LinuxQuestions.org


GazL 10-02-2014 10:43 AM

BASH Anti shell-shock wrapper.
 
For those of you like me who really don't like the idea of bash parsing environment variables to define functions, I've written a small wrapper that you may like to try. I originally wrote it to work around a problem invoking bash as sh via 'su' but it wasn't that hard to add a bit of code that will remove anything that looks like a function definition from the environment as well.

Disclaimer: I'm not much of a programmer, so provided as-is, use at your own risk and all that. And for God's sake test it thoroughly before you go replacing /bin/sh with it.

This should protect anything that calls /bin/sh such as programs that call popen() or system(), but won't do anything for things that invoke /bin/bash directly.

UPDATE2: Seems I broke the original function of my wrapper when adding the shell-shock protections, so I've removed it from this post as it doesn't give you anything over the one on post #3. The one on post #3 does work however, so if you want to use a wrapper to protect yourself then that's the one to use. Sorry for the confusion.

metaschima 10-02-2014 11:25 AM

It's a cool idea. However, as you said, /bin/bash can still be called directly, which is a risk that is not fixed by this. I think the better option is to just disable the feature in bash directly.

GazL 10-02-2014 12:07 PM

/bin/bash can be wrapped in a similar manner. The problem with trying to patch bash itself at present is that it's a moving target with all the frantic activity going on at present. Seemed much easier to just wrap it while things settle down (especially as I was already using the wrapper to fix the su issue).

I've attached a simplified version of the bash-wrapper that can be used for /bin/bash itself, without all the stuff to do with fixing 'su'.
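
A minimal sketch of the removal approach discussed in this thread, added here as an example; it is not GazL's attached wrapper or any poster's code. The `REAL_BASH` path and the rule "a value that begins with `()` looks like a function definition" are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumption: placeholder path the real bash binary was moved to. */
#define REAL_BASH "/bin/bash.real"

/* Unpatched bash imports a variable as a function when its value starts
   with "() {"; matching on the leading "()" casts a slightly wider net. */
static int looks_like_function(const char *entry)
{
    const char *value = strchr(entry, '=');
    if (value == NULL)
        return 0;               /* malformed entry, no value to inspect */
    return strncmp(value + 1, "()", 2) == 0;
}

/* Compact envp in place, keeping only entries that are not function-like.
   Returns the number of entries removed. */
int strip_function_vars(char **envp)
{
    char **src, **dst = envp;
    int removed = 0;

    for (src = envp; *src != NULL; src++) {
        if (looks_like_function(*src))
            removed++;
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

int main(int argc, char *argv[], char *envp[])
{
    (void)argc;
    strip_function_vars(envp);
    execve(REAL_BASH, argv, envp);
    perror(REAL_BASH);          /* only reached if execve failed */
    return 127;
}
```

Only the pointer array is rewritten, so a variable that merely contains `()` somewhere in its value is passed through unchanged.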

metaschima 10-02-2014 01:46 PM

Yeah, you might be right, it looks like they just released another patch.

jrifkin 10-06-2014 04:30 PM

We independently developed a bash wrapper that is very similar. The main difference is rather than remove the environment variables, we 'clean' them. Cleaning is done by replacing any occurrence of '()' with blanks, replacing characters beyond ASCII 127 with blanks, and setting the LANG and LC_ALL variables to C if they exist.

I've pasted all 81 lines of it below:

Code:

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>

#define ORIGINAL_BASH "/bin/bash-broken"

/*  cbash:  Bash wrapper to defeat ShellShock exploit

    Before calling bash, filter all strings '()' from environmental variables.
    Exploits use these to cloak arbitrary commands to the bash evaluator

*/

int main(int argc, char *argv[], char *envp[])
{
    char *pos, **e;

    /*  If --version option sent, print cbash version and then continue  */
    e = argv;
    while (*e) {
        if (strcmp(*e,"--version")==0) {
                /*  Print version info  */
                printf("-----------------------------------------\n");
                printf("cbash, version 1.1\n");
                printf("Bash wrapper to defeat ShellShock exploit\n");
                printf("Original bash executable: '%s'\n", ORIGINAL_BASH);
                printf("-----------------------------------------\n");
                break;
        }
        e++;
    }

    /*  Verify that original bash exists and is executable */
    if ( access( ORIGINAL_BASH, F_OK) == -1 ) {
        fprintf(stderr, "ERROR:  Original bash file '%s' does not exist\n", ORIGINAL_BASH);
        exit(1);
    }
    if ( access( ORIGINAL_BASH, X_OK) == -1 ) {
        fprintf(stderr, "ERROR:  Original bash file '%s' is not executable\n", ORIGINAL_BASH);
        exit(1);
    }


    /*  Clean the environment stored in *envp[]  */
    e = envp;
    while (*e) {

        /*  Overwrite every () in environment variable to defeat shellshock hack  */
        pos = *e;
        while ((pos = strstr(pos, "()")) != NULL) {
            *pos++ = ' ';
            *pos++ = ' ';
        }

        /*  Replace non-ascii characters with blanks  */
        /*  NOTE:  Older compilers (?) require (unsigned char) below  */
        pos = *e;
        while (*pos) {
                if ( (unsigned char) *pos>127) *pos = ' ';
                pos++;
        }

        /*  Replace values of LANG and LC_ALL with "C"  */
        if (strncmp(*e,"LANG=",5)==0) {
                if (strlen(*e)>5) {
                        (*e)[5] = 'C';
                        (*e)[6] = 0;
                }
        } else if (strncmp(*e, "LC_ALL=", 7)==0) {
                if (strlen(*e)>7) {
                        (*e)[7] = 'C';
                        (*e)[8] = 0;
                }
        }
        e++;
    }

    /*  Exec old bash with a cleaned environment  */
    execve(ORIGINAL_BASH, argv, envp);

    /*  Only reached if execve failed  */
    perror(ORIGINAL_BASH);
    return 1;
}


moisespedro 10-06-2014 05:19 PM

Not trying to be rude but it would be better if you posted it with [code] tags or on some paste site.

Like this.


All times are GMT -5.