Is your Linux box protected from “ShellShock”?

A major security vulnerability has been discovered in GNU Bash (the Bourne Again Shell) for the Linux operating system. System administrators running Red Hat Enterprise, Fedora, CentOS, Ubuntu, and Debian distributions will want to update to the latest release of the Bash package. The vulnerability affects Bash versions 1.14 – 4.3, and Bash is even included in the 10.9.4 releases of the Apple OS X operating system, also known as Mavericks. Running another distribution of Linux, such as Mint or Zorin, does not exclude you from being affected by this vulnerability. Forks of Red Hat and Debian based distributions will very likely be running Bash and need to be patched.

 

Is my system affected?

From a bash prompt type the following command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

On a system that is not protected you will receive a response of:

vulnerable
this is a test

If your system is patched and/or not vulnerable to the ShellShock bug you will see:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for 'x'
 this is a test

 To update your OS run one of the following commands depending on your distribution:

Red Hat, Fedora, and CentOS

yum update

Debian, Ubuntu, and Mint

apt-get update
apt-get upgrade

Apple OS X 10.9.5 (Requires Xcode to be installed)

mkdir bash-fix
cd bash-fix
curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
cd bash-92/bash-3.2
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0 
# Note: The bash32-053 patch does not apply cleanly on OSX because
# of a missing y.tab.c file. This can be ignored or the alblue
# one used instead. Upstream commits the y.tab.c file so doesn't
# have that problem.
# Not-yet-released-patch - replace alblue.bandlem.com line with:
# curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0 
curl http://alblue.bandlem.com/bash32-053.patch | patch -p0
cd ..
xcodebuild
sudo cp /bin/bash /bin/bash.old
sudo cp /bin/sh /bin/sh.old
build/Release/bash --version # GNU bash, version 3.2.53(1)-release
build/Release/sh --version # GNU bash, version 3.2.53(1)-release
sudo cp build/Release/bash /bin
sudo cp build/Release/sh /bin

For more information on patching your OS X version of Bash please visit: http://apple.stackexchange.com

 

Why should I worry?

This vulnerability would allow a malicious user to remotely run a command on your system if they have access to a Bash shell or a website account that has the ability to execute CGI scripts. This would allow them to add or delete files, download personal documents or pictures, or even format your hard drive. If you are running a non-Unix/Linux based operating system you will not be affected by this particular vulnerability. You should, however, stay current on updates for your operating system regardless of which one you are running. Similar security flaws are uncovered on a regular basis for all operating systems, regardless of platform. Even your phone runs an operating system that can be open to attack from various bugs in code.
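
A defensive companion to the CGI risk described above, as an added example that is not part of the original post: a shell function that scans a web server access log for logged header values beginning with the "() {" function-definition prefix used in the test command. The "combined" log format, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the Apache/nginx
# "combined" access-log format; the sample lines below are constructed.

sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 41 "-" "() { :;}; echo vulnerable"
192.0.2.10 - - [25/Sep/2014:10:02:30 +0000] "GET /cgi-bin/status HTTP/1.1" 200 41 "-" "curl/7.38.0"
198.51.100.7 - - [25/Sep/2014:10:03:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 41 "() { :;}; echo vulnerable" "-"
203.0.113.5 - - [25/Sep/2014:10:04:00 +0000] "GET /blog HTTP/1.1" 200 900 "-" "NoteBot/1.0 (docs mention () { syntax)"
EOF
}

# scan_log [FILE...]: print "client<TAB>header<TAB>value" for every logged
# header value that begins with "() {". Reads stdin when no file is given.
scan_log() {
  awk -F'"' '
    function check(name, val,    v, pre) {
      v = val
      sub(/^[ \t]+/, "", v)              # tolerate leading blanks
      if (index(v, "() {") == 1) {       # must be a prefix, not a substring
        split($1, pre, " ")              # $1 = text before the request line
        printf "%s\t%s\t%s\n", pre[1], name, val
      }
    }
    # Splitting on double quotes: $4 is the Referer, $6 the User-Agent.
    { check("referer", $4); check("user-agent", $6) }
  ' "$@"
}

# count_hits [FILE...]: number of suspicious header values found.
count_hits() { scan_log "$@" | wc -l | tr -d ' '; }

# Run against the constructed sample when executed directly.
sample_log | scan_log
```

Only the Referer and User-Agent headers are recorded in this log format, so a clean result does not show that no other request header carried the string.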

 

Demonstration of Remotely Executing Commands via CGI

About Brian Aldridge

I am a software developer and podcaster. Catch me weekly on Infection - The Survival Podcast at https://infectionpodcast.com
