Shellshock - Remote code execution via Bash


  • Not sure if this has been posted as my unread list on shows a few items even though it has 20+ in the icon (@psychobunny @julian @baris ??)

    I'm not sure if many of you are aware but there has been a serious vulnerability found with Bash that will execute commands on a server via anything that uses system calls.

    Detailed information

    Everyone should update Bash as soon as possible. The recent patch is not a full patch for this vulnerability but it will help.


  • For those running Ubuntu:

    Test if vulnerable:
    $ env var='() { ignore this;}; echo uhoh' bash -c /bin/true

    If you get a response of uhoh you're vulnerable.

    Here's the steps to patch:
    apt-get update
    apt-get install bash
    $ env var='() { ignore this;}; echo uhoh' bash -c /bin/true (Retest)

    You should now get something along the lines of:

    bash: warning: var: ignoring function definition attempt
    bash: error importing function definition for 'var'
    

    Patch success.


  • For those that don't understand the issue. Another from my favourite Tom Scott


  • Thanks to @a_5mith, I just binged several of his videos. He does a good job of breaking things down for those with little experience, when he isn't doing something humorous. Thanks for sharing this.


  • @Ted said:

    Thanks to @a_5mith, I just binged several of his videos. He does a good job of breaking things down for those with little experience, when he isn't doing something humorous. Thanks for sharing this.

    He does a few videos for Computerphile as well. Where he goes into a little more detail. Does some really good videos.

  • GNU/Linux Admin

    If you're running Ubuntu 13.10, you're SOL. I've received no updates fixing this. As bad as it sounds, if you're running 13.10, UPGRADE TO 14.04!


  • @julian alternatively recompile Bash by hand. This should work:

    mkdir src
    cd src
    wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
    #download all patches
    for i in $(seq -f "%03g" 0 28); do wget     http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
    tar zxvf bash-4.3.tar.gz 
    cd bash-4.3
    #apply all patches
    for i in $(seq -f "%03g" 0 28);do patch -p0 < ../bash43-$i; done
    #build and install
    ./configure && make && make install
    cd .. 
    cd ..
    rm -r src
    

    Please note thought that a full patch for the exploit is not yet available.

  • GNU/Linux Admin

    All NodeBB servers have been updated and patched against Shellshock. 👍


  • @julian I am on Ubuntu 12 LTS and received the updates for bash. They may not have been out at the time you checked for 13?

    I checked my logs and we only had a couple of attempts against our server, luckily I had updated when the quick fix got released and updated again when the actual fix was released.


  • @Scuzz, the main problem is that the issue hasn't been completely fixed. As far as I know the latest patch for bash 4.3 is 28 which makes things safer, but still not completely impenetrable.


  • @fuzzmz I know they released a quick fix but after that I thought they released another that completely fixed it?

    I had updates for bash twice over the last week or so.

  • GNU/Linux Admin

    @Scuzz If you have LTS, then you're fine, but 13.10 only had 9 months' of support, which ended in July. Unfortunate for us, the majority of our servers were 13.10 😦

    They're all running 14.04 now, and won't change for awhile yet.

Suggested Topics

  • 1
  • 8
  • 17
  • 8
  • 5
| |