I am learning about the ShellShock vulnerability and I wanted to test older versions of Bash.
I downloaded Bash 4.2 from the GNU website. After extracting the content, I compiled it based on the GNU guide like this:
bash ./configure
make
After it finished, I ran the following exploit to see if Bash is vulnerable:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
But it didn't print "vulnerable", which means that it isn't vulnerable, and I don't understand why:
root@ubuntu:~/Desktop/bash-4.2# ./bash
root@ubuntu:~/Desktop/bash-4.2# echo $BASH_VERSION
4.2.0(1)-release
root@ubuntu:~/Desktop/bash-4.2# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
root@ubuntu:~/Desktop/bash-4.2#
Use ./bash instead of bash; your current attempt ends up executing the default system Bash instance, which should hopefully indeed not be vulnerable.
As a rule, the current directory is not included in the PATH, and should not be, for reasons exactly like this.
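The answer's point, as an added example that is not part of the original post: a shell helper that shows which file a command name resolves to and then runs the question's test string against exactly that file. The function names `resolve_cmd`, `check_bash` and `report` are hypothetical.

```shell
#!/bin/sh
# Added example; resolve_cmd, check_bash and report are hypothetical names.
# Usage from the build directory: sh thisfile bash ./bash

# Print the file the shell would execute for a command typed as given.
# A bare name is looked up in PATH; a name containing "/" is used as-is.
resolve_cmd() {
    command -v "$1"
}

# Run the question's test string against one specific interpreter binary.
# A build that executes code trailing an imported function definition
# prints "vulnerable" before the -c command runs.
check_bash() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null)
    case $out in
        vulnerable*) echo "vulnerable"; return 0 ;;
        *)           echo "not vulnerable"; return 1 ;;
    esac
}

# For each name, show what it resolves to and the verdict for that file.
report() {
    for name in "$@"; do
        path=$(resolve_cmd "$name") || { echo "$name: not found"; continue; }
        echo "$name -> $path: $(check_bash "$path")"
    done
}

if [ "$#" -gt 0 ]; then
    report "$@"
fi
```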