Find / Patch Shