LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Debian
User Name
Password
Debian This forum is for the discussion of Debian Linux.

Notices


Reply
  Search this Thread
Old 09-24-2014, 06:35 PM   #1
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Rep: Reputation: Disabled
Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - vulnerability in bash


http://arstechnica.com/security/2014...ith-nix-in-it/

I have some older servers running and I have run the
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

So apt-get update and apt-get install bash but its already the newest and it clearly from a # dpkg-query -l|grep bash
ii bash 4.1-3 The GNU Bourne Again SHell

i am running a version that is vulnerable.

What I am looking for is a deb package or a repository that has the bash 4.1-3+deb6u1 version of lts of squeeze bash that is fixed

or how else am I do update this maybe I can just use a newer version and it will not effect anything else things are running good on these servers no need to change alot.

thanks
 
Old 09-24-2014, 07:46 PM   #2
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and CentOS
Posts: 6,721

Rep: Reputation: 1704Reputation: 1704Reputation: 1704Reputation: 1704Reputation: 1704Reputation: 1704Reputation: 1704Reputation: 1704Reputation: 1704Reputation: 1704Reputation: 1704
Hi,

it seems that the fix has only been released for wheezy so far. See: https://www.debian.org/security/2014/dsa-3032
I squeeze fix should be along soon. In the mean time as an extra precaution you can make /bin/sh point to something other than /bin/bash.

Evo2.
 
Old 09-24-2014, 07:56 PM   #3
Dutch Master
Senior Member
 
Registered: Dec 2005
Posts: 1,686

Rep: Reputation: 124Reputation: 124
According to the RedHat release the vulnerability is very fresh and only patched versions of Bash are safe:
https://securityblog.redhat.com/2014...ection-attack/

I'm not sure if there is a safe Debian version ready yet. It's not in Squeeze nor Jessie, I've updated both earlier today. (but admittedly I may have missed any Bash updates in Jessie as that machine had 600+MB of updates to process)
 
Old 09-24-2014, 09:37 PM   #4
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Original Poster
Rep: Reputation: Disabled
humm Mine seems to point to dash

in the /bin directory
root root 4 Jan 10 2014 sh -> dash

~$ ls -lha /bin |grep sh
-rwxr-xr-x 1 root root 994K Apr 16 17:23 bash
-rwxr-xr-x 1 root root 115K Jan 10 2014 dash
lrwxrwxrwx 1 root root 4 Apr 16 17:23 rbash -> bash
lrwxrwxrwx 1 root root 4 Jan 10 2014 sh -> dash
lrwxrwxrwx 1 root root 4 Mar 1 2012 sh.distrib -> dash


~$ dpkg-query -l|grep bash
ii bash 4.3-7 amd64 GNU Bourne Again SHell

~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
~$

but shows i am still vulnerable

Last edited by charly78; 09-24-2014 at 09:46 PM.
 
Old 09-25-2014, 04:02 AM   #5
akiuni
Member
 
Registered: Sep 2012
Location: France
Distribution: debian
Posts: 56

Rep: Reputation: Disabled
Hello

you will find the package here : ftp://ftp.fr.debian.org/debian/pool/...eb6u1_i386.deb

bests
Julien
 
Old 09-25-2014, 06:18 AM   #6
Cyberman
Member
 
Registered: Aug 2005
Distribution: Debian Stable
Posts: 218

Rep: Reputation: 17
This bug only really matters if a person is running a server, right?

What was the deal with this bug? Something was taking over bash programs?

I read this: http://web.nvd.nist.gov/view/vuln/de...=CVE-2014-6271

I still don't see what the issue is. Was the bug an issue if someone had a server port open, such as SSH?

I did the apt-get update; apt-get upgrade. I also did the test, so I'm fine, I think. I disabled my SSH server when I had to deal with the moon-something mofo that got into the router; one of my old threads here.

With this bug, could someone in a remote location access my user's BASH and open a firefox window with a particular weblink?

It's always been a worry of mine that the terminal could be taken advantage of. I didn't know how, but I often considered that it could happen.

Last edited by Cyberman; 09-25-2014 at 06:25 AM.
 
Old 09-25-2014, 10:05 AM   #7
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Original Poster
Rep: Reputation: Disabled
Humm the ftp://ftp.fr.debian.org/debian/pool/...eb6u1_i386.deb is giving me a
Error:
Response: 425 Failed to establish connection.

I did manage to get the file if it becomes important but realized I am 64bit but will try on older servers I have.

Unfortunately I have a feeling the /bin/sh links to korn and some others is not enough and I do not want to be part of the hype of rumors but from what I see I think there will be more detailed fixs soon. this might just be a quick fix the patches being released now.

env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
 
Old 09-25-2014, 10:15 AM   #8
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,278

Rep: Reputation: 1693Reputation: 1693Reputation: 1693Reputation: 1693Reputation: 1693Reputation: 1693Reputation: 1693Reputation: 1693Reputation: 1693Reputation: 1693Reputation: 1693
Quote:
Originally Posted by Cyberman View Post
This bug only really matters if a person is running a server, right?

What was the deal with this bug? Something was taking over bash programs?

I read this: http://web.nvd.nist.gov/view/vuln/de...=CVE-2014-6271

I still don't see what the issue is. Was the bug an issue if someone had a server port open, such as SSH?

I did the apt-get update; apt-get upgrade. I also did the test, so I'm fine, I think. I disabled my SSH server when I had to deal with the moon-something mofo that got into the router; one of my old threads here.

With this bug, could someone in a remote location access my user's BASH and open a firefox window with a particular weblink?

It's always been a worry of mine that the terminal could be taken advantage of. I didn't know how, but I often considered that it could happen.
The bug can currently be exploited through externally facing SSH, telnet and WEB, as well as anything that listens to the world at large and sends variable info to bash. Current 0-day's include vuln scanning for Cpanel and SSH on the net.

http://seclists.org/oss-sec/2014/q3/650

There is already a worm being found based on the exploit:

https://gist.github.com/anonymous/929d622f3b36b00c0be1

Last edited by szboardstretcher; 09-25-2014 at 10:16 AM.
 
Old 09-25-2014, 11:20 AM   #9
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Original Poster
Rep: Reputation: Disabled
I am able to patch my debian 7 stuff but my squeeze servers I need a 64bit file and everything is telling me its all up-todate does someone have a deb repository for squeeze to patch bash.
 
Old 09-25-2014, 11:26 AM   #10
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,278

Rep: Reputation: 1693Reputation: 1693Reputation: 1693Reputation: 1693Reputation: 1693Reputation: 1693Reputation: 1693Reputation: 1693Reputation: 1693Reputation: 1693Reputation: 1693
Certainly. I outlined the process here:

http://www.linuxquestions.org/questi....php?p=5244135
 
1 members found this post helpful.
Old 09-25-2014, 11:37 AM   #11
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Original Poster
Rep: Reputation: Disabled
thank you so much that did the trick for debian 6 and 7. Everyone check out that link. and add in the repos you need for your version and or follow what that link says.

Will be watching for updates

But what do I do about Debian 5? Anyone have repositories with a patched bash I can use?

Last edited by charly78; 09-25-2014 at 11:42 AM.
 
Old 09-25-2014, 02:07 PM   #12
Dutch Master
Senior Member
 
Registered: Dec 2005
Posts: 1,686

Rep: Reputation: 124Reputation: 124
Debian 5 is seriously obsolete, Bash is perhaps not the least but most certainly not the only issue! IMO, you should update those ASAP.

The patches outlined above did the trick for me too, on Jessie a new Bash package is available as well.
 
