LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Debian
User Name
Password
Debian This forum is for the discussion of Debian Linux.

Notices


Reply
  Search this Thread
Old 09-26-2014, 04:14 AM   #16
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,510

Rep: Reputation: 394Reputation: 394Reputation: 394Reputation: 394

Quote:
Originally Posted by charly78 View Post
If you run a webserver
I know this is just some guy making a point but he got my server (209.126.*.* notsureprivacy why I did that)
grep bash /var/log/apache2/access.log
209.126.*.* - - [24/Sep/2014:16:58:12 -0400] "GET / HTTP/1.0" 200 307 "() { :; }; ping -c 11 216.75.*.*" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
209.126.*.* - - [24/Sep/2014:18:49:15 -0400] "GET / HTTP/1.0" 200 307 "() { :; }; ping -c 11 209.126.*.*" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"

grep "\(?\s*_*\s*\)?\s*{|cgi" /var/log/apache2/access.log

grep /bin /var/log/apache2/access.log
89.207.135.125 - - [25/Sep/2014:04:14:19 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 411 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
198.20.69.74 - - [25/Sep/2014:17:42:32 -0400] "GET / HTTP/1.1" 200 288 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"
anyone good at filters for fail2ban maybe we can make a filter that helps keep folks at bay
You're giving 200 responses to those scans.
My (updated) servers are returning 403 to them.
 
Old 09-26-2014, 09:50 AM   #17
cccc
Senior Member
 
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,623

Rep: Reputation: 50
check & patch for "Shellshock"

We're using servers & self-made thin clients with Debian Squeeze.

Where can I download just a patch instead of apt-get upgrade?

Last edited by cccc; 09-26-2014 at 04:41 PM.
 
Old 09-26-2014, 12:09 PM   #18
Dutch Master
Senior Member
 
Registered: Dec 2005
Posts: 1,686

Rep: Reputation: 124Reputation: 124
You aren't really looking, aren't you?

OK, this once as it's important: http://www.linuxquestions.org/questi...sh-4175519968/
 
Old 09-26-2014, 02:41 PM   #19
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
// Thread merged if necessary, renamed to include CVE numbers and popular name and stickied. Please keep the distribution-specific discussion here, else see https://www.linuxquestions.org/quest...-a-4175519975/. Please let me know if you spot similar topic threads to merge.
 
Old 09-26-2014, 04:40 PM   #20
cccc
Senior Member
 
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,623

Rep: Reputation: 50
Quote:
Originally Posted by akiuni View Post
Hello Charly78

I apologies for the link I gave you, it redirects to a french server and I'm not sure that you can access it from your location.
you should be able to download the patches from aptitude or apt-get but if it doesn't, you can download them directly from the debian repository :

using ftp client : ftp://ftp.debian.org
navigate to /debian/pool/main/b/bash/

localize and download the file you need : bash_4.1-3+deb6u2_amd64.deb should suite for you.

bests
Julien
I've tried this patch on my Squeeze, but still vulnerable.
 
Old 09-27-2014, 12:12 AM   #21
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 60

Original Poster
Rep: Reputation: Disabled
I have patched all the versions and it is like this you have two ways the binary package pre made from your debian or type of debian distro or compile it from source.

I first test it in a console

Code:
env x='() { :;}; echo vulnerable' bash -c "echo testing this"
It should look like this if its patched

Code:
# env x='() { :;}; echo vulnerable' bash -c "echo testing this"
bash: warning: x: ignoring function definition attempt                                                                                                                                                   
bash: error importing function definition for `x'                                                                                                                                                        
testing this
Then I do the usual using super user account (root) or sudo depending on your version or type of Debian.
Code:
apt-get update ; apt-get install bash
if it updates you are covered for some of the major parts of the CVE-2014 numbers but will have to wait for the dust to settle before the latest patches like the 2 most recent patches that have been entered into today. You are done you can call it a day and you will pass and avoid most the kiddies on the net testing for openings for some fun.

if it tells you you are already uptodate then you need to find out what you are running

Code:
dpkg-query -l|grep bash
# dpkg-query -l|grep bash                                                                                                                                                                
ii  bash                                                      4.3-9.1                            amd64        GNU Bourne Again SHell
As you can see I have 4.3. Next you find a mirror that is not busy (main ones where impossible to get on today, busy) http://www.gnu.org/server/mirror.html
and look for where they have the bash files

I used one from germany. You will find patches going as far back from today fixing the issues as far back as version 2

So just cd to your source directory (You can use a different dir if you want) then wget the version or the latest if you want (check for dependencies. Easiest is to get the code you already have running example if you have 3.2 go get version 3.2.
then you untar gzip it and change to that directory and go get the patches right into the directory and patch it!

