Linux Bash security flaw - September 2014

To test whether a machine is vulnerable, execute at the command prompt:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

On my Digital Ocean-hosted Ubuntu server, the system returned:

vulnerable
this is a test

I updated Bash by executing:

sudo apt-get update && sudo apt-get install --only-upgrade bash

Then after executing env x='() { :;}; echo vulnerable' bash -c "echo this is a test" again, the system returned:

bash: warning: badvar: ignoring function definition attempt 
bash: error importing function definition for `badvar'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

But as of Sep 24, 2014, the update is only a partial fix.

I tested the servers that host my other sites, and those servers did not show the vulnerability. I would not be able to update those servers, since my accounts exist on shared servers.

Web server CGI apps seem to be vulnerable. From a MeFi comment:

... here's something from my web server logs:

"GET / HTTP/1.0" 200 616 "() { :; }; ping -c 11 209.126.230.74"

(this from a full ipv4 netblock scan being run by a security researcher). If my web server had been serving its homepage from a cgi script that invoked bash anywhere at all, at any point during the construction of the homepage, the consequence would have been a series of pings to the researcher's server. If you can run ping, you can run almost anything you like, including downloading a rootkit & going to town on the local server.

Another MeFi comment:

This is a good write-up of the issue and includes examples of the commands used.

The most basic example is something like:

curl -A "() { :; }; /bin/id >/tmp/vulnerable" http://example.com/

This requests the page / on the site example.com sending a user-agent designed to trigger the bug and write the output of the command /bin/id to a file.
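
A log check for the pattern shown in the two comments above, as an added example that is not part of the original post or the quoted comments. It assumes Apache/nginx "combined" log format with no escaped quotes inside fields; the sample lines and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag access-log entries whose quoted fields (request line,
# Referer, User-Agent) begin with the bash function-definition prefix "() {".

# Constructed sample lines in "combined" format; the addresses are
# documentation ranges, not real hosts.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [24/Sep/2014:10:01:02 +0000] "GET / HTTP/1.1" 200 616 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [24/Sep/2014:10:03:44 +0000] "GET / HTTP/1.0" 200 616 "() { :; }; ping -c 11 203.0.113.5" "-"
198.51.100.9 - - [24/Sep/2014:10:05:13 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; /bin/id >/tmp/vulnerable"
192.0.2.44 - - [24/Sep/2014:10:07:30 +0000] "GET /docs/func() HTTP/1.1" 404 210 "-" "curl/7.38.0"
EOF
}

# shellshock_hits: read a combined-format log on stdin and print
# "client_ip<TAB>field_name<TAB>field_value" for each suspicious field.
shellshock_hits() {
  awk -F'"' '
    BEGIN { name[2] = "request"; name[4] = "referer"; name[6] = "user-agent" }
    {
      split($1, pre, " ")   # pre[1] is the client address
      for (i = 2; i <= 6; i += 2)
        # In the examples on this page the payload sits at the very start
        # of the header value, so the match is anchored there. This keeps
        # a harmless "()" elsewhere in a URL from being reported.
        if ($i ~ /^ *\(\) *\{/)
          printf "%s\t%s\t%s\n", pre[1], name[i], $i
    }'
}

# count_hits: number of suspicious fields in the log on stdin.
count_hits() { shellshock_hits | wc -l | tr -d ' '; }

sample_log | shellshock_hits
```

To scan a real log, feed it on stdin, for example `shellshock_hits < access.log`. A hit only shows that a probe was received; whether anything ran depends on a CGI path actually invoking a vulnerable bash.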

https://twitter.com/PaulM/status/514935254478364672

The #shellshock bash bug is not the end of the embedded world. Most embedded devices use busybox, which is not vulnerable.

http://www.busybox.net

https://twitter.com/PaulM/status/514868690266103808

Your Debian-derived distro probably does not suffer an exploitable bash bug. /bin/sh is linked to dash which is safe

https://twitter.com/PaulM/status/514866629071495168

To clarify: Your ubuntu bash has the bug. Your CGI programs are calling /bin/sh which does not have the bug.
