Page 1 of 7 123 ... LastLast
Results 1 to 10 of 70

Thread: Bash vulnerability

  1. #1
    Join Date
    Apr 2008
    Location
    Norwich CT
    Beans
    2,661
    Distro
    Ubuntu Mate

    Bash vulnerability

    This test will show whether bash is vulnerable on your installation.

    Code:
    env x='() { :;}; echo vulnerable' bash -c 'echo hello'
    If it is vulnerable, it will return

    Code:
    vulnerable
    hello
    I tried to update my 12.04 installation from the Ubuntu repositories after the test showed bash to be vulnerable.

    Trying to upgrade from the Ubuntu repositories left my bash vulnerable.

    I downloaded bash4.3 source from Launchpad and compiled and installed it.

    I still had a vulnerability.

    I pulled this code from debian.org and saved it as build-bash.sh and, when I ran it, I was able to run the test and get

    Code:
    hello
    Here's the link for this script:
    https://gist.github.com/mattwhite/86de50d30134129e44ef

    Code:
    # inspired by http://askubuntu.com/a/528171
     
    # prerequisites
    sudo apt-get install bison
     
    # get bash 3.2 source
    mkdir src && cd src
    wget http://ftp.gnu.org/gnu/bash/bash-3.2.tar.gz
    tar zxvf bash-3.2.tar.gz
    cd bash-3.2
     
    # download and apply all patches, including the latest one that patches CVE-2014-6271
    for i in $(seq -f "%03g" 1 52); do
    wget -nv http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-$i
    patch -p0 < bash32-$i
    done
     
    # compile and install to /usr/local/bin/bash
    ./configure && make
    sudo make install
     
    # point /bin/bash to the new binary
    sudo mv /bin/bash /bin/bash.old
    sudo ln -s /usr/local/bin/bash /bin/bash
     
    # test by comparing the output of the following
    env x='() { :;}; echo vulnerable' /bin/bash.old -c echo
    env x='() { :;}; echo vulnerable' bash -c echo
    I hope this helps people.
    Last edited by oldrocker99; September 25th, 2014 at 03:26 PM.

    I drink my Ubuntu black, no sugar.
    Ubuntu user 28819

  2. #2
    Join Date
    Nov 2009
    Beans
    Hidden!
    Distro
    Kubuntu 18.04 Bionic Beaver

    Re: [SOLVED]Bash vulnerability

    When will the patch be in repos? Also from reading some news it seems that even patch is not complete. There are also still modems and routers that need patching. So this will not help much unless those are patched as well.

    Bloddy hell - my guest server needs patching as well... Going to write to the host I want to see patch over there...
    Read the easy to understand, lots of pics Ubuntu manual.
    Do i need antivirus/firewall in linux?
    Full disk backup (newer kernel -> suitable for newer PC): Clonezilla
    User friendly full disk backup: Rescuezilla

  3. #3
    Join Date
    Jan 2007
    Location
    Columbus, Ohio
    Beans
    193
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: [SOLVED]Bash vulnerability

    I also read that the patch doesn't fix everything, there's a new bulletin for the "partial patch." CVE-2014-7169

  4. #4
    ibjsb4 is offline Ubuntu addict and loving it
    Join Date
    Sep 2012
    Beans
    4,993

    Re: [SOLVED]Bash vulnerability

    I just updated and problem solved.

  5. #5
    Join Date
    Jul 2014
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: [SOLVED]Bash vulnerability

    They should have this locked down soon enough, what we really need to worry about are commercial application and other servers that haven't, or won't be updated in a timely fashion.

  6. #6
    Join Date
    Sep 2011
    Location
    Pennsylvania, U.S.A.
    Beans
    2,955
    Distro
    Ubuntu Development Release

    Re: [SOLVED]Bash vulnerability

    Quote Originally Posted by mastablasta View Post
    When will the patch be in repos? Also from reading some news it seems that even patch is not complete. There are also still modems and routers that need patching. So this will not help much unless those are patched as well.

    Bloddy hell - my guest server needs patching as well... Going to write to the host I want to see patch over there...
    The modems and routers issue seems like it may be greater problem than servers & P.C.s. How many orphaned/unsupported network devices are vulnerable to this? I'm guessing quite a few and no patch will be forthcoming. I wonder if someone will come up with a way to test for this vulnerability without needing to get to a shell prompt. Perhaps something like
    Code:
    (run this code check)192.168.1.1.
    for example.

  7. #7
    Join Date
    Jul 2005
    Location
    I think I'm here! Maybe?
    Beans
    Hidden!
    Distro
    Xubuntu 20.04 Focal Fossa

    Re: [SOLVED]Bash vulnerability

    There was a bash update yesterday in 12.04 and running the command in the first post shows that the problem has been sorted as far as I can see, as I get the output:-
    Code:
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    hello
    Am I correct; can I not worry any more?

  8. #8
    Join Date
    Nov 2009
    Beans
    Hidden!
    Distro
    Kubuntu 18.04 Bionic Beaver

    Re: [SOLVED]Bash vulnerability

    but the OP ran update 2 hours ago if i udnerstand this correctly.
    Read the easy to understand, lots of pics Ubuntu manual.
    Do i need antivirus/firewall in linux?
    Full disk backup (newer kernel -> suitable for newer PC): Clonezilla
    User friendly full disk backup: Rescuezilla

  9. #9
    Join Date
    Jun 2014
    Location
    Madrid (Spain)
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: [SOLVED]Bash vulnerability

    As far as I read from Internet the vulnerability is only partially solved.

    First vulnerability CVE 2014-6271, solved:
    Code:
    env x='() { :;}; echo vulnerable' bash -c "echo Fallo 1 parcheado"
    
    bash: aviso: x: ignoring function definition attempt
    bash: error al importar la definición de la función para `x'
    Fallo 1 parcheado

    Second vulnerability CVE 2014-7169, UNSOLVED:
    Code:
    env X='() { (a)=>\' sh -c "echo vulnerable"; bash -c "echo Fallo 2 sin parchear"
    
    vulnerable
    Fallo 2 sin parchear



    I think the post should be marked as unsolved...
    Last edited by fprietog; September 25th, 2014 at 04:50 PM.

  10. #10
    Join Date
    Oct 2008
    Location
    UK
    Beans
    1,584
    Distro
    Ubuntu Mate 20.04 Focal Fossa

    Re: [SOLVED]Bash vulnerability

    As a 'lay person' I'm a little confused re this thread (solved or unsolved) - but I appreciate this is new and early days. I get:

    dad@dadubuntu:~$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    hello


    I have both 12.04 and 14.04 and quite a few friends/family machines I look after. Are we/you saying this is not solved at this point?

Page 1 of 7 123 ... LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •