LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Debian (https://www.linuxquestions.org/questions/debian-26/)
-   -   Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - vulnerability in bash (https://www.linuxquestions.org/questions/debian-26/bash-shellshock-cve-2014-6271-cve-2014-7169-vulnerability-in-bash-4175519968/)

charly78 09-24-2014 06:35 PM

Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - vulnerability in bash
 
http://arstechnica.com/security/2014...ith-nix-in-it/

I have some older servers running and I have run the
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

So apt-get update and apt-get install bash but its already the newest and it clearly from a # dpkg-query -l|grep bash
ii bash 4.1-3 The GNU Bourne Again SHell

i am running a version that is vulnerable.

What I am looking for is a deb package or a repository that has the bash 4.1-3+deb6u1 version of lts of squeeze bash that is fixed

or how else am I do update this maybe I can just use a newer version and it will not effect anything else things are running good on these servers no need to change alot.

thanks

evo2 09-24-2014 07:46 PM

Hi,

it seems that the fix has only been released for wheezy so far. See: https://www.debian.org/security/2014/dsa-3032
I squeeze fix should be along soon. In the mean time as an extra precaution you can make /bin/sh point to something other than /bin/bash.

Evo2.

Dutch Master 09-24-2014 07:56 PM

According to the RedHat release the vulnerability is very fresh and only patched versions of Bash are safe:
https://securityblog.redhat.com/2014...ection-attack/

I'm not sure if there is a safe Debian version ready yet. It's not in Squeeze nor Jessie, I've updated both earlier today. (but admittedly I may have missed any Bash updates in Jessie as that machine had 600+MB of updates to process)

charly78 09-24-2014 09:37 PM

humm Mine seems to point to dash

in the /bin directory
root root 4 Jan 10 2014 sh -> dash

~$ ls -lha /bin |grep sh
-rwxr-xr-x 1 root root 994K Apr 16 17:23 bash
-rwxr-xr-x 1 root root 115K Jan 10 2014 dash
lrwxrwxrwx 1 root root 4 Apr 16 17:23 rbash -> bash
lrwxrwxrwx 1 root root 4 Jan 10 2014 sh -> dash
lrwxrwxrwx 1 root root 4 Mar 1 2012 sh.distrib -> dash


~$ dpkg-query -l|grep bash
ii bash 4.3-7 amd64 GNU Bourne Again SHell

~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
~$

but shows i am still vulnerable

akiuni 09-25-2014 04:02 AM

Hello

you will find the package here : ftp://ftp.fr.debian.org/debian/pool/...eb6u1_i386.deb

bests
Julien

Cyberman 09-25-2014 06:18 AM

This bug only really matters if a person is running a server, right?

What was the deal with this bug? Something was taking over bash programs?

I read this: http://web.nvd.nist.gov/view/vuln/de...=CVE-2014-6271

I still don't see what the issue is. Was the bug an issue if someone had a server port open, such as SSH?

I did the apt-get update; apt-get upgrade. I also did the test, so I'm fine, I think. I disabled my SSH server when I had to deal with the moon-something mofo that got into the router; one of my old threads here.

With this bug, could someone in a remote location access my user's BASH and open a firefox window with a particular weblink?

It's always been a worry of mine that the terminal could be taken advantage of. I didn't know how, but I often considered that it could happen.

charly78 09-25-2014 10:05 AM

Humm the ftp://ftp.fr.debian.org/debian/pool/...eb6u1_i386.deb is giving me a
Error:
Response: 425 Failed to establish connection.

I did manage to get the file if it becomes important but realized I am 64bit but will try on older servers I have.

Unfortunately I have a feeling the /bin/sh links to korn and some others is not enough and I do not want to be part of the hype of rumors but from what I see I think there will be more detailed fixs soon. this might just be a quick fix the patches being released now.

env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"

szboardstretcher 09-25-2014 10:15 AM

Quote:

Originally Posted by Cyberman (Post 5244038)
This bug only really matters if a person is running a server, right?

What was the deal with this bug? Something was taking over bash programs?

I read this: http://web.nvd.nist.gov/view/vuln/de...=CVE-2014-6271

I still don't see what the issue is. Was the bug an issue if someone had a server port open, such as SSH?

I did the apt-get update; apt-get upgrade. I also did the test, so I'm fine, I think. I disabled my SSH server when I had to deal with the moon-something mofo that got into the router; one of my old threads here.

With this bug, could someone in a remote location access my user's BASH and open a firefox window with a particular weblink?

It's always been a worry of mine that the terminal could be taken advantage of. I didn't know how, but I often considered that it could happen.

The bug can currently be exploited through externally facing SSH, telnet and WEB, as well as anything that listens to the world at large and sends variable info to bash. Current 0-day's include vuln scanning for Cpanel and SSH on the net.

http://seclists.org/oss-sec/2014/q3/650

There is already a worm being found based on the exploit:

https://gist.github.com/anonymous/929d622f3b36b00c0be1

charly78 09-25-2014 11:20 AM

I am able to patch my debian 7 stuff but my squeeze servers I need a 64bit file and everything is telling me its all up-todate does someone have a deb repository for squeeze to patch bash.

szboardstretcher 09-25-2014 11:26 AM

Certainly. I outlined the process here:

http://www.linuxquestions.org/questi....php?p=5244135

charly78 09-25-2014 11:37 AM

thank you so much that did the trick for debian 6 and 7. Everyone check out that link. and add in the repos you need for your version and or follow what that link says.

Will be watching for updates

But what do I do about Debian 5? Anyone have repositories with a patched bash I can use?

Dutch Master 09-25-2014 02:07 PM

Debian 5 is seriously obsolete, Bash is perhaps not the least but most certainly not the only issue! IMO, you should update those ASAP.

The patches outlined above did the trick for me too, on Jessie a new Bash package is available as well.

charly78 09-25-2014 02:10 PM

ok for debian 5 Lenny I had to compile I have done 3 servers that I did in 2008 and it seems to work here is what I did you may need to sub in the version of bash you are using or check the server for the right directory or files.

#first find out the version you have so you know what to get for the patches and source files
dpkg-query -l|grep bash
ii bash 4.1-3 The GNU Bourne Again SHell

#i am doing everything in the /usr/src dir
cd /usr/src
wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
tar zxvf bash-4.1.tar.gz
cd bash-4.1

# download and apply all patches, including the latest one that patches CVE-2014-6271
#note if you are on say older version like 3.2 of bash I would use
#for i in $(seq -f "%03g" 1 52); do since 3.2 has patches up to 52
for i in $(seq -f "%03g" 0 12); do
wget -nv http://ftp.gnu.org/gnu/bash/bash-4.1-patches/bash41-$i
patch -p0 < bash41-$i
done

# compile and install to /usr/local/bin/bash
./configure && make
make install

# point /bin/bash to the new binary
mv /bin/bash /bin/bash.old
ln -s /usr/local/bin/bash /bin/bash

# test by comparing the output of the following
env x='() { :;}; echo vulnerable' /bin/bash.old -c echo
env x='() { :;}; echo vulnerable' bash -c echo

#then get rid Delete the old one thats a problem
rm /bin/bash.old

I hope this helps othere folks

charly78 09-25-2014 07:39 PM

The patches that are out fix check this for updates
for the package manager patches
https://security-tracker.debian.org/...e-package/bash

Will probably have to patch again as more comes out. This I can only guess is to keep some of the script kiddies away.

If you run a webserver
I know this is just some guy making a point but he got my server (209.126.*.* notsureprivacy why I did that)
grep bash /var/log/apache2/access.log
209.126.*.* - - [24/Sep/2014:16:58:12 -0400] "GET / HTTP/1.0" 200 307 "() { :; }; ping -c 11 216.75.*.*" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
209.126.*.* - - [24/Sep/2014:18:49:15 -0400] "GET / HTTP/1.0" 200 307 "() { :; }; ping -c 11 209.126.*.*" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"

grep "\(?\s*_*\s*\)?\s*{|cgi" /var/log/apache2/access.log

grep /bin /var/log/apache2/access.log
89.207.135.125 - - [25/Sep/2014:04:14:19 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 411 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
198.20.69.74 - - [25/Sep/2014:17:42:32 -0400] "GET / HTTP/1.1" 200 288 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"
anyone good at filters for fail2ban maybe we can make a filter that helps keep folks at bay

akiuni 09-26-2014 02:42 AM

Hello Charly78

I apologies for the link I gave you, it redirects to a french server and I'm not sure that you can access it from your location.
you should be able to download the patches from aptitude or apt-get but if it doesn't, you can download them directly from the debian repository :

using ftp client : ftp://ftp.debian.org
navigate to /debian/pool/main/b/bash/

localize and download the file you need : bash_4.1-3+deb6u2_amd64.deb should suite for you.

bests
Julien


All times are GMT -5. The time now is 01:27 AM.