Bash Vulnerability

[jlpoole]

I haven't seen any posting of this in the forums and so offer this up:

http://arstechnica.com/security/2014/09 ... nix-in-it/

[666threesixes666]

http://seclists.org/oss-sec/2014/q3/649

yup, disable ssh or update....

<shamus397> try this: LC_TIME='() { :;}; echo vulnerable' ssh <your systems hostname here>

[jlpoole]

I had several servers that were vulnerable. Updating to 4.2_p48 should make you safe from this one. 4.2_p45 is vulnerable.

# eix app-shells/bash
app-shells/bash
Available versions:
(3.1) 3.1_p17 3.1_p18
(3.2) 3.2_p51 3.2_p52
(4.0) 4.0_p38 4.0_p39
(4.1) 4.1_p11 4.1_p12
(0) 4.2_p45 4.2_p48 **4.3_p25
{afs bashlogger examples mem-scramble +net nls plugins +readline vanilla}
Installed versions: 4.2_p45(22:02:45 07/24/13)(net nls readline -afs -bashlogger -examples -mem-scramble -plugins -vanilla)
Homepage: http://tiswww.case.edu/php/chet/bash/bashtop.html
Description: The standard GNU Bourne again shell

* app-shells/bash-completion

[Kilteroff]

I'm sorry, how do you do this? My Emerge&Portage skills are still in devel -_-

[jlpoole]

I'm sorry, how do you do this? My Emerge&Portage skills are still in devel -_-

Code: Select all

emerge --sync
emerge app-shells/bash

[The Doctor]

That should be

Code: Select all

emerge -1 app-shells/bash

Note the -1. Cluttering the world file is a bad idea.

[Kilteroff]

That was the first thing I did, still app-shells/bash-4.2_p45 though :/

[eccerr0r]

http://forums.gentoo.org/viewtopic-t-10 ... ight-.html

You can also just do a regular world update.

Use --oneshot to upgrade packages if you didn't explicitly emerge them... This will help out portage package messes down the road - though in this case, bash is unlikely to get orphaned...

[Kilteroff]

Well I followed the instructions and ran emerge --ask --oneshot --verbose ">=app-shells/bash-4.2_p48"

Now I have app-shells/bash-4.3_p24-r1

Scurry stuff. Thanks for the help

[wuzzerd]

Awesome: Gentoo has already handled this problem. Free beer for the devs!!

[sk3l]

http://seclists.org/oss-sec/2014/q3/649

yup, disable ssh or update....

<shamus397> try this: LC_TIME='() { :;}; echo vulnerable' ssh <your systems hostname here>

Seems like patching should take priority, but is disabling sshd really necessary? FWICT only sshd configs with ForceCommand enabled are vulnerable? If you're not running GIT or SVN or the like your SSH may be OK. Please correct me if I'm mistaken.

[tld]

Awesome: Gentoo has already handled this problem. Free beer for the devs!!

It also appears that the version in Gentoo seems to have addressed the fact that the original fix was incomplete:

https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23

After updating:

Code: Select all

env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory

However, on CentOS 6, the updated version which is supposed to be fixed appears to prevent the behavior as suggested in the original test, but does NOT deal with the above example:

Code: Select all

env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Thu Sep 25 11:11:58 EDT 2014

Scary stuff. Gentoo devs are on top of this for sure!

Tom

[Duncan Mac Leod]

Awesome: Gentoo has already handled this problem. Free beer for the devs!!

YES!! Free beer for the devs!! I love you!!!

[darookee]

I have to systems running gentoo, I updated them both as in http://forums.gentoo.org/viewtopic.php? ... 82#7623082

One has GNU bash, version 4.2.48(1)-release (x86_64-pc-linux-gnu)
The other GNU bash, version 4.3.24(1)-release (x86_64-pc-linux-gnu)

When I run the test on the first I get this:

Code: Select all

root:spork:~> env X='() { (a)=>\' /bin/bash -c "echo date"; cat echo
/bin/bash: X: line 1: syntax error near unexpected token `='
/bin/bash: X: line 1: `'
/bin/bash: error importing function definition for `X'
date
Thu Sep 25 23:21:21 CEST 2014
root:spork:~>

And on the second it is the same. Am I missing something? It looks like it is not fixed...?

[tld]

And on the second it is the same. Am I missing something? It looks like it is not fixed...?

Actually I think you're correct. I noticed earlier that the updated Gentoo version had no patch other than the one known to be incomplete.

I think the above behavior I'm seeing, where I don't appear to have that issue, may possibly be because it's on an older x86 machine(??):

Code: Select all

equery list bash
 * Searching for bash ...
[IP-] [  ] app-shells/bash-4.2_p48-r1:0

uname -a
Linux dell2 3.14.16-gentoo #1 SMP PREEMPT Tue Aug 19 11:25:32 EDT 2014 i686 Intel(R) Pentium(R) 4 CPU 2.53GHz GenuineIntel GNU/Linux

env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory

At least that's the only explanation I can imagine offhand. As you can see it's not occurring for me, but as far as I can see, there currently is no fix available yet for that one.

