Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Bug in Bash shell creates big security hole on anything with *nix in it


  • This topic is locked This topic is locked
57 replies to this topic

#1 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 11,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:05:51 AM

Posted 24 September 2014 - 04:13 PM

 

A security vulnerability in the GNU Bourne Again Shell (Bash), the command-line shell used in many Linux and Unix operating systems, could leave systems running those operating systems open to exploitation by specially crafted attacks. “This issue is especially dangerous as there are many possible ways Bash can be called by an application,” a Red Hat security advisory warned.

The bug, discovered by Stephane Schazelas, is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network–based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

 

There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable this is a test

Bug in Bash shell creates big security hole on anything with *nix in it

 

Update your system now. Run this command run this command in terminal.

sudo apt-get update && sudo apt-get upgrade

Then run this command.

env check='Not vulnerable' x='() { :;}; check=Vulnerable' bash -c 'echo $check'

The output should look like this.

a9pf2a.png


Edited by NickAu1, 24 September 2014 - 05:18 PM.


BC AdBot (Login to Remove)

 


m

#2 SleepyDude

SleepyDude

  • Malware Response Team
  • 2,932 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:06:51 PM

Posted 24 September 2014 - 04:22 PM

Hi,

 

Thanks for the warning. :thumbup2:

 

I suppose this is the result in a system not vulnerable

 

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test


• Please do not PM me asking for support. Post on the forums instead it will increases the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#3 NickAu

NickAu

    Bleepin' Fish Doctor

  • Topic Starter

  • Moderator
  • 11,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:05:51 AM

Posted 24 September 2014 - 04:29 PM

Hi.

 

If the system is vulnerable, the output will be:

vulnerable this is a test 

You are welcome.

 

My system updated just before I posted this. It seems the Linux community was all over this fast.


Edited by NickAu1, 24 September 2014 - 04:36 PM.


#4 SleepyDude

SleepyDude

  • Malware Response Team
  • 2,932 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:06:51 PM

Posted 24 September 2014 - 06:00 PM

Hi.

 

If the system is vulnerable, the output will be:

vulnerable this is a test 

 

On the link you post it seems the output on MacOS is two lines:

vulnerable
this is a test

• Please do not PM me asking for support. Post on the forums instead it will increases the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#5 NickAu

NickAu

    Bleepin' Fish Doctor

  • Topic Starter

  • Moderator
  • 11,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:05:51 AM

Posted 24 September 2014 - 06:07 PM

 

On the link you post it seems the output on MacOS is two lines:

vulnerable
this is a test

That Mac is vulnerable.

 

 

The vulnerability (CVE-2014-6271) affects Apple's OS X – and is useful for privilege escalation – as well as major flavors of Linux. Fortunately, patches are already available, and distros are ahead of the game in responding to the flap. BSD distros that do not use Bash by default are safe, obviously.

 

Edit

 

Git for Windows may also be  vulnerable.

 

Git for Windows provides a BASH emulation used to run Git from the command line.


Edited by NickAu1, 24 September 2014 - 06:13 PM.


#6 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:04:51 AM

Posted 24 September 2014 - 07:24 PM

Bash is a rather fat shell. Embedded systems which run Linux often use BusyBox instead, or another lightweight shell. The scope of this vuln is more limited on hardware than many would think, and all the big distros have already patched it. It shows that there are a lot of basic bugs out there to be found, and now Linux is becoming more interesting to hackers we can expect a lot more of this type of thing.



#7 wizardfromoz

wizardfromoz

  • Banned
  • 2,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:51 AM

Posted 25 September 2014 - 02:38 AM

...now Linux is becoming more interesting to hackers we can expect a lot more of this type of thing.

 

True, oh Northern One.

 

Lest I forget, much kudos NickAu1 for the heads up!

 

I read your post over coffee this morning, executed the easy test, my output of vulnerable came out in two lines, as SleepyDude referred about Mac output. No matter, same principle.

 

I did a bit of trawling of the Net, read a few items (summarised below), and by or before 11:36:27, I had had Trusty's Software Updater wiggling at me, green, in the Launcher.

 

Being conditioned, I clicked it to go ahead and went for another coffee (I usually watch it do its voodoo, even click Details to watch items spinning down, soothing when there are no failures).

 

Came back, up to date.

 

Next time I ran the easy test I got the same Not vulnerable as you, so Ubuntu were on the ball.

 

This in 2 parts, gotta put the Powerball on



#8 wizardfromoz

wizardfromoz

  • Banned
  • 2,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:51 AM

Posted 25 September 2014 - 03:28 AM

Part 2

 

Huzaifa Sidhpurwala from Redhat features prominently in a number of articles, including REJECTING a couple of patch suggestions - This refers.

 

Whirlpool indicated that a second patch may still be to come.

 

The Register (UK-based) were scare-mongering a little with their article, notable for the reference below:

 

koS3mYB.png

 

... & yet Redhat have been heavily involved in the patching process, including ones for Enterprise and for Fedora. Hhmmm - may be some returns for Redhat vis-a-vis an exodus to their products, both from commercial entities and the home user? Not to mention Redhat's reference here.

 

And of course there are the obligatory references to Heartbleed - "Shellshock" was being suggested about 8 - 10 hours ago or more as a codename for the Bug, and that seems to be catching (catch a bug, get it :hysterical: )

 

SleepyDude, if you and your team are still watching this post, not being critical, but:

  1. Lawrence or Nathan should have something about this on the front page by now
  2. We have thousands of members, albeit a small Linux community, but there is Mac as well, affected. Many members may come into the site at http://www.bleepingcomputer.com/forums rather than the front page, and some of those may not be privy to eg Ubuntu's friendly wiggle-wiggle-wiggle-wiggle-wiggle of Software Updater. Maybe a blanket PM to Linux-Mac Users? I can put something in the Topics I am involved with, just let me know - PM if you wish

I've said enough I expect, this is Nick's topic, kudos again Nick, and love BC Forum!

