Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
A wrapper using Perl. Some revs of the OS don't have the patches available, so perhaps you wrap it, etc.
Code:
[admin@firefry ~]$ cat bashfilter.pl
#!/usr/bin/env perl
# bashfilter.pl
#
# This removes all environment variables beginning with "() {", which effectively disables bash's 'export -f' feature.
# As a side effect of disabling function exporting, attempts to exploit CVE-2014-6271 are blocked.
#
# To install, rename bash to bash.unsafe and link or move this script into place in its place.
# Be sure to have an account with an alternate shell available, and test before exiting your current shell.
use strict;
use warnings;
use diagnostics;
use Sys::Syslog;

# The real bash lives next to this script under the same name plus ".unsafe",
# e.g. /bin/bash -> /bin/bash.unsafe
my $UNSAFE_BASH = $0 . ".unsafe";

foreach my $var (keys %ENV) {
    my $value = $ENV{$var};
    # A value beginning with "() {" is what an unpatched bash would import as a function.
    if ($value =~ /^\(\) \{/) {
        delete $ENV{$var};
        openlog('bashfilter', 'ndelay,nofatal,perror', 'local0');
        syslog('warning',
            "Blocked potential CVE-2014-6271 exploit attempt: var '%s' with value '%s' removed from environment.",
            $var, $value);
        closelog();
    }
}

# Hand over to the real bash, keeping argv[0] and all arguments intact.
exec { $UNSAFE_BASH } $0, @ARGV or die("Could not exec unsafe bash: $!");
[admin@firefry ~]$ ln -sf ./bashfilter.pl bash
[admin@firefry ~]$ ln -sf $(which bash) bash.unsafe
[admin@firefry ~]$ export BADVAR='() { x; } ; echo Gotcha!'
[admin@firefry ~]$ bash -c true
Gotcha!
[admin@firefry ~]$ ./bash -c true
[admin@firefry ~]$ sudo tail -n 1 /var/log/messages
Sep 26 10:32:31 firefry bashfilter: Blocked potential CVE-2014-6271 exploit attempt: var 'BADVAR' with value '() { x; } ; echo Gotcha!' removed from environment.
[admin@firefry ~]$
Last edited by Linux_Kidd; 09-30-2014 at 01:40 PM.
I second this - but I still don't understand why parsing to allow function definitions in env variables is supported at all - it just screams of injection!
Let me know if you find anything, I'd jump at the chance to swap out bash on my systems with one that does not parse environment variables for functions. Maybe I'll take a peek at the source code and see how difficult it would be to turn it off... I can't imagine it would be that hard.
Somebody might find this useful. I did, running old stuff like I do. It's a source patch.
Out of style, I know. But I like to see WTH is going on. Hope this isn't inappropriate. Asbestos underwear at the ready.
Code:
#from the superuser.com website.
#
#Stole this from AskUbuntu, from someone who stole it off of Hacker News.
#Worked on two old servers for me
#stop at the first failure (a download that 404s or a patch that does not apply)
set -e
mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
#download all patches
for i in $(seq -f "%03g" 1 28); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
#apply all patches
for i in $(seq -f "%03g" 1 28); do patch -p0 < ../bash43-$i; done
#build and install (needs root for make install)
./configure --prefix=/ && make && make install
cd ../..
rm -r src
I hesitated to post on a thread with 79 posts already. I built bash with the script, and installed it on two machines. The script on shellshocker.net passes 100% on the patched bash version, but the page also has individual tests, one of which fails.
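The Perl wrapper earlier in the thread and the rebuilt bash from the last post can both be verified the same way. The script below is an added example, not code from any poster here: it sends the same kind of "() {" probe used in the wrapper post through a given bash path and reports whether the trailing command ran, whether the variable was stripped before bash saw it (what the Perl filter does), or whether bash simply kept it as plain data (what a patched build does). The function names and the CANARY marker are this example's own inventions.

```shell
#!/bin/sh
# Added example: classify a bash binary (or a wrapper standing in for it)
# by sending the classic CVE-2014-6271 probe through its environment.
# Function and variable names are this example's own, not from the thread.
#
# Prints one of:
#   vulnerable  the command after the function body was executed
#   filtered    the variable never reached bash (a wrapper like the Perl
#               bashfilter above deleted it from the environment)
#   patched     the variable arrived but bash kept it as ordinary data
shellshock_status() {
    bash_bin=$1
    if [ ! -x "$bash_bin" ]; then
        echo "shellshock_status: $bash_bin is not executable" >&2
        return 2
    fi
    # CANARY is a constructed marker: only a vulnerable bash prints it,
    # because only a vulnerable bash runs what follows the "() {" body.
    probe='() { :;}; echo CANARY'
    out=$(env PROBE="$probe" "$bash_bin" -c 'printf %s "${PROBE+present}"' 2>/dev/null)
    case $out in
        *CANARY*)  echo vulnerable ;;
        *present*) echo patched ;;
        *)         echo filtered ;;
    esac
}

# Check every bash in the usual locations plus any paths given as arguments.
report_all() {
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash "$@"; do
        [ -x "$b" ] || continue
        printf '%s: %s\n' "$b" "$(shellshock_status "$b")"
    done
}
```

After installing either mitigation, run `report_all` (or `shellshock_status ./bash` against the wrapper symlink) and expect `filtered` for the wrapper and `patched` for a rebuilt bash.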