Slackware: This forum is for the discussion of Slackware Linux.
For those of you like me who really don't like the idea of bash parsing environment variables to define functions, I've written a small wrapper that you may like to try. I originally wrote it to work around a problem invoking bash as sh via 'su' but it wasn't that hard to add a bit of code that will remove anything that looks like a function definition from the environment as well.
Disclaimer: I'm not much of a programmer, so provided as-is, use at your own risk and all that. And for God's sake test it thoroughly before you go replacing /bin/sh with it.
This should protect anything that calls /bin/sh such as programs that call popen() or system(), but won't do anything for things that invoke /bin/bash directly.
UPDATE2: Seems I broke the original function of my wrapper when adding the shell-shock protections, so I've removed it from this post as it doesn't give you anything over the one on post #3. The one on post #3 does work however, so if you want to use a wrapper to protect yourself then that's the one to use. Sorry for the confusion.
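The removal variant post #1 describes (drop any environment entry that looks like an exported function definition before exec'ing the real shell), as an added example that is not code from this thread or from any of its posters. The function names, the prefix test on "() {" (the marker the vulnerable bash versions parsed as a function body) and the constructed sample environment are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not from the thread. Hypothetical helper names. */

/* Return 1 if a "NAME=value" entry looks like an exported bash function:
   the value (after optional blanks) starts with "()" followed by "{".
   This is slightly broader than bash's own exact "() {" prefix match. */
int looks_like_function_def(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;                       /* malformed entry, not a function */
    const char *val = eq + 1;
    while (isspace((unsigned char)*val))
        val++;
    if (strncmp(val, "()", 2) != 0)
        return 0;
    val += 2;
    while (isspace((unsigned char)*val))
        val++;
    return *val == '{';
}

/* Compact envp in place, dropping suspicious entries. The array stays
   NULL-terminated; strings themselves are not modified.
   Returns the number of entries removed. */
size_t scrub_env(char **envp)
{
    size_t in = 0, out = 0;
    for (; envp[in] != NULL; in++) {
        if (!looks_like_function_def(envp[in]))
            envp[out++] = envp[in];
    }
    envp[out] = NULL;
    return in - out;
}

int main(int argc, char *argv[], char *envp[])
{
    (void)argc; (void)argv;
    size_t removed = scrub_env(envp);
    fprintf(stderr, "scrubbed %zu suspicious environment entries\n", removed);
    /* A real wrapper would now execve() the renamed bash with the
       cleaned envp, as the wrappers in this thread do. */
    return 0;
}
```

Unlike the cleaning approach in post #4, this keeps every other variable byte-for-byte intact, so locale and non-ASCII values survive.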
It's a cool idea. However, as you said /bin/bash can still be called directly, which is a risk that is not fixed by this. I think the better option is to just disable the feature in bash directly.
/bin/bash can be wrapped in a similar manner. The problem with trying to patch bash itself at present is that it's a moving target with all the frantic activity going on at present. Seemed much easier to just wrap it while things settle down (especially as I was already using the wrapper to fix the su issue).
I've attached a simplified version of the bash-wrapper that can be used for /bin/bash itself, without all the stuff to do with fixing 'su'.
We independently developed a bash wrapper that is very similar. The main difference is rather than remove the environment variables, we 'clean' them. Cleaning is done by replacing any occurrence of '()' with blanks, replacing characters beyond ASCII 127 with blanks, and setting the LANG and LC_ALL variables to C if they exist.
I've pasted all 81 lines of it below:
Code:
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>

#define ORIGINAL_BASH "/bin/bash-broken"

/* cbash: Bash wrapper to defeat ShellShock exploit
   Before calling bash, filter all strings '()' from environment variables.
   Exploits use these to cloak arbitrary commands to the bash evaluator
*/
int main(int argc, char *argv[], char *envp[])
{
    char *pos, **e;

    (void)argc;

    /* If --version option sent, print cbash version and then continue */
    e = argv;
    while (*e) {
        if (strcmp(*e, "--version") == 0) {
            /* Print version info */
            printf("-----------------------------------------\n");
            printf("cbash, version 1.1\n");
            printf("Bash wrapper to defeat ShellShock exploit\n");
            printf("Original bash executable: '%s'\n", ORIGINAL_BASH);
            printf("-----------------------------------------\n");
            break;
        }
        e++;
    }

    /* Verify that original bash exists and is executable */
    if (access(ORIGINAL_BASH, F_OK) == -1) {
        printf("ERROR: Original bash file '%s' does not exist\n", ORIGINAL_BASH);
        exit(1);
    }
    if (access(ORIGINAL_BASH, X_OK) == -1) {
        printf("ERROR: Original bash file '%s' is not executable\n", ORIGINAL_BASH);
        exit(1);
    }

    /* Clean the environment stored in *envp[] (the strings are writable
       process memory, so they can be edited in place) */
    e = envp;
    while (*e) {
        /* Overwrite every "()" in the variable with blanks to defeat the
           shellshock hack; looping on strstr() catches later occurrences,
           not just the first one */
        while ((pos = strstr(*e, "()")) != NULL) {
            pos[0] = ' ';
            pos[1] = ' ';
        }

        /* Replace non-ASCII characters with blanks */
        /* NOTE: the (unsigned char) cast is required because plain char
           may be signed, in which case bytes above 127 compare as negative */
        for (pos = *e; *pos; pos++) {
            if ((unsigned char) *pos > 127)
                *pos = ' ';
        }

        /* Replace non-empty values of LANG and LC_ALL with "C" */
        if (strncmp(*e, "LANG=", 5) == 0) {
            if (strlen(*e) > 5) {
                (*e)[5] = 'C';
                (*e)[6] = 0;
            }
        } else if (strncmp(*e, "LC_ALL=", 7) == 0) {
            if (strlen(*e) > 7) {
                (*e)[7] = 'C';
                (*e)[8] = 0;
            }
        }
        e++;
    }

    /* Exec old bash with a cleaned environment; execve() only returns on failure */
    execve(ORIGINAL_BASH, argv, envp);
    perror("execve");
    return 1;
}
Last edited by unSpawn; 10-06-2014 at 05:31 PM.
Reason: //Add vBB code tags.