[eccerr0r]

I've seen multiple incantations of the bug detection script around, it looks like the one with bad syntax is the worrysome one.

host4248r1 is x86 running bash4.2_p48r1 -- I also have x86_64 and behaves the same.
host4245 is x86_64 running bash4.2_p45

Code: Select all

host4248r1$ bash
host4248r1$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
host4248r1$ exit
exit
host4248r1$ bash
host4248r1$ rm -f echo
host4248r1$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory
host4248r1$

The second one seems to be creating an improper function but oddly bash is still parsing it, but nevertheless it should not be executing it like on this vulnerable machine:

Code: Select all

host4245$ bash
host4245$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
host4245$ exit
exit
host4245$ bash
host4245$ rm -f echo
host4245$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Thu Sep 25 17:43:15 MDT 2014

In any case it should not print out the date. Then again any function declaration appears to do rudimentary parsing:

Code: Select all

host4248r1$ b() { (a)=> }
bash: syntax error near unexpected token `='

[eccerr0r]

Just want to report that I had two hosts from "security companies" probe my server for shellshock through httpd. At least they made it somewhat obvious; there are more subtle ways of doing it...

[darookee]

I just checked again after updating one host to 4.3_p25-r1 and, 'magically', both host, the on running 4.2_p48-r1 and the other don't show the 'vulnerable' behavior, even though I didn't do anything on the bash-4.2 host... Funny...

Code: Select all

$ equery list bash
[IP-] [  ] app-shells/bash-4.2_p48-r1:0

$ uname -a
Linux spork 3.10.17-gentoo #1 SMP Thu Nov 21 02:14:03 CET 2013 x86_64 AMD FX(tm)-4100 Quad-Core Processor AuthenticAMD GNU/Linux

$ env x='() { :;}; echo vulnerable' /bin/bash -c "echo this is a test"
/bin/bash: warning: x: ignoring function definition attempt
/bin/bash: error importing function definition for `x'
this is a test

Code: Select all

$ equery list bash
[IP-] [  ] app-shells/bash-4.3_p25-r1:0

$ uname -a
Linux mirinda 3.8.13 #3 SMP Sun Dec 15 21:23:34 CET 2013 x86_64 AMD Athlon(tm) II X2 240 Processor AuthenticAMD GNU/Linux

$ env x='() { :;}; echo vulnerable' /bin/bash -c "echo this is a test"
/bin/bash: warning: x: ignoring function definition attempt
/bin/bash: error importing function definition for `x'
this is a test

[eccerr0r]

looks like bash-4.2_p49 is available on portage now, which is the same as Gentoo's p48-r1 (which got obsoleted).

[ChrisJumper]

The show must go on: app-shells/bash-4.2_p50 is available now.

[baragoon]

The show must go on: app-shells/bash-4.2_p50 is available now.

But still vulnerable...
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
/root/t.sh: line 18: 2692 Segmentation fault bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs

[patrix_neo]

Redhat offered SJVN @ zdnet some tip how to check if your bash is vulnerable or not. It includes talk abut the CVE-2014-7186 bug.

http://www.zdnet.com/shellshock-better- ... 000034115/

Mine: bash-4.2_p50 made the tests.
Test 1

env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test

NOTE: With bash-4.2_p50, bash replied with: test only. Good or bad, I don't know.

Test 2

cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

date
cat: /tmp/echo: No such file or directory

[geeksheik]

This may deserve a new thread; it seems that the bash ebuild is currently corrupted. I did the system update several days ago, and there have been already a few new releases in the meantime. Now the ebuild seems to be broken or corrupted. I'm guessing that it's due to a transfer error between servers, but this is the type of message that one would see if there is intentional manipulation.

Starting emerge -u -D -v -N world on 20141002_133808...

These are the packages that would be merged, in order:

Calculating dependencies .... .... done!
[ebuild U ] app-shells/bash-4.2_p51 [4.2_p48-r1] USE="examples net nls (readline) -afs -bashlogger -mem-scramble -plugins -vanilla" 13 kB
[ebuild U ] net-proxy/squid-3.3.13-r1 [3.3.13] USE="ipv6 ldap logrotate mysql pam ssl -caps -ecap -icap-client (-ipf-transparent) -kerberos (-kqueue) -nis (-pf-transparent) -postgres -qos -radius -samba -sasl (-selinux) -snmp -sqlite -ssl-crtd {-test} -tproxy" 0 kB
[ebuild U ~] media-gfx/ufraw-0.20 [0.19.2] USE="gnome gtk openmp -contrast -fits -gimp -timezone" 1,062 kB
[ebuild U ] net-misc/dhcpcd-6.4.7 [6.4.3] USE="ipv6 udev" 152 kB
[ebuild U ] sys-apps/portage-2.2.8-r2 [2.2.8-r1] USE="(ipc) -build -doc -epydoc (-pypy2_0) -python2 -python3 (-selinux) -xattr" LINGUAS="-ru" PYTHON_TARGETS="python2_7 python3_3 (-pypy2_0) (-python2_6) (-python3_2) (-python3_4)" 0 kB
[ebuild U ] dev-vcs/git-2.0.4 [1.8.5.5] USE="blksha1 curl doc emacs gpg gtk iconv nls pcre perl python subversion threads tk webdav -cgi -cvs -gnome-keyring -highlight -mediawiki (-ppcsha1) {-test} -xinetd" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7" 4,628 kB

Total: 6 packages (6 upgrades), Size of downloads: 5,853 kB

>>> Verifying ebuild manifests


!!! Digest verification failed:
!!! /usr/portage/app-shells/bash/bash-4.1_p15.ebuild
!!! Reason: Filesize does not match recorded size
!!! Got: 4200
!!! Expected: 4201

-> cat /usr/portage/metadata/timestamp.chk
Thu, 02 Oct 2014 11:30:01 +0000

I already re-synced once and got the same result.

[gerard27]

Had the same problem.
Resynced and it compiled properly.
Gerard.

[patrix_neo]

Security wise I feel undressed..Thanks for every effort though. I will reboot soonish.