In this section, we will see how to set up our system to understand the internal details of Shellshock vulnerability:

1. The first step to perform will be to check the version of Bash on the Linux system so that we can find out if our system is vulnerable to Shellshock. To check our version of Bash, run the following command:

Bash versions through 4.3 have been reported to be vulnerable to Shellshock. For our example, we are using Ubuntu 12.04 LTS, desktop version. From the output in the preceding screenshot, we can understand that this system is vulnerable.

2. Now, let's check if the vulnerability actually exists or not. To do so, we run the following code:

Once we run the preceding command, if the output has shellshock printed, it confirms the vulnerability.

3. Now, let's understand the insights of the vulnerability. For this, first, we need to understand the basics of Bash shell variables.

4. If we want to create a variable named testvar in bash and store a value of 'shellshock' in it, we must run the following command:

 testvar="shellshock'

Now, if we wish to print the value of this variable, we can use the echo command, as follows:

          echo $testvar

5. Now, we will open a child process of bash by running the bash command. Then, one again, we to try to print the value of the variable testvar in the child process:

We can see that we are not able to get any output when we try to print the value in the child process.

6. Now, we will try to do the same thing by using environment variables of bash. When we start a new shell session of bash, a few variables are available for use, and these are called environment variables.
7. To make our testvar variable an environment variable, we will export it. Once exported, we can use it in the child shell also, as follows:

8. As we have defined variables and then exported them, in the same way, we can define a function and export it as well, in order to make it available in a child shell. The following steps show how to define a function and export it:

We can see in the preceding example that the function x has been defined and it has been exported using the -f flag.

9. Now, let's define a new variable, name it testfunc, and assign its value, as follows:

    testfunc='() { echo 'shellshock';}'

The previously defined variable can be accessed in the same way as a regular variable is:

    echo $testfunc

10. Next, we will export this variable to make to an environment variable and then try to access it from the child shell, as shown in the following screenshot:

We can see something unexpected in the preceding result. In the parent shell, the variable is accessed as a normal variable. However, in the child shell, it gets interpreted as a function and executes the body of the function.

11. Next, we will terminate the definition of the function and then pass any arbitrary command, as follows:

In the preceding example, we can see that as soon as we start a new bash shell, the code that was defined outside the function is executed during the startup of bash.

This is the vulnerability in bash shell.