BASH vulnerability

Post your comments, questions, bug reports or suggest new features for alphaOS
Scooby
Site Admin
Posts: 826
Joined: 09 Sep 2013, 16:52

BASH vulnerability

Postby Scooby » 25 Sep 2014, 19:52

A vulnerability found in BASH dubbed shellshocked
reported as possibly worse than Heartbleed

Image


compiled a patched version with all 4.3 patches up to 30 with ASLR hardening

Bash 30 now seems to accept exported functions with hyphen "-" in name

DOWNLOAD FIX: bash_4.3.30-1_hardened.sb


put in /modules and reboot, check your system that the right bash version is in use!

Code: Select all

>  bash --version
GNU bash, version 4.3.30(1)-release


read here

http://en.wikipedia.org/wiki/Shellshock ... are_bug%29
http://www.infoq.com/news/2014/09/bash-remote-exploit

probably most severe for servers

esiest way to test vulnerability is to copy paste in terminal

Code: Select all

curl https://shellshocker.net/shellshock_test.sh | bash

Scooby
Site Admin
Posts: 826
Joined: 09 Sep 2013, 16:52

Re: BASH vulnerability

Postby Scooby » 27 Sep 2014, 19:31

Created a bundle out of sysdig.

Ordinary makesb did not work so I had to build bundle from RAM which
means that maybe some thing that doesn't belong got included

Download: sysdig

Put sb in modules/ and reboot

To make sysdig watchout for Bash shell shock attacks open a terminal and type

Code: Select all

sysdig -c shellshock_detect


Image below shows a demo of it on my system



Image

Scooby
Site Admin
Posts: 826
Joined: 09 Sep 2013, 16:52

Re: BASH vulnerability

Postby Scooby » 02 Oct 2014, 17:50

### OLD SH**. read first post ###

to test if system is vulnerable do in terminal
( in code examples ">" is the prompt in a terminal )

1. Attack vector alpha

Code: Select all

> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test


If you get "vulnerable" message above then system is just that

safe system:

Code: Select all

> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test


2. Attack vector beta

Code: Select all

> env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Thu Sep 25 21:13:13 CEST 2014


if you get the date at the bottom you're vulnerable

safe system:

Code: Select all

>  env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory


3. Attack vector gamma

Code: Select all

> bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"


if you don't get the vulnerable message your system is OK

3. Attack vector theta

Code: Select all

> for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"


if you don't get the vulnerable message your system is OK

taken from http://lists.gnu.org/archive/html/bug-b ... 00238.html

------------8<----------------------------------------------------------------------------------------

So, to FULLY test whether you are still vulnerable to ShellShock, we
must come up with a test that proves that NO possible function body
assigned to a valid shell variable name can EVER cause bash to invoke
the parser without your consent. For that, I use this (all on one line,
even if my mailer wrapped it):

Code: Select all

> bash -c "export f=1 g='() {'; f() { echo 2;}; export -f f; bash -c 'echo \$f \$g; f; env | grep ^f='"

which is sufficient to test that both normal variables and functions can
both be exported, AND show you whether there is a collision in the
environment. Ideally, you would see the following result (immune to
shell-shock):

1 () {
2
f=1

--------------------------------------------------------------------------------------->8---------------

efgee
Expert
Posts: 115
Joined: 29 Dec 2013, 20:58

Re: BASH vulnerability

Postby efgee » 02 Oct 2014, 20:20

Thank you for the heads-up and the help provided.

Scooby
Site Admin
Posts: 826
Joined: 09 Sep 2013, 16:52

Re: BASH vulnerability

Postby Scooby » 07 Oct 2014, 17:17

Hopefully this last patch numbering 30 was the latest for a while.
and that bash now are a bit safer????


Return to “General Discussion”

Who is online

Users browsing this forum: No registered users and 3 guests

cron