Shellshock - Remote code execution via Bash

Scuzz

Not sure if this has been posted as my unread list on shows a few items even though it has 20+ in the icon (@psychobunny @julian @baris ??)

I'm not sure if many of you are aware but there has been a serious vulnerability found with Bash that will execute commands on a server via anything that uses system calls.

Detailed information

Everyone should update Bash as soon as possible. The recent patch is not a full patch for this vulnerability but it will help.

A Former User

For those running Ubuntu:

Test if vulnerable:
$ env var='() { ignore this;}; echo uhoh' bash -c /bin/true

If you get a response of uhoh you're vulnerable.

Here's the steps to patch:
apt-get update
apt-get install bash
$ env var='() { ignore this;}; echo uhoh' bash -c /bin/true (Retest)

You should now get something along the lines of:

bash: warning: var: ignoring function definition attempt
bash: error importing function definition for 'var'

Patch success.

a_5mith

For those that don't understand the issue. Another from my favourite Tom Scott

A Former User

Thanks to @a_5mith, I just binged several of his videos. He does a good job of breaking things down for those with little experience, when he isn't doing something humorous. Thanks for sharing this.

a_5mith

@Ted said:

Thanks to @a_5mith, I just binged several of his videos. He does a good job of breaking things down for those with little experience, when he isn't doing something humorous. Thanks for sharing this.

He does a few videos for Computerphile as well. Where he goes into a little more detail. Does some really good videos.

julian

If you're running Ubuntu 13.10, you're SOL. I've received no updates fixing this. As bad as it sounds, if you're running 13.10, UPGRADE TO 14.04!

fuzzmz

@julian alternatively recompile Bash by hand. This should work:

mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
#download all patches
for i in $(seq -f "%03g" 0 28); do wget     http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz 
cd bash-4.3
#apply all patches
for i in $(seq -f "%03g" 0 28);do patch -p0 < ../bash43-$i; done
#build and install
./configure && make && make install
cd .. 
cd ..
rm -r src

Please note thought that a full patch for the exploit is not yet available.

julian

All NodeBB servers have been updated and patched against Shellshock.

Scuzz

@julian I am on Ubuntu 12 LTS and received the updates for bash. They may not have been out at the time you checked for 13?

I checked my logs and we only had a couple of attempts against our server, luckily I had updated when the quick fix got released and updated again when the actual fix was released.

fuzzmz

@Scuzz, the main problem is that the issue hasn't been completely fixed. As far as I know the latest patch for bash 4.3 is 28 which makes things safer, but still not completely impenetrable.

Scuzz

@fuzzmz I know they released a quick fix but after that I thought they released another that completely fixed it?

I had updates for bash twice over the last week or so.

julian

@Scuzz If you have LTS, then you're fine, but 13.10 only had 9 months' of support, which ended in July. Unfortunate for us, the majority of our servers were 13.10

They're all running 14.04 now, and won't change for awhile yet.