
Thread: Bash vulnerability


  1. #1
    Join Date
    Apr 2008
    Location
    Norwich CT
    Beans
    2,659
    Distro
    Ubuntu Mate

    Bash vulnerability

    This test will show whether bash is vulnerable on your installation.

    Code:
    env x='() { :;}; echo vulnerable' bash -c 'echo hello'

    If it is vulnerable, it will return

    Code:
    vulnerable
    hello

    I tried to update my 12.04 installation from the Ubuntu repositories after the test showed bash to be vulnerable.

    Trying to upgrade from the Ubuntu repositories left my bash vulnerable.

    I downloaded bash4.3 source from Launchpad and compiled and installed it.

    I still had a vulnerability.

    I pulled this code from debian.org and saved it as build-bash.sh and, when I ran it, I was able to run the test and get

    Code:
    hello

    Here's the link for this script:
    https://gist.github.com/mattwhite/86de50d30134129e44ef

    Code:
    # inspired by http://askubuntu.com/a/528171

    # prerequisites
    sudo apt-get install bison

    # get bash 3.2 source
    mkdir src && cd src
    wget http://ftp.gnu.org/gnu/bash/bash-3.2.tar.gz
    tar zxvf bash-3.2.tar.gz
    cd bash-3.2

    # download and apply all patches, including the latest one that patches CVE-2014-6271
    for i in $(seq -f "%03g" 1 52); do
        wget -nv http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-$i
        patch -p0 < bash32-$i
    done

    # compile and install to /usr/local/bin/bash
    ./configure && make
    sudo make install

    # point /bin/bash to the new binary
    sudo mv /bin/bash /bin/bash.old
    sudo ln -s /usr/local/bin/bash /bin/bash

    # test by comparing the output of the following
    env x='() { :;}; echo vulnerable' /bin/bash.old -c echo
    env x='() { :;}; echo vulnerable' bash -c echo

    I hope this helps people.
    Last edited by oldrocker99; September 25th, 2014 at 03:26 PM.

    I drink my Ubuntu black, no sugar.
    Ubuntu user 28819
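
Added example, not part of the post above or of the linked gist: the build script leaves the distro binary in place as /bin/bash.old and a machine can hold several bash binaries, so this wraps the post's test in a function and runs it against each path. The marker strings and function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: run the thread's CVE-2014-6271 test against each bash binary.
# Marker strings and function names are assumptions, not from the thread.

# check_bash_6271 BINARY
# Prints vulnerable | not-vulnerable | error; returns 1, 0 or 2 respectively.
check_bash_6271() {
    bin=$1
    [ -x "$bin" ] || { echo "error"; return 2; }
    # Same probe as post #1. stderr is dropped because fixed builds may print
    # "ignoring function definition attempt" warnings there.
    out=$(env x='() { :;}; echo SHOCK_MARKER' "$bin" -c 'echo PROBE_DONE' 2>/dev/null) || true
    case $out in
        *SHOCK_MARKER*) echo "vulnerable";     return 1 ;;
        *PROBE_DONE*)   echo "not-vulnerable"; return 0 ;;
        *)              echo "error";          return 2 ;;
    esac
}

# scan_bash_binaries PATH...
# Reports every path that exists; returns 1 if any binary is vulnerable
# or could not be tested.
scan_bash_binaries() {
    worst=0
    for bin in "$@"; do
        [ -e "$bin" ] || continue
        verdict=$(check_bash_6271 "$bin") || worst=1
        printf '%-24s %s\n' "$bin" "$verdict"
    done
    return "$worst"
}

# /bin/bash.old is where the build script above parks the distro binary.
scan_bash_binaries /bin/bash /bin/bash.old /usr/local/bin/bash ||
    echo "at least one bash binary still needs attention"
```

A not-vulnerable verdict here covers CVE-2014-6271 only; CVE-2014-7169, raised later in the thread, is a separate issue.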

  2. #2
    Join Date
    Nov 2009
    Beans
    Hidden!
    Distro
    Kubuntu 20.04 Focal Fossa

    Re: [SOLVED]Bash vulnerability

    When will the patch be in repos? Also, from reading some news, it seems that even the patch is not complete. There are also still modems and routers that need patching. So this will not help much unless those are patched as well.

    Bloody hell - my guest server needs patching as well... Going to write to the host; I want to see a patch over there...
    Read the easy to understand, lots of pics Ubuntu manual.
    Do i need antivirus/firewall in linux?
    Full disk backup (newer kernel -> suitable for newer PC): Clonezilla
    User friendly full disk backup: Rescuezilla

  3. #3
    ibjsb4 is offline Ubuntu addict and loving it
    Join Date
    Sep 2012
    Beans
    4,987

    Re: [SOLVED]Bash vulnerability

    I just updated and problem solved.

  4. #4
    Join Date
    Sep 2011
    Location
    Pennsylvania, U.S.A.
    Beans
    3,068
    Distro
    Ubuntu Development Release

    Re: [SOLVED]Bash vulnerability

    Quote: Originally posted by mastablasta
    When will the patch be in repos? Also, from reading some news, it seems that even the patch is not complete. There are also still modems and routers that need patching. So this will not help much unless those are patched as well.

    Bloody hell - my guest server needs patching as well... Going to write to the host; I want to see a patch over there...

    The modems and routers issue seems like it may be a greater problem than servers & P.C.s. How many orphaned/unsupported network devices are vulnerable to this? I'm guessing quite a few, and no patch will be forthcoming. I wonder if someone will come up with a way to test for this vulnerability without needing to get to a shell prompt. Perhaps something like
    Code:
    (run this code check)192.168.1.1.
    for example.

  5. #5
    Join Date
    Jan 2007
    Location
    Columbus, Ohio
    Beans
    193
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: [SOLVED]Bash vulnerability

    I also read that the patch doesn't fix everything; there's a new bulletin for the "partial patch": CVE-2014-7169

  6. #6
    Join Date
    Jul 2014
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: [SOLVED]Bash vulnerability

    They should have this locked down soon enough, what we really need to worry about are commercial application and other servers that haven't, or won't be updated in a timely fashion.

  7. #7
    Join Date
    Jul 2005
    Location
    I think I'm here! Maybe?
    Beans
    Hidden!
    Distro
    Xubuntu 22.04 Jammy Jellyfish

    Re: [SOLVED]Bash vulnerability

    There was a bash update yesterday in 12.04 and running the command in the first post shows that the problem has been sorted as far as I can see, as I get the output:-
    Code:
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    hello
    Am I correct; can I not worry any more?

  8. #8
    Join Date
    Nov 2009
    Beans
    Hidden!
    Distro
    Kubuntu 20.04 Focal Fossa

    Re: [SOLVED]Bash vulnerability

    But the OP ran the update 2 hours ago, if I understand this correctly.

  9. #9
    Join Date
    Jun 2014
    Beans
    Hidden!

    Re: [SOLVED]Bash vulnerability

    As far as I have read on the Internet, the vulnerability is only partially solved.

    First vulnerability, CVE-2014-6271, solved:
    Code:
    env x='() { :;}; echo vulnerable' bash -c "echo Fallo 1 parcheado"
    
    bash: aviso: x: ignoring function definition attempt
    bash: error al importar la definición de la función para `x'
    Fallo 1 parcheado

    Second vulnerability, CVE-2014-7169, UNSOLVED:
    Code:
    env X='() { (a)=>\' sh -c "echo vulnerable"; bash -c "echo Fallo 2 sin parchear"
    
    vulnerable
    Fallo 2 sin parchear



    I think the post should be marked as unsolved...
    Last edited by fprietog; September 25th, 2014 at 04:50 PM.

  10. #10
    Join Date
    Oct 2008
    Location
    UK
    Beans
    1,816
    Distro
    Ubuntu Mate 22.04 Jammy Jellyfish

    Re: [SOLVED]Bash vulnerability

    As a 'lay person' I'm a little confused re this thread (solved or unsolved) - but I appreciate this is new and early days. I get:

    dad@dadubuntu:~$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    hello


    I have both 12.04 and 14.04 and quite a few friends/family machines I look after. Are we/you saying this is not solved at this point?
