Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - rated 10 !

Linux_Kidd · 09-30-2014, 10:55 AM

so now -026 is not a full fix either ??
https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-6278

but RH says "well, we think -026 is good enough"
https://access.redhat.com/security/cve/CVE-2014-6278

who exactly do they have coding this stuff? seems be to a break-down in quality coders here.

Linux_Kidd · 09-30-2014, 01:29 PM

a wrapper using perl. some rev's of OS dont have the patches available, so perhaps you wrap it, etc.

Code:

[admin@firefry ~]$ cat bashfilter.pl
#!/bin/env perl

# bashfilter.pl 
#
# This removes all environment variables beginning with "() {", which effectively disables bash's 'export -f' feature.
# As a side effect of disabling function exporting, attempts to exploit CVE-2014-6271 are blocked.
#
# To install, rename bash to bash.unsafe and link or move this script into place in its place.
# Be sure to have an account with an alternate shell available, and test before exiting your current shell.

use strict;
use warnings;
use diagnostics;

use Sys::Syslog;

my $UNSAFE_BASH;

$UNSAFE_BASH=$0 . ".unsafe" unless $UNSAFE_BASH;

foreach my $var (keys %ENV) {
        my $value=$ENV{$var};
        if ($value =~ /^\(\) {/) {
                delete $ENV{$var};
                openlog('bashfilter','ndelay,nofatal,perror','local0');
                syslog('warning',
                  "Blocked potential CVE-2014-6271 exploit attempt: var '%s' with value '%s' removed from environment.", $var, $value);
                closelog();
        }
}

exec { $UNSAFE_BASH } $0, @ARGV or die("Could not exec unsafe bash: $!");

[admin@firefry ~]$ ln -sf ./bashfilter.pl bash
[admin@firefry ~]$ ln -sf $(which bash) bash.unsafe
[admin@firefry ~]$ export BADVAR='() { x; } ; echo Gotcha!'
[admin@firefry ~]$ bash -c true
Gotcha!
[admin@firefry ~]$ ./bash -c true
[admin@firefry ~]$ sudo tail -n 1 /var/log/messages
Sep 26 10:32:31 firefry bashfilter: Blocked potential CVE-2014-6271 exploit attempt: var 'BADVAR' with value '() { x; } ; echo Gotcha!' removed from environment.
[admin@firefry ~]$

Linux_Kidd · 09-30-2014, 02:07 PM

i am not an SME with any of the shells, but what does invoking bash with --posix option get us in way of mitigating the issue at hand, if anything?

suicidaleggroll · 09-30-2014, 02:15 PM

Quote:

Originally Posted by taikedz

I second this - but I still don't understand why parsing to allow function definitions in env variables is suported at all - it just screams of injection!

Ars seems to be on the right track, it'd probably just be safer to turn off the parsing (if such a bash variant already exists please tell me where!) http://arstechnica.com/security/2014...-whack-a-mole/

Let me know if you find anything, I'd jump at the change to swap out bash on my systems with one that does not parse environment variables for functions. Maybe I'll take a peak at the source code and see how difficult it would be to turn it off...I can't imagine it would be that hard.

rwilcher · 10-08-2014, 06:49 AM

. Somebody might find this useful. I did, running old stuff like I do. It's a source patch.
out of style I know. But I like to see WTH is going on. Hope this isn't inappropriate . Asbestos
underwear at the ready.

#from the superuser.com website.
#
#Stole this from AskUbuntu, from someone who stole it off of Hacker News.
#Worked on two old servers for me

mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
#download all patches
for i in $(seq -f "%03g" 1 28); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
#apply all patches
for i in $(seq -f "%03g" 1 28);do patch -p0 < ../bash43-$i; done
#build and install
./configure --prefix=/ && make && make install
cd ..
cd ..
rm -r src

business_kid · 10-15-2014, 12:47 PM

Nice one, rwilcher.

I hesitated to post on a thread with 79 posts already. I built bash with the script, and installed it in two machines. The script on shellshocker.net passes 100% on the patched bash version, but the page also has individual tests, one of which fails.

Exploit 7: CVE-2014-6277

Code:

bash-4.3$ bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
Segmentation fault
vulnerable
bash-4.3$

I'm not supposed to see the word 'vulnerable' :-/.

I'm not in a position to make meaningful comment on this stuff - how valid the tests are, etc.
I will leave that to others.

unSpawn · 10-15-2014, 02:11 PM

Destickified thread.