LinuxQuestions.org

Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - vulnerability in bash (https://www.linuxquestions.org/questions/debian-26/bash-shellshock-cve-2014-6271-cve-2014-7169-vulnerability-in-bash-4175519968/)

descendant_command 09-26-2014 03:14 AM

Quote:

Originally Posted by charly78 (Post 5244401)
If you run a webserver
I know this is just some guy making a point but he got my server (209.126.*.* notsureprivacy why I did that)
grep bash /var/log/apache2/access.log
209.126.*.* - - [24/Sep/2014:16:58:12 -0400] "GET / HTTP/1.0" 200 307 "() { :; }; ping -c 11 216.75.*.*" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
209.126.*.* - - [24/Sep/2014:18:49:15 -0400] "GET / HTTP/1.0" 200 307 "() { :; }; ping -c 11 209.126.*.*" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"

grep -E "\(?\s*_*\s*\)?\s*{|cgi" /var/log/apache2/access.log

grep /bin /var/log/apache2/access.log
89.207.135.125 - - [25/Sep/2014:04:14:19 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 411 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
198.20.69.74 - - [25/Sep/2014:17:42:32 -0400] "GET / HTTP/1.1" 200 288 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"
anyone good at filters for fail2ban maybe we can make a filter that helps keep folks at bay

You're giving 200 responses to those scans.
My (updated) servers are returning 403 to them.
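
An added example, not part of any post in this thread: a POSIX shell filter that lists the requests in an Apache combined-format log whose Referer or User-Agent contains the `() {` prefix seen in the log lines quoted above, together with the status each request received. The sample log is constructed (documentation addresses), and the function names `shellshock_hits` and `shellshock_served` are hypothetical.

```shell
#!/bin/sh
# Added example. List requests in an Apache combined-format log whose
# Referer or User-Agent contains the "() {" function-definition prefix.
# Output: one "client_ip status header" line per matching request.
# Splitting on double quotes assumes the request line contains none.
shellshock_hits() {
    awk -F'"' '
        {
            split($1, pre, " "); ip = pre[1]        # client address
            split($3, mid, " "); status = mid[1]    # HTTP status code
            where = ""
            if ($4 ~ /[(][)][ \t]*[{]/) where = "referer"
            if ($6 ~ /[(][)][ \t]*[{]/) {
                if (where == "") where = "user-agent"
                else where = where "+user-agent"
            }
            if (where != "") print ip, status, where
        }' "$1"
}

# Number of matching requests that were answered with a 2xx status.
shellshock_served() {
    shellshock_hits "$1" | awk '$2 ~ /^2/ { n++ } END { print n + 0 }'
}

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [24/Sep/2014:16:58:12 -0400] "GET / HTTP/1.0" 200 307 "() { :; }; ping -c 11 203.0.113.5" "shellshock-scan"
198.51.100.7 - - [25/Sep/2014:04:14:19 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 411 "-" "() { :;}; /bin/ping -c 1 203.0.113.5"
198.51.100.8 - - [25/Sep/2014:17:42:32 -0400] "GET / HTTP/1.1" 403 288 "() { :; }; /bin/ping -c 1 203.0.113.5" "() { :; }; /bin/ping -c 1 203.0.113.5"
192.0.2.44 - - [25/Sep/2014:18:00:01 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF

shellshock_hits "$SAMPLE_LOG"
echo "answered with 2xx: $(shellshock_served "$SAMPLE_LOG")"
```

The status column shows how the server answered each probe; it does not by itself show whether a CGI handler passed the header to bash.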

cccc 09-26-2014 08:50 AM

check & patch for "Shellshock"
 
We're using servers & self-made thin clients with Debian Squeeze.

Where can I download just a patch instead of apt-get upgrade?

Dutch Master 09-26-2014 11:09 AM

You aren't really looking, are you? :rolleyes:

OK, this once as it's important: http://www.linuxquestions.org/questi...sh-4175519968/

unSpawn 09-26-2014 01:41 PM

// Thread merged if necessary, renamed to include CVE numbers and popular name and stickied. Please keep the distribution-specific discussion here, else see https://www.linuxquestions.org/quest...-a-4175519975/. Please let me know if you spot similar topic threads to merge.

cccc 09-26-2014 03:40 PM

Quote:

Originally Posted by akiuni (Post 5244572)
Hello Charly78

I apologize for the link I gave you; it redirects to a French server and I'm not sure that you can access it from your location.
You should be able to download the patches from aptitude or apt-get, but if it doesn't, you can download them directly from the Debian repository:

Using an FTP client: ftp://ftp.debian.org
Navigate to /debian/pool/main/b/bash/

Locate and download the file you need: bash_4.1-3+deb6u2_amd64.deb should suit you.

bests
Julien

I've tried this patch on my Squeeze, but still vulnerable.

charly78 09-26-2014 11:12 PM

I have patched all the versions, and it is like this: you have two ways, the binary package pre-made from your Debian or type of Debian distro, or compile it from source.

I first test it in a console

Code:

env x='() { :;}; echo vulnerable' bash -c "echo testing this"

It should look like this if it's patched

Code:

# env x='() { :;}; echo vulnerable' bash -c "echo testing this"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
testing this

Then I do the usual using super user account (root) or sudo depending on your version or type of Debian.
Code:

apt-get update ; apt-get install bash

If it updates, you are covered for some of the major parts of the CVE-2014 numbers, but will have to wait for the dust to settle before the latest patches, like the 2 most recent patches that have been entered today. You are done, you can call it a day, and you will pass and avoid most of the kiddies on the net testing for openings for some fun.

If it tells you you are already up to date, then you need to find out what you are running

Code:

dpkg-query -l|grep bash
# dpkg-query -l|grep bash
ii  bash                                                      4.3-9.1                            amd64        GNU Bourne Again SHell

As you can see I have 4.3. Next you find a mirror that is not busy (main ones were impossible to get on today, busy) http://www.gnu.org/server/mirror.html
and look for where they have the bash files

I used one from Germany. You will find patches going as far back from today fixing the issues as far back as version 2

So just cd to your source directory (you can use a different dir if you want), then wget the version or the latest if you want (check for dependencies). Easiest is to get the code you already have running; for example, if you have 3.2, go get version 3.2.
Then you untar/gunzip it, change to that directory, and go get the patches right into the directory and patch it!

Code:

cd /usr/src
wget ftp://ftp.hawo.stw.uni-erlangen.de/gnu/bash/bash-4.3.tar.gz
tar zxvf bash-4.3.tar.gz
cd bash-4.3

for the above example if you have a different version get that version

here is example of me changing to the directory and patching it.

Code:

cd /usr/src/bash-4.3
for i in $(seq -f "%03g" 1 26); do
wget -nv ftp://ftp.hawo.stw.uni-erlangen.de/gnu/bash/bash-4.3-patches/bash43-$i
patch -p0 < bash43-$i
done

You will note I have 4.3, and you might change to a different directory with your version.
seq -f "%03g" 1 26
Above, you need to see how many patches are in there. At the time of writing this there are 26 patches and it starts at 1. If you're using 3.2 there are 53 patches, so you would change these numbers in the example above to
seq -f "%03g" 1 53
and of course the two parts where it is
bash43-$i
to
bash32-$i

and press enter

When you are done you should have a mess of patching, maybe even warnings like illegal names.

finally you need to compile and install this with this command.

Code:

./configure && make && make install

Then you are left with a whole bunch of stuff for a bit on your screen. You may need to install some files if it seems to fail. When it's done you can test this again; first move the old to an old file and link the new

Code:

mv /bin/bash /bin/bash.old
ln -s /usr/local/bin/bash /bin/bash

then test the old and the new
Code:

env x='() { :;}; echo vulnerable' /bin/bash.old -c echo
env x='() { :;}; echo vulnerable' bash -c echo

I would rm (remove) the old

Code:

rm /bin/bash.old

Then you are good until the next patch comes out, although you would need in my case to increase the 26 to a 27 or whatever if they added more patches. As of writing this you are up to date on all the known issues (well, if they find more then ...)

I hope that helps; I did this in this order so many times yesterday!

Also, it's not perfect, but there's a fail2ban filter now out that might help a little more if you're watching your apache2 logs like some of us. Just look through some of my posts or go to the fail2ban site; I put it up in there

gmelchio 10-02-2014 08:31 AM

Quote:

Originally Posted by charly78 (Post 5244254)
ok for debian 5 Lenny I had to compile I have done 3 servers that I did in 2008 and it seems to work here is what I did you may need to sub in the version of bash you are using or check the server for the right directory or files.

#first find out the version you have so you know what to get for the patches and source files
dpkg-query -l|grep bash
ii bash 4.1-3 The GNU Bourne Again SHell

#i am doing everything in the /usr/src dir
cd /usr/src
wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
tar zxvf bash-4.1.tar.gz
cd bash-4.1

# download and apply all patches, including the latest one that patches CVE-2014-6271
#note if you are on say older version like 3.2 of bash I would use
#for i in $(seq -f "%03g" 1 52); do since 3.2 has patches up to 52
for i in $(seq -f "%03g" 0 12); do
wget -nv http://ftp.gnu.org/gnu/bash/bash-4.1-patches/bash41-$i
patch -p0 < bash41-$i
done

# compile and install to /usr/local/bin/bash
./configure && make
make install

# point /bin/bash to the new binary
mv /bin/bash /bin/bash.old
ln -s /usr/local/bin/bash /bin/bash

# test by comparing the output of the following
env x='() { :;}; echo vulnerable' /bin/bash.old -c echo
env x='() { :;}; echo vulnerable' bash -c echo

#then get rid Delete the old one thats a problem
rm /bin/bash.old

I hope this helps other folks

Based on my experience
ln -s /usr/local/bin/bash /bin/bash doesn't work. After a reboot I got "bash no such file" and it was impossible to log on to the server in single-user too.
Perhaps better cp /usr/local/bin/bash /bin/bash
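
An added example, not part of any post in this thread: the env test used above, wrapped so it can be run against one specific binary, plus a replacement step that installs a real copy (as the last reply suggests) only when the candidate passes. The function names `check_bash` and `replace_bash` are hypothetical, and the target path is a parameter so the procedure can be rehearsed on a scratch copy before touching /bin/bash.

```shell
#!/bin/sh
# Added example. Run the thread's CVE-2014-6271 test against one binary.
# Returns 0 if patched, 1 if vulnerable, 2 if the test could not run.
check_bash() {
    shell=$1
    [ -x "$shell" ] || { echo "$shell: not executable"; return 2; }
    # An unpatched bash runs the trailing command while importing x.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo testing this' 2>/dev/null) || :
    case $out in
        *vulnerable*)     echo "$shell: vulnerable"; return 1 ;;
        *"testing this"*) echo "$shell: patched"; return 0 ;;
        *)                echo "$shell: test did not run"; return 2 ;;
    esac
}

# Replace TARGET with a copy of NEW, but only if NEW passes check_bash.
# The copy is written beside TARGET and renamed into place, so TARGET is
# always a complete regular file and never a link into another tree.
# The previous TARGET is kept as TARGET.old.
replace_bash() {
    new=$1
    target=$2
    check_bash "$new" >/dev/null || return 1
    [ ! -e "$target" ] || cp -p "$target" "$target.old" || return 1
    cp "$new" "$target.new" && chmod 755 "$target.new" || return 1
    # Re-test the copy itself before it becomes the live shell.
    check_bash "$target.new" >/dev/null || { rm -f "$target.new"; return 1; }
    mv -f "$target.new" "$target"
}

# Report on the shell given as the first argument (default /bin/bash).
check_bash "${1:-/bin/bash}" || :
```

Renaming a finished copy into place also avoids writing into a binary that running processes are still executing.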

