Shellshock - Remote code execution via Bash

a_5mith

For those that don't understand the issue. Another from my favourite Tom Scott

A Former User

Thanks to @a_5mith, I just binged several of his videos. He does a good job of breaking things down for those with little experience, when he isn't doing something humorous. Thanks for sharing this.

a_5mith

@Ted said:

Thanks to @a_5mith, I just binged several of his videos. He does a good job of breaking things down for those with little experience, when he isn't doing something humorous. Thanks for sharing this.

He does a few videos for Computerphile as well. Where he goes into a little more detail. Does some really good videos.

julian

If you're running Ubuntu 13.10, you're SOL. I've received no updates fixing this. As bad as it sounds, if you're running 13.10, UPGRADE TO 14.04!

fuzzmz

@julian alternatively recompile Bash by hand. This should work:

mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
#download all patches
for i in $(seq -f "%03g" 0 28); do wget     http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz 
cd bash-4.3
#apply all patches
for i in $(seq -f "%03g" 0 28);do patch -p0 < ../bash43-$i; done
#build and install
./configure && make && make install
cd .. 
cd ..
rm -r src

Please note thought that a full patch for the exploit is not yet available.

julian

All NodeBB servers have been updated and patched against Shellshock.

Scuzz

@julian I am on Ubuntu 12 LTS and received the updates for bash. They may not have been out at the time you checked for 13?

I checked my logs and we only had a couple of attempts against our server, luckily I had updated when the quick fix got released and updated again when the actual fix was released.

fuzzmz

@Scuzz, the main problem is that the issue hasn't been completely fixed. As far as I know the latest patch for bash 4.3 is 28 which makes things safer, but still not completely impenetrable.

Scuzz

@fuzzmz I know they released a quick fix but after that I thought they released another that completely fixed it?

I had updates for bash twice over the last week or so.

julian

@Scuzz If you have LTS, then you're fine, but 13.10 only had 9 months' of support, which ended in July. Unfortunate for us, the majority of our servers were 13.10

They're all running 14.04 now, and won't change for awhile yet.