Sunday 28 September 2014

Shellshock vulnerability in bash

Shellshock is a vulnerability in GNU's bash shell that gives attackers access to run remote commands
on a vulnerable system. If your system has not updated bash in since Sun Sep 28 2014: 1:11AM EST,
you're most definitely vulnerable and have been since first boot.
    Certain services and applications allow remote unauthenticated attackers to provide environment variables,
allowing them to exploit this issue.
    The Shellshock vulnerability can be exploited on systems that are running Services or applications
that allow unauthorized remote users to assign Bash environment variables. Examples of exploitable systems
include the following:

  • Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or launch to Bash sub-shells
  • Certain DHCP clients
  • Open SSH servers that use the ForceCommand capability
  • Various network-exposed services that use Bash



There are a few different ways to test if your system is vulnerable to shellshock. Try running the following command in a shell.
 

#env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you see "vulnerable" you need to update bash. Otherwise, you should be good to go.



CentOS, Ubuntu, Linux systems
Shellshock is a vulnerability in bash. In order to patch your vulnerable system, you will need
to get the most up to date version of bash available from GNU.org.

Depending on your package manager (yum, apt-get, etc) you may be able to just run a yum update
and you'll be good to go.


Patch your system
For CentOS, Fedora, Red Hat (and the like) users, justto update it
In order to update to the most recent version of the Bash package run the following command:


you can also retrieve Bash version using any of these commands:

#rpm -q bash
#yum info bash
#yum list installed bash


If the output shows version older than 4.1.2-15.el6_5.1, you’d need upgrade bash to its most recent version. If that’s the case, then execute the following YUM command:



CentOS /RedHat  

#yum clean all; yum update bash
 
For Ubuntu Systems:
#apt-get update; apt-get upgrade;
 

For Arch Linux:
#pacman -Syu


If your package manager doesn't find an update, you will need to build bash from src.
Building From Source

#curl https://shellshocker.net/fixbash | sh
#cd ~/
#mkdir bash
#cd bash
#wget https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
#tar zxvf bash-4.3.tar.gz
#cd bash-4.3
#./configure && make && make install



Perform a system reboot [might not need a reboot] OR
if system cannot be reboot, run command

#/sbin/ldconfig

No need to reboot your system either. Rebooting may be necessary only if someone has already
taken control of your machine because of the bug.
But in such a case, you should reinstall your system

If you have a strong reason to suspect that a system was compromised by this vulnerability then
a system reboot should be performed after the update is installed as a best security practice
and security checks should be analyzed for suspicious activity.



 

Test your system 

To test your system, log into your bash shell and type:

#env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see “vulnerable” afterwards, you haven’t patched it.

If you see “this is a test”, you’re patched.


OS X 

If you're running OS X, you will need to download and compile bash yourself using brew or MacPorts.

We recommend using brew - Go to http://brew.sh/ and install brew on your system.

Once you have brew installed, run the following commands to update your system

brew update
brew install bash
sudo sh -c 'echo "/usr/local/bin/bash" >> /etc/shells'
chsh -s /usr/local/bin/bash
sudo mv /bin/bash /bin/bash-backup
sudo ln -s /usr/local/bin/bash /bin/bash


If you're using MacPorts, run the following:

sudo port self update
sudo port upgrade bash

Once you've updated, try the exploit again and report back your findings






Ref Sites :

https://access.redhat.com/articles/1200223
http://www.linuxbrigade.com/bash-shellshock-bug-find-youve-tested/
http://www.joe0.com/2014/09/24/how-to-fix-the-bash-software-bug-biggest-threat-since-heartbleed-on-fedora-centos-red-hat-scientific-linux-yellow-dog-linux-oracle-linux-systems/
https://access.redhat.com/articles/1200223
http://stevejenkins.com/blog/2014/09/how-to-manually-update-bash-to-patch-shellshock-bug-on-older-fedora-based-systems/
http://www.lynda.com/articles/shellshock-bash-exploit
http://www.engadget.com/2014/09/25/what-is-the-shellshock/
http://lists.centos.org/pipermail/centos-announce/2014-September/020593.html
http://lists.centos.org/pipermail/centos-announce/2014-September/020591.html
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
http://timesofindia.indiatimes.com/tech/tech-news/Security-experts-expect-Shellshock-software-bug-to-be-significant/articleshow/43657819.cms
https://access.redhat.com/articles/1200223

1 comment: