Linux Bash security flaw - September 2014

Sep 24, 2014 threads:

Stories:

To test if machine is vulnerable, execute at the command prompt:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

On my Digital Ocean-hosted Ubuntu server, the system returned:

vulnerable this is a test

I updated Bash by executing:

sudo apt-get update &amp;&amp; sudo apt-get install --only-upgrade bash

Then after executing env x='() { :;}; echo vulnerable' bash -c "echo this is a test" again, the system returned:

bash: warning: badvar: ignoring function definition attempt 
bash: error importing function definition for `badvar'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

But as of Sep 24, 2014, the update is only a partial fix.

I tested the servers that host my other sites, and those servers did not show the vulnerability. I would not be able to update those servers, since my accounts exist on shared servers.

Web server CGI apps seem to be vulnerable. MeFi comment

... here's something from my web server logs:

"GET / HTTP/1.0" 200 616 "() { :; }; ping -c 11 209.126.230.74"

(this from a full ipv4 netblock scan being run by a security researcher). If my web server had been serving its homepage from a cgi script that invoked bash anywhere at all, at any point during the construction of the homepage, the consequence would have been a series of pings to the researcher's server. If you can run ping, you can run almost anything you like, including downloading a rootkit & going to town on the local server.

#linux - #security

From JR's : articles
275 words - 2156 chars - 1 min read
created on Sep 25, 2014 at 09:06:10 am
updated on Sep 25, 2014 at 09:31:17 am - #
source - versions

Related articles
Linux Bash security flaw - September 2014 - Sep 25, 2014