# Linux Bash security flaw - September 2014

Sep 24, 2014

To test if a machine is vulnerable, execute at the command prompt:

`env x='() { :;}; echo vulnerable' bash -c "echo this is a test"`

On my Digital Ocean-hosted Ubuntu server, the system returned:

```
vulnerable
this is a test
```

I updated Bash by executing:

`sudo apt-get update && sudo apt-get install --only-upgrade bash`

Then after executing `env x='() { :;}; echo vulnerable' bash -c "echo this is a test"` again, the system returned:

```
bash: warning: badvar: ignoring function definition attempt
bash: error importing function definition for `badvar'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
```

But as of Sep 24, 2014, the update is only a partial fix.

I tested the servers that host my other sites, and those servers did not show the vulnerability. I would not be able to update those servers, since my accounts exist on shared servers.

Web server CGI apps seem to be vulnerable.

MeFi [comment](http://www.metafilter.com/143038/Running-a-server-Drop-everything-and-update-it-now#5747836):
... here's something from my web server logs: `"GET / HTTP/1.0" 200 616 "() { :; }; ping -c 11 209.126.230.74"` (this from a full ipv4 netblock scan being run by a security researcher). If my web server had been serving its homepage from a cgi script that invoked bash anywhere at all, at any point during the construction of the homepage, the consequence would have been a series of pings to the researcher's server. If you can run ping, you can run almost anything you like, including downloading a rootkit & going to town on the local server.
Another MeFi [comment](http://www.metafilter.com/143038/Running-a-server-Drop-everything-and-update-it-now#5747838):
[This](https://www.invisiblethreat.ca/2014/09/cve-2014-6271/) is a good write-up of the issue and includes examples of the commands used. The most basic example is something like: `curl -A "() { :; }; /bin/id >/tmp/vulnerable" http://example.com/` This requests the page / on the site example.com sending a user-agent designed to trigger the bug and write the output of the command /bin/id to a file.
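
Added example, not part of the original post or the quoted MeFi comments: a small access-log scanner that flags request fields starting with the `() {` function-definition prefix seen in both probes above. It assumes the Apache/nginx combined log format (request, Referer, User-Agent as the quoted fields); the function names and the sample lines are constructed for illustration.

```python
import re

# Quoted fields in a combined-format access log line, in order (assumed layout).
FIELD_NAMES = ("request", "referer", "user-agent")
QUOTED_FIELD = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Vulnerable bash imported any environment value that began with these four
# characters as a function definition, then ran whatever followed the body.
# CGI copies request headers into the environment (HTTP_USER_AGENT, ...).
FUNC_PREFIX = "() {"


def scan_line(line):
    """Return a finding for the first quoted field that starts with '() {'."""
    for idx, match in enumerate(QUOTED_FIELD.finditer(line)):
        value = match.group(1)
        if not value.startswith(FUNC_PREFIX):
            continue
        # Heuristic for triage: text after the first '}' is the trailing command.
        _, _, tail = value.partition("}")
        return {
            "client": line.split(" ", 1)[0],
            "field": FIELD_NAMES[idx] if idx < len(FIELD_NAMES) else f"field{idx}",
            "trailing": tail.lstrip("; ").strip(),
        }
    return None


def scan_log(lines):
    """Scan an iterable of log lines; return findings in input order."""
    return [f for f in map(scan_line, lines) if f is not None]


# Constructed sample lines (documentation client addresses); the two payloads
# are the ones quoted in the comments above.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Sep/2014:21:04:11 +0000] "GET / HTTP/1.0" 200 616 '
    '"() { :; }; ping -c 11 209.126.230.74" "-"',
    '198.51.100.7 - - [24/Sep/2014:21:09:53 +0000] "GET / HTTP/1.1" 200 616 '
    '"-" "() { :; }; /bin/id >/tmp/vulnerable"',
    '203.0.113.5 - - [24/Sep/2014:21:10:02 +0000] "GET /index.html HTTP/1.1" '
    '200 616 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A hit only shows that a probe was received. Whether the trailing command ran depends on whether the request reached a CGI path that invoked an unpatched bash, so check each flagged host with the `env x=...` test above.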
#linux - #security