Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - vulnerability in bash
 

http://arstechnica.com/security/2014...ith-nix-in-it/

I have some older servers running and I have run the
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

So apt-get update and apt-get install bash but its already the newest and it clearly from a # dpkg-query -l|grep bash
ii bash 4.1-3 The GNU Bourne Again SHell

i am running a version that is vulnerable.

What I am looking for is a deb package or a repository that has the bash 4.1-3+deb6u1 version of lts of squeeze bash that is fixed

or how else am I do update this maybe I can just use a newer version and it will not effect anything else things are running good on these servers no need to change alot.

thanks

Hi,

it seems that the fix has only been released for wheezy so far. See: https://www.debian.org/security/2014/dsa-3032
I squeeze fix should be along soon. In the mean time as an extra precaution you can make /bin/sh point to something other than /bin/bash.

Evo2.

According to the RedHat release the vulnerability is very fresh and only patched versions of Bash are safe:
https://securityblog.redhat.com/2014...ection-attack/

I'm not sure if there is a safe Debian version ready yet. It's not in Squeeze nor Jessie, I've updated both earlier today. (but admittedly I may have missed any Bash updates in Jessie as that machine had 600+MB of updates to process)

humm Mine seems to point to dash

in the /bin directory
root root 4 Jan 10 2014 sh -> dash

~$ ls -lha /bin |grep sh
-rwxr-xr-x 1 root root 994K Apr 16 17:23 bash
-rwxr-xr-x 1 root root 115K Jan 10 2014 dash
lrwxrwxrwx 1 root root 4 Apr 16 17:23 rbash -> bash
lrwxrwxrwx 1 root root 4 Jan 10 2014 sh -> dash
lrwxrwxrwx 1 root root 4 Mar 1 2012 sh.distrib -> dash


~$ dpkg-query -l|grep bash
ii bash 4.3-7 amd64 GNU Bourne Again SHell

~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
~$

but shows i am still vulnerable

Hello

you will find the package here : ftp://ftp.fr.debian.org/debian/pool/...eb6u1_i386.deb

bests
Julien

This bug only really matters if a person is running a server, right?

What was the deal with this bug? Something was taking over bash programs?

I read this: http://web.nvd.nist.gov/view/vuln/de...=CVE-2014-6271

I still don't see what the issue is. Was the bug an issue if someone had a server port open, such as SSH?

I did the apt-get update; apt-get upgrade. I also did the test, so I'm fine, I think. I disabled my SSH server when I had to deal with the moon-something mofo that got into the router; one of my old threads here.

With this bug, could someone in a remote location access my user's BASH and open a firefox window with a particular weblink?

It's always been a worry of mine that the terminal could be taken advantage of. I didn't know how, but I often considered that it could happen.

Humm the ftp://ftp.fr.debian.org/debian/pool/...eb6u1_i386.deb is giving me a
Error:
Response: 425 Failed to establish connection.

I did manage to get the file if it becomes important but realized I am 64bit but will try on older servers I have.

Unfortunately I have a feeling the /bin/sh links to korn and some others is not enough and I do not want to be part of the hype of rumors but from what I see I think there will be more detailed fixs soon. this might just be a quick fix the patches being released now.

env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"

The bug can currently be exploited through externally facing SSH, telnet and WEB, as well as anything that listens to the world at large and sends variable info to bash. Current 0-day's include vuln scanning for Cpanel and SSH on the net.

http://seclists.org/oss-sec/2014/q3/650

There is already a worm being found based on the exploit:

https://gist.github.com/anonymous/929d622f3b36b00c0be1

I am able to patch my debian 7 stuff but my squeeze servers I need a 64bit file and everything is telling me its all up-todate does someone have a deb repository for squeeze to patch bash.

Certainly. I outlined the process here:

http://www.linuxquestions.org/questi....php?p=5244135

thank you so much that did the trick for debian 6 and 7. Everyone check out that link. and add in the repos you need for your version and or follow what that link says.

Will be watching for updates

But what do I do about Debian 5? Anyone have repositories with a patched bash I can use?

Debian 5 is seriously obsolete, Bash is perhaps not the least but most certainly not the only issue! IMO, you should update those ASAP.

The patches outlined above did the trick for me too, on Jessie a new Bash package is available as well.

ok for debian 5 Lenny I had to compile I have done 3 servers that I did in 2008 and it seems to work here is what I did you may need to sub in the version of bash you are using or check the server for the right directory or files.

#first find out the version you have so you know what to get for the patches and source files
dpkg-query -l|grep bash
ii bash 4.1-3 The GNU Bourne Again SHell

#i am doing everything in the /usr/src dir
cd /usr/src
wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
tar zxvf bash-4.1.tar.gz
cd bash-4.1

# download and apply all patches, including the latest one that patches CVE-2014-6271
#note if you are on say older version like 3.2 of bash I would use
#for i in $(seq -f "%03g" 1 52); do since 3.2 has patches up to 52
for i in $(seq -f "%03g" 0 12); do
wget -nv http://ftp.gnu.org/gnu/bash/bash-4.1-patches/bash41-$i
patch -p0 < bash41-$i
done

# compile and install to /usr/local/bin/bash
./configure && make
make install

# point /bin/bash to the new binary
mv /bin/bash /bin/bash.old
ln -s /usr/local/bin/bash /bin/bash

# test by comparing the output of the following
env x='() { :;}; echo vulnerable' /bin/bash.old -c echo
env x='() { :;}; echo vulnerable' bash -c echo

#then get rid Delete the old one thats a problem
rm /bin/bash.old

I hope this helps othere folks

The patches that are out fix check this for updates
for the package manager patches
https://security-tracker.debian.org/...e-package/bash

Will probably have to patch again as more comes out. This I can only guess is to keep some of the script kiddies away.

If you run a webserver
I know this is just some guy making a point but he got my server (209.126.*.* notsureprivacy why I did that)
grep bash /var/log/apache2/access.log
209.126.*.* - - [24/Sep/2014:16:58:12 -0400] "GET / HTTP/1.0" 200 307 "() { :; }; ping -c 11 216.75.*.*" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
209.126.*.* - - [24/Sep/2014:18:49:15 -0400] "GET / HTTP/1.0" 200 307 "() { :; }; ping -c 11 209.126.*.*" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"

grep "\(?\s*_*\s*\)?\s*{|cgi" /var/log/apache2/access.log

grep /bin /var/log/apache2/access.log
89.207.135.125 - - [25/Sep/2014:04:14:19 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 411 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
198.20.69.74 - - [25/Sep/2014:17:42:32 -0400] "GET / HTTP/1.1" 200 288 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"
anyone good at filters for fail2ban maybe we can make a filter that helps keep folks at bay

Hello Charly78

I apologies for the link I gave you, it redirects to a french server and I'm not sure that you can access it from your location.
you should be able to download the patches from aptitude or apt-get but if it doesn't, you can download them directly from the debian repository :

using ftp client : ftp://ftp.debian.org
navigate to /debian/pool/main/b/bash/

localize and download the file you need : bash_4.1-3+deb6u2_amd64.deb should suite for you.

bests
Julien