LinuxQuestions.org
Old 09-26-2014, 08:31 AM   #46
ilesterg
Member
 
Registered: Jul 2012
Location: Kuala Lumpur
Distribution: Debian, CentOS/RHEL
Posts: 582

Rep: Reputation: 61

Quote:
Originally Posted by Toofle View Post
I'm on debian: SID atm. And when I try the command:

Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If your system is compromised you should be able to see "vulnerable" and "this is a test".
However, I can only see the part where it echoes "this is a test".

If the bash shell is patched it should give this error.

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

But it doesn't!

I have updated bash to latest version. Anyone have a clue?
Are you lost, my friend?
 
Old 09-26-2014, 08:31 AM   #47
Toofle
LQ Newbie
 
Registered: Mar 2014
Posts: 7

Rep: Reputation: Disabled
Yes
 
Old 09-26-2014, 08:33 AM   #48
ilesterg
Member
 
Registered: Jul 2012
Location: Kuala Lumpur
Distribution: Debian, CentOS/RHEL
Posts: 582

Rep: Reputation: 61
Quote:
Originally Posted by Toofle View Post
Yes
http://www.linuxquestions.org/questi...k-4175519998/?
 
Old 09-26-2014, 08:35 AM   #49
ilesterg
Member
 
Registered: Jul 2012
Location: Kuala Lumpur
Distribution: Debian, CentOS/RHEL
Posts: 582

Rep: Reputation: 61
Hi all, I just want to clarify: only bash is affected, right? And not ksh, tcsh and zsh?
 
Old 09-26-2014, 08:36 AM   #50
Toofle
LQ Newbie
 
Registered: Mar 2014
Posts: 7

Rep: Reputation: Disabled
Quote:
Originally Posted by suicidaleggroll View Post
That's what it's supposed to do. A broken system would print
Code:
vulnerable
this is a test
That
Code:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
is it catching the vulnerability.
What if it only prints
Code:
this is a test
I updated and upgraded. And dist-upgraded. But none of these methods seem to help me. Any clues?

Btw: I'm using debian: Sid
 
Old 09-26-2014, 09:19 AM   #51
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Rep: Reputation: 62
the fixes i tried (.1 and .2 ver of latest bash on CentOS 6final)
both did not behave like this
Code:
The patch used to fix this flaw, ensures that no code is allowed after the end of a bash function. So if you run the above example with the patched version of bash, you should get an output similar to:

 $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test
all i got back was/is "this is a test"

so, it looks like what was compiled and released was not what they used when they posted at https://securityblog.redhat.com/2014...ection-attack/
 
Old 09-26-2014, 09:22 AM   #52
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,508

Rep: Reputation: 1811
Re: Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Shell shock patching?

Quote:
Originally Posted by BartMan__X View Post
Code:
root@BWS-NET:~# env X='() { :;}; echo' /bin/cat /etc/passwd; echo 'Welcome to he Simple ShellShock Tester By Svieg';echo 'Your infos are at risk';
That's not a vulnerability, it's really the same as just
Code:
/bin/cat /etc/passwd
echo 'Welcome to he Simple ShellShock Tester By Svieg'
echo 'Your infos are at risk'
Obviously /bin/cat /etc/passwd should only work as root.

Last edited by unSpawn; 09-27-2014 at 10:53 AM. Reason: //Pre-merge subject linking
 
Old 09-26-2014, 09:55 AM   #53
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

Rep: Reputation: 2134
The only time I saw that is when I was running on a system where "bash" wasn't really bash, it was a symlink to busybox or sh or something else.

edit: I just installed x.2 of the CentOS bash fix, now I just get "this is a test" on the first one, and
Code:
date
Thu Sep 25 15:22:19 MDT 2014
For the second.

I was under the impression that if you received a date on the second test it was still vulnerable, so is this not yet fixed? I understand the first test fully, but I don't really "get" the second test, so I can't say what the proper behavior should be.

Last edited by suicidaleggroll; 09-26-2014 at 09:59 AM.
 
Old 09-26-2014, 11:25 AM   #54
corbis_demon
Member
 
Registered: Jun 2004
Location: India
Distribution: CLFS
Posts: 515

Rep: Reputation: 36
CVE-2014-7169, the additional vulnerability, has been fixed. You can find the patch here. This is the result of a test exploit I ran on a patched and recompiled version of bash:
Code:
user@host:~$ env X='() { (a)=>\' bash -c "file echo vulnerable; cat file"

bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
echo: ERROR: cannot open `echo' (No such file or directory)
vulnerable: ERROR: cannot open `vulnerable' (No such file or directory)
cat: file: No such file or directory
 
Old 09-26-2014, 11:50 AM   #55
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

Rep: Reputation: 2134
So my CentOS and Debian systems seem good now:
Code:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
date
cat: echo: No such file or directory
However I'm not seeing the patch to fix the second problem on the bash software page:
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/

025 only fixes the first vulnerability.
 
Old 09-26-2014, 11:54 AM   #56
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Rep: Reputation: 62
Quote:
Originally Posted by suicidaleggroll View Post
So my CentOS and Debian systems seem good now:
Code:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
date
cat: echo: No such file or directory
However I'm not seeing the patch to fix the second problem on the bash software page:
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/

025 only fixes the first vulnerability.
as example, release 15.el6_5.2 for bash 4.1.2 fixes both issues from what i see.

this page http://ftp.gnu.org/gnu/bash/bash-4.3-patches/ doesn't seem to list the files they used on 25Sep2014. i suspect if the build date is not 25Sep2014 or later then you don't have the latest fixed version. i guess you are looking for -026

Last edited by Linux_Kidd; 09-26-2014 at 11:58 AM.
 
Old 09-26-2014, 11:57 AM   #57
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,508

Rep: Reputation: 1811
Quote:
Originally Posted by suicidaleggroll View Post
So my CentOS and Debian systems seem good now:
Code:
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
date
cat: echo: No such file or directory
You should use bash instead of sh on Debian (derived) systems, otherwise you aren't testing bash.

Quote:
Originally Posted by Postmodern
a better test
Code:
env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("
From https://twitter.com/taviso/status/514887394294652929
 
Old 09-26-2014, 12:05 PM   #58
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

Rep: Reputation: 2134
Oops, I just copied and pasted, didn't notice it was running sh instead of bash. Either way, on both my CentOS and Debian systems sh is symlinked to bash, so the result is the same.

For the better test:
Code:
$ env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("
echo vuln
cat: echo: No such file or directory
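
The two checks used in this thread, wrapped as an added example that is not part of any post here: it classifies the first test's output (the warning lines and a bare "this is a test" both count as not vulnerable to that test; only a printed "vulnerable" line counts as vulnerable), runs the second test in an empty scratch directory, and shows what `bash` and `sh` really resolve to. The function names and result labels are made up for this sketch.

```shell
#!/bin/sh
# Added example: wraps the two checks quoted in this thread so results are
# classified instead of read by eye. Function names are made up for this sketch.

# Classify captured output of the first test (CVE-2014-6271).
classify_6271() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable            # the injected "echo vulnerable" actually ran
    elif printf '%s\n' "$1" | grep -q 'ignoring function definition attempt'; then
        echo patched-warns         # trailing code rejected, with a warning
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo patched-silent        # only the -c command ran, no warning
    else
        echo unknown
    fi
}

# Run the first test against shell $1 (a name on PATH or an absolute path).
check_6271() {
    bin=$(command -v "$1") || { echo missing; return 0; }
    classify_6271 "$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>&1)"
}

# Run the second test (CVE-2014-7169) in an empty scratch directory, so a
# stray file named "echo" from an earlier run cannot skew the result.
check_7169() {
    bin=$(command -v "$1") || { echo missing; return 0; }
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env X='() { (a)=>\' "$bin" -c 'echo echo vuln' ) >/dev/null 2>&1 || true
    if [ "$(cat "$dir/echo" 2>/dev/null)" = "vuln" ]; then
        echo vulnerable            # a file named "echo" containing "vuln" was created
    else
        echo patched
    fi
    rm -rf "$dir"
}

# Show what each name really resolves to (bash, dash, busybox, ...), then test it.
for s in bash sh; do
    path=$(command -v "$s") || { echo "$s: not installed"; continue; }
    echo "$s -> $(readlink -f "$path"): 6271=$(check_6271 "$s") 7169=$(check_7169 "$s")"
done
```

If the resolved path for `bash` or `sh` is not a bash binary, the result says nothing about bash on that machine.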
 
Old 09-26-2014, 12:44 PM   #59
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Rep: Reputation: 62
and i am baffled as to why "yum check-update --security" didn't return _5.1 or _5.2 to me.
was the package not flagged with security in the repo?

many of my patching programs do regular security patching (package installs). thus a "yum update --security" would not have worked here.

anyone ??
 
Old 09-26-2014, 12:54 PM   #60
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
I've merged the two main threads on the subject and stickied it.
Please keep the general discussion here, thanks.
 
  



Tags
bash, vulnerability