Old 09-25-2014, 02:10 PM   #13
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Original Poster
Rep: Reputation: Disabled
ok for debian 5 Lenny I had to compile I have done 3 servers that I did in 2008 and it seems to work here is what I did you may need to sub in the version of bash you are using or check the server for the right directory or files.

#first find out the version you have so you know what to get for the patches and source files
dpkg-query -l|grep bash
ii bash 4.1-3 The GNU Bourne Again SHell

#i am doing everything in the /usr/src dir
cd /usr/src
wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
tar zxvf bash-4.1.tar.gz
cd bash-4.1

# download and apply all patches, including the latest one that patches CVE-2014-6271
#note if you are on say older version like 3.2 of bash I would use
#for i in $(seq -f "%03g" 1 52); do since 3.2 has patches up to 52
for i in $(seq -f "%03g" 0 12); do
wget -nv http://ftp.gnu.org/gnu/bash/bash-4.1-patches/bash41-$i
patch -p0 < bash41-$i
done

# compile and install to /usr/local/bin/bash
./configure && make
make install

# point /bin/bash to the new binary
mv /bin/bash /bin/bash.old
ln -s /usr/local/bin/bash /bin/bash

# test by comparing the output of the following
env x='() { :;}; echo vulnerable' /bin/bash.old -c echo
env x='() { :;}; echo vulnerable' bash -c echo

#then get rid Delete the old one thats a problem
rm /bin/bash.old

I hope this helps othere folks
 
Old 09-25-2014, 07:39 PM   #14
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Original Poster
Rep: Reputation: Disabled
The patches that are out fix check this for updates
for the package manager patches
https://security-tracker.debian.org/...e-package/bash

Will probably have to patch again as more comes out. This I can only guess is to keep some of the script kiddies away.

If you run a webserver
I know this is just some guy making a point but he got my server (209.126.*.* notsureprivacy why I did that)
grep bash /var/log/apache2/access.log
209.126.*.* - - [24/Sep/2014:16:58:12 -0400] "GET / HTTP/1.0" 200 307 "() { :; }; ping -c 11 216.75.*.*" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
209.126.*.* - - [24/Sep/2014:18:49:15 -0400] "GET / HTTP/1.0" 200 307 "() { :; }; ping -c 11 209.126.*.*" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"

grep "\(?\s*_*\s*\)?\s*{|cgi" /var/log/apache2/access.log

grep /bin /var/log/apache2/access.log
89.207.135.125 - - [25/Sep/2014:04:14:19 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 411 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
198.20.69.74 - - [25/Sep/2014:17:42:32 -0400] "GET / HTTP/1.1" 200 288 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"
anyone good at filters for fail2ban maybe we can make a filter that helps keep folks at bay

Last edited by charly78; 09-26-2014 at 11:19 AM.
 
Old 09-26-2014, 02:42 AM   #15
akiuni
Member
 
Registered: Sep 2012
Location: France
Distribution: debian
Posts: 56

Rep: Reputation: Disabled
Hello Charly78

I apologies for the link I gave you, it redirects to a french server and I'm not sure that you can access it from your location.
you should be able to download the patches from aptitude or apt-get but if it doesn't, you can download them directly from the debian repository :

using ftp client : ftp://ftp.debian.org
navigate to /debian/pool/main/b/bash/

localize and download the file you need : bash_4.1-3+deb6u2_amd64.deb should suite for you.

bests
Julien
 
  


Reply

Tags
patch, security, shell shock, shellshock


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Apache2 Fail2ban Filter charly78 Linux - Security 12 10-25-2014 11:36 AM
Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - rated 10 ! syg00 Linux - Security 81 10-15-2014 02:11 PM
LXer: Shellshock update: bash packages that resolve CVE-2014-6271 and CVE-2014-7169 available LXer Syndicated Linux News 1 09-26-2014 01:43 PM
Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - legacy system patch help Diggy Linux - Security 3 09-26-2014 01:06 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Debian

All times are GMT -5. The time now is 06:56 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration