more secure than bash in the context of this discussion (perhaps?). This SE thread was really helpful to me in clarifying: https://unix.stackexchange.com/questions/33255/how-to-define...

[viraptor]

I really don't think it does. zsh doesn't load functions that way at all. Did you copy the bash command when you were testing by any chance?

[schrodingersCat]

I posted an edit to my original comment. I meant that the equivalent defining of a function (in zsh) does work, but zsh -c won't run the function unless you permanently add the function to your env.