LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-30-2014, 10:55 AM   #76
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Rep: Reputation: 62

so now -026 is not a full fix either ??
https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-6278

but RH says "well, we think -026 is good enough"
https://access.redhat.com/security/cve/CVE-2014-6278


who exactly do they have coding this stuff? seems be to a break-down in quality coders here.

Last edited by Linux_Kidd; 09-30-2014 at 11:23 AM.
 
Old 09-30-2014, 01:29 PM   #77
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Rep: Reputation: 62
a wrapper using perl. some rev's of OS dont have the patches available, so perhaps you wrap it, etc.


Code:
[admin@firefry ~]$ cat bashfilter.pl
#!/bin/env perl

# bashfilter.pl 
#
# This removes all environment variables beginning with "() {", which effectively disables bash's 'export -f' feature.
# As a side effect of disabling function exporting, attempts to exploit CVE-2014-6271 are blocked.
#
# To install, rename bash to bash.unsafe and link or move this script into place in its place.
# Be sure to have an account with an alternate shell available, and test before exiting your current shell.

use strict;
use warnings;
use diagnostics;

use Sys::Syslog;

my $UNSAFE_BASH;

$UNSAFE_BASH=$0 . ".unsafe" unless $UNSAFE_BASH;

foreach my $var (keys %ENV) {
        my $value=$ENV{$var};
        if ($value =~ /^\(\) {/) {
                delete $ENV{$var};
                openlog('bashfilter','ndelay,nofatal,perror','local0');
                syslog('warning',
                  "Blocked potential CVE-2014-6271 exploit attempt: var '%s' with value '%s' removed from environment.", $var, $value);
                closelog();
        }
}

exec { $UNSAFE_BASH } $0, @ARGV or die("Could not exec unsafe bash: $!");

[admin@firefry ~]$ ln -sf ./bashfilter.pl bash
[admin@firefry ~]$ ln -sf $(which bash) bash.unsafe
[admin@firefry ~]$ export BADVAR='() { x; } ; echo Gotcha!'
[admin@firefry ~]$ bash -c true
Gotcha!
[admin@firefry ~]$ ./bash -c true
[admin@firefry ~]$ sudo tail -n 1 /var/log/messages
Sep 26 10:32:31 firefry bashfilter: Blocked potential CVE-2014-6271 exploit attempt: var 'BADVAR' with value '() { x; } ; echo Gotcha!' removed from environment.
[admin@firefry ~]$

Last edited by Linux_Kidd; 09-30-2014 at 01:40 PM.
 
Old 09-30-2014, 02:07 PM   #78
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Rep: Reputation: 62
i am not an SME with any of the shells, but what does invoking bash with --posix option get us in way of mitigating the issue at hand, if anything?
 
Old 09-30-2014, 02:15 PM   #79
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

Rep: Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134
Quote:
Originally Posted by taikedz View Post
I second this - but I still don't understand why parsing to allow function definitions in env variables is suported at all - it just screams of injection!

Ars seems to be on the right track, it'd probably just be safer to turn off the parsing (if such a bash variant already exists please tell me where!) http://arstechnica.com/security/2014...-whack-a-mole/
Let me know if you find anything, I'd jump at the change to swap out bash on my systems with one that does not parse environment variables for functions. Maybe I'll take a peak at the source code and see how difficult it would be to turn it off...I can't imagine it would be that hard.
 
Old 10-08-2014, 06:49 AM   #80
rwilcher
Member
 
Registered: Mar 2006
Location: Maple Heights OHIO
Distribution: Centos 6
Posts: 31

Rep: Reputation: 0
Wink And now for something completely different

. Somebody might find this useful. I did, running old stuff like I do. It's a source patch.
out of style I know. But I like to see WTH is going on. Hope this isn't inappropriate . Asbestos
underwear at the ready.

#from the superuser.com website.
#
#Stole this from AskUbuntu, from someone who stole it off of Hacker News.
#Worked on two old servers for me

mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
#download all patches
for i in $(seq -f "%03g" 1 28); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
#apply all patches
for i in $(seq -f "%03g" 1 28);do patch -p0 < ../bash43-$i; done
#build and install
./configure --prefix=/ && make && make install
cd ..
cd ..
rm -r src
 
Old 10-15-2014, 12:47 PM   #81
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 10,594

Rep: Reputation: 1179Reputation: 1179Reputation: 1179Reputation: 1179Reputation: 1179Reputation: 1179Reputation: 1179Reputation: 1179Reputation: 1179
Nice one, rwilcher.

I hesitated to post on a thread with 79 posts already. I built bash with the script, and installed it in two machines. The script on shellshocker.net passes 100% on the patched bash version, but the page also has individual tests, one of which fails.

Exploit 7: CVE-2014-6277
Code:
bash-4.3$ bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
Segmentation fault
vulnerable
bash-4.3$
I'm not supposed to see the word 'vulnerable' :-/.

I'm not in a position to make meaningful comment on this stuff - how valid the tests are, etc.
I will leave that to others.

Last edited by business_kid; 10-15-2014 at 12:49 PM.
 
Old 10-15-2014, 02:11 PM   #82
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Destickified thread.
 
  


Reply

Tags
bash, vulnerability


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Shellshock update: bash packages that resolve CVE-2014-6271 and CVE-2014-7169 available LXer Syndicated Linux News 1 09-26-2014 01:43 PM
Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - legacy system patch help Diggy Linux - Security 3 09-26-2014 01:06 PM
LXer: Flaw CVE-2014-6271 discovered in the Bash shell — update your Fedora systems LXer Syndicated Linux News 0 09-25-2014 04:41 AM
[SOLVED] CVE-2014-0224 vulnerability joraymasalvan Linux - Newbie 3 06-18-2014 08:26 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:46 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration