[Nottingham] Shellshock

Martin martin at ml1.co.uk
Sun Sep 28 19:25:10 UTC 2014 

On 28/09/14 18:13, Bob Marshall wrote:
> Hello. I ran the following in a terminal window: /ls -l /bin/sh/ and the
> reported shell was *DASH*, rather than *BASH*. I understand *DASH* has
> been used in DebIan/Ubuntu for quite a long time, and I can find no
> mention of vulnerability to Shellshock anywhere on the forums.
>  
> Does anyone know if this is right or not?

Briefly, dash is different and more recent code than bash. AFAIK dash is
not affected.

Just to test that:


On an UNPATCHED system:


$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo
vulnerable' bash -c "echo test"
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test

$ dash
#
# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo
vulnerable' bash -c "echo test"
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test

# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo
vulnerable' dash -c "echo test"
test

# exit
$
$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo
vulnerable' dash -c "echo test"
test
$


So... That little sequence shows that for an unpatched bash you are
indeed vulnerable to that little exploit.

You are also still vulnerable if you call bash from dash.

If you stay in dash you are not vulnerable to that exploit.


And on a PATCHED system:

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo
vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash: error importing function definition for `BASH_FUNC_x()'
test

$

So ok there.




So... Either, patch up your bash or delete it.

"dash" indeed looks to be not vulnerable but regardless, "bash" could
still be called up if installed on your system...


Hope that clears things up :-)

Cheers,
Martin




> *Sent:* Sunday, September 28, 2014 at 2:25 PM
> *From:* "Going It Alone"
> *To:* "Notts GNU/Linux Users Group"
> *Subject:* Re: [Nottingham] Shellshock
> Thanks.
>  
> Here's a simple test to see if you are vulnerable.
>  
> 
> env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
> 
> Source:
> http://www.linuxquestions.org/questions/mageia-97/bash-shellshock-cve-2014-6271-cve-2014-7169-protecting-yourself-from-shellshock-4175520323/




-- 
- ------------------ - ----------------------------------------
-    Martin Lomas    - OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7
- martin @ ml1 co uk - Import from   hkp://subkeys.pgp.net   or
- ------------------ - http:// ml1 .co .uk/martin_ml1_co_uk.gpg

More information about the Nottingham mailing list