 

Wizard


Edited by wizardfromoz, 25 September 2014 - 03:29 AM.


#9 NickAu

NickAu

    Bleepin' Fish Doctor

  • Topic Starter

  • Moderator
  • 11,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:05:51 AM

Posted 25 September 2014 - 03:50 AM


 

"Shellshock" was being suggested

And now that its Kind of patched in Linux, we can call the patch  Shell be right, Australians and Kiwis will get that.

 

Shell be right,

What else can we call it?

 

 

She'll be right (often followed by a friendly term of address such as mate) is a frequently used idiom in Australian and New Zealand culture that expresses the belief that "whatever is wrong will right itself with time", which is considered to be either an optimistic or apathetic outlook.[1][2][3] The term can also be used to refer to a situation or object which is not perfect but is good enough to fulfil its purpose.

She'll be right - Wikipedia, the free encyclopedia


Edited by NickAu1, 26 September 2014 - 12:04 AM.


#10 wizardfromoz

wizardfromoz

  • Banned
  • 2,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:51 AM

Posted 25 September 2014 - 06:24 AM

Naah ya shouldov madem google it up me china plate

 

BTW, I said earlier

 


 by or before 11:36:27, I had had Trusty's Software Updater wiggling at me, green, in the Launcher.

 

The reason I know the time so precisely is because in

/var/log/apt/history.log

(Just open in your favourite file viewer/editor), eg

gedit /var/log/apt/history.log

... I found the time I ran the updates, and also, in part:

 

" bash:amd64 (4.3-7ubuntu1, 4.3-7ubuntu1.1), " - which is the updated Patch from Ubuntu for this security flaw. My version of Bash is 4.3.11(1) - now, not sure before.

 

Later

 

Wiz

 

 



#11 Al1000

Al1000

  • Global Moderator
  • 6,684 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:06:51 PM

Posted 25 September 2014 - 01:57 PM

Whirlpool indicated that a second patch may still be to come.


The patches that have been released are being reported as being only a partial fix.

http://lcamtuf.blogspot.com.es/2014/09/quick-notes-about-bash-bug-its-impact.html

The good news yesterday that some Linux distributions shipped patches for the bug yesterday has already been tempered by the discovery that those patches only partially dealt with potential attacks. In an update overnight, Red Hat said that it was developing a new patch, however, it is still advising users to apply the incomplete one for now.

http://www.zdnet.com/first-attacks-using-shellshock-bash-bug-discovered-7000034044/

I also tried running the command in the OP in Lucid and Precise Pups, and both reported ''vulnerable.''


#12 NickAu

NickAu

    Bleepin' Fish Doctor

  • Topic Starter

  • Moderator
  • 11,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:05:51 AM

Posted 25 September 2014 - 03:23 PM

 

The vulnerability reported in the GNU Bourne Again Shell (Bash) yesterday, dubbed "Shellshock," may already have been exploited in the wild to take over Web servers as part of a botnet. More security experts are now weighing in on the severity of the bug, expressing fears that it could be used for an Internet "worm" to exploit large numbers of public Web servers. And the initial fix for the issue still left Bash vulnerable to attack, according to a new US CERT National Vulnerability Database entry.

In a blog post yesterday, Robert Graham of Errata Security noted that someone is already using a massive Internet scan to locate vulnerable servers for attack. In a brief scan, he found over 3,000 servers that were vulnerable "just on port 80"—the Internet Protocol port used for normal Web Hypertext Transfer Protocol (HTTP) requests. And his scan broke after a short period, meaning that there could be vast numbers of other servers vulnerable. A Google search by Ars using advanced search parameters yielded over two billion webpages that at least partially fit the profile for the Shellshock exploit.

 

Concern over Bash vulnerability grows as exploit reported “in the wild”

 

 

 

 

I also tried running the command in the OP in Lucid and Precise Pups, and both reported ''vulnerable.''

Time for an update.

 

For all Ubuntu based puppies (lucid, precise, raring, saucy, trusty, utopic) bash is available here:
http://packages.ubuntu.com/trusty/i386/bash/download
http://security.ubuntu.com/ubuntu/pool/main/b/bash/bash_4.3-7ubuntu1.1_i386.deb

 

.


Edited by NickAu1, 25 September 2014 - 04:22 PM.


#13 heyyou325

heyyou325

  • Members
  • 324 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:51 AM

Posted 25 September 2014 - 06:45 PM

Thanks for the heads up.  I was vulnerable on mint, av linux, and fedora.  Still am on avlinux, it wouldn't accept my root password, guess I'll reinstall it making new ones.  I got a couple of others I want to try, so I'd better keep this fix handy till I install them.



#14 NickAu

NickAu

    Bleepin' Fish Doctor

  • Topic Starter

  • Moderator
  • 11,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:05:51 AM

Posted 25 September 2014 - 11:01 PM

 

Still am on avlinux, it wouldn't accept my root password, guess I'll reinstall it making new ones.

 

You might want to try this first.

Root Password Not Working - Remastersys


Edited by NickAu1, 25 September 2014 - 11:02 PM.


#15 heyyou325

heyyou325

  • Members
  • 324 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:51 AM

Posted 26 September 2014 - 03:33 PM

Several ideas there.  I haven't used it since the middle of july, and my dil really liked it.  I think this is the first time I've been in since.  Password to enter works, but not root.  If the last one doesn't work, I'll just re- install.  I've now got more OSes than I can comfortably use, so it won't hurt if I loose a couple anyway.  5 on one machine is just too many.  My files are all in home anyway. 






1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users