[Nottingham] Shellshock
Martin
martin at ml1.co.uk
Tue Sep 30 13:59:40 UTC 2014
... And we have bash around three as ably described by The Register:
Third patch brings more admin Shellshock for the battered and Bashed
'Okay we got it THIS time'
http://www.theregister.co.uk/2014/09/30/third_patch_brings_more_admin_shellshock_for_the_battered_and_bashed/
This latest test variation is already cleaned up on Gentoo:
foo='() { echo not patched; }' bash -c foo
I'm seeing a lot of extra activity against various websites... :-|
Hope this all proves to be a positive wake-up call!
Cheers,
Martin
On 28/09/14 20:24, Martin wrote:
> On 28/09/14 18:13, Bob Marshall wrote:
>> Hello. I ran the following in a terminal window: /ls -l /bin/sh/ and the
>> reported shell was *DASH*, rather than *BASH*. I understand *DASH* has
>> been used in DebIan/Ubuntu for quite a long time, and I can find no
>> mention of vulnerability to Shellshock anywhere on the forums.
>>
>> Does anyone know if this is right or not?
>
> Briefly, dash is different and more recent code than bash. AFAIK dash is
> not affected.
>
> Just to test that:
>
>
> On an UNPATCHED system:
>
>
> $ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo
> vulnerable' bash -c "echo test"
> vulnerable
> bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
> bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
> bash: error importing function definition for `BASH_FUNC_x'
> test
>
> $ dash
> #
> # env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo
> vulnerable' bash -c "echo test"
> vulnerable
> bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
> bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
> bash: error importing function definition for `BASH_FUNC_x'
> test
>
> # env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo
> vulnerable' dash -c "echo test"
> test
>
> # exit
> $
> $ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo
> vulnerable' dash -c "echo test"
> test
> $
>
>
> So... That little sequence shows that for an unpatched bash you are
> indeed vulnerable to that little exploit.
>
> You are also still vulnerable if you call bash from dash.
>
> If you stay in dash you are not vulnerable to that exploit.
>
>
> And on a PATCHED system:
>
> $ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo
> vulnerable' bash -c "echo test"
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
> bash: error importing function definition for `BASH_FUNC_x()'
> test
>
> $
>
> So ok there.
>
>
>
>
> So... Either, patch up your bash or delete it.
>
> "dash" indeed looks to be not vulnerable but regardless, "bash" could
> still be called up if installed on your system...
>
>
> Hope that clears things up :-)
>
> Cheers,
> Martin
>
>
>
>
>> *Sent:* Sunday, September 28, 2014 at 2:25 PM
>> *From:* "Going It Alone"
>> *To:* "Notts GNU/Linux Users Group"
>> *Subject:* Re: [Nottingham] Shellshock
>> Thanks.
>>
>> Here's a simple test to see if you are vulnerable.
>>
>>
>> env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
>>
>> Source:
>> http://www.linuxquestions.org/questions/mageia-97/bash-shellshock-cve-2014-6271-cve-2014-7169-protecting-yourself-from-shellshock-4175520323/
--
- ------------------ - ----------------------------------------
- Martin Lomas - OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7
- martin @ ml1 co uk - Import from hkp://subkeys.pgp.net or
- ------------------ - http:// ml1 .co .uk/martin_ml1_co_uk.gpg
More information about the Nottingham
mailing list