Code:
cd /usr/src
wget ftp://ftp.hawo.stw.uni-erlangen.de/gnu/bash/bash-4.2.tar.gz
tar zxvf bash-4.3.tar.gz
cd bash-4.3
for the above example if you have a different version get that version

here is example of me changing to the directory and patching it.

Code:
cd /usr/src/bash-4.3
for i in $(seq -f "%03g" 1 26); do
wget -nv ftp://ftp.hawo.stw.uni-erlangen.de/gnu/bash/bash-4.3-patches/bash43-$i
patch -p0 < bash43-$i
done
You will note I have 4.3 and you might change to a different directory with your version.
seq -f "%03g" 1 26
above you need to see how many patches are in there. at the time of writing this there are 26 patches and it starts at 1. if your using 3.2 there is 53 patches so you would change these number in the example above to
seq -f "%03g" 1 53
and of course the two parts where it is
bash43-$i
to
bash32-$i

and press enter

when you are done you should have a mess of patching , maybe even warnings like illegal names.

finally you need to compile and install this with this command.

Code:
./configure && make && make install
then you are left with a whole bunch of stuff for a bit on your screen. You may need to install some files if it seems to fail. when its done you can test this again first move the old to a old file and the new link

Code:
mv /bin/bash /bin/bash.old
ln -s /usr/local/bin/bash /bin/bash
then test the old and the new
Code:
env x='() { :;}; echo vulnerable' /bin/bash.old -c echo
env x='() { :;}; echo vulnerable' bash -c echo
i would rm (remove the old

Code:
rm /bin/bash.old
Then you good til the next patch comes out although you would need in my case to increase the 26 to a 27 or what ever if they added more patches. as of writing this you are uptodate of all the known issues ( well , if they find more then ...)

I hope that helps i did this in this order so many times yesterday!

Also its not perfect but theres a fail2ban filter now out that might help a little more if your watching your apache2 logs like some of us. just look through some of my posts or go to the fail2ban site I put it up in there

Last edited by charly78; 09-27-2014 at 12:17 AM. Reason: typos
 
Old 10-02-2014, 09:31 AM   #22
gmelchio
LQ Newbie
 
Registered: Oct 2014
Location: Italy
Distribution: debian
Posts: 3

Rep: Reputation: Disabled
Quote:
Originally Posted by charly78 View Post
ok for debian 5 Lenny I had to compile I have done 3 servers that I did in 2008 and it seems to work here is what I did you may need to sub in the version of bash you are using or check the server for the right directory or files.

#first find out the version you have so you know what to get for the patches and source files
dpkg-query -l|grep bash
ii bash 4.1-3 The GNU Bourne Again SHell

#i am doing everything in the /usr/src dir
cd /usr/src
wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
tar zxvf bash-4.1.tar.gz
cd bash-4.1

# download and apply all patches, including the latest one that patches CVE-2014-6271
#note if you are on say older version like 3.2 of bash I would use
#for i in $(seq -f "%03g" 1 52); do since 3.2 has patches up to 52
for i in $(seq -f "%03g" 0 12); do
wget -nv http://ftp.gnu.org/gnu/bash/bash-4.1-patches/bash41-$i
patch -p0 < bash41-$i
done

# compile and install to /usr/local/bin/bash
./configure && make
make install

# point /bin/bash to the new binary
mv /bin/bash /bin/bash.old
ln -s /usr/local/bin/bash /bin/bash

# test by comparing the output of the following
env x='() { :;}; echo vulnerable' /bin/bash.old -c echo
env x='() { :;}; echo vulnerable' bash -c echo

#then get rid Delete the old one thats a problem
rm /bin/bash.old

I hope this helps othere folks
Based on my experience
ln -s /usr/local/bin/bash /bin/bash doesn't work. After a reboot I got "bash no such file" and was impossible logon to the server in single-user too.
Perhaphs better cp /usr/local/bin/bash /bin/bash
 
  


Reply

Tags
patch, security, shell shock, shellshock


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Apache2 Fail2ban Filter charly78 Linux - Security 12 10-25-2014 12:36 PM
Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - rated 10 ! syg00 Linux - Security 81 10-15-2014 03:11 PM
LXer: Shellshock update: bash packages that resolve CVE-2014-6271 and CVE-2014-7169 available LXer Syndicated Linux News 1 09-26-2014 02:43 PM
Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - legacy system patch help Diggy Linux - Security 3 09-26-2014 02:06 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Debian

All times are GMT -5. The time now is 07:21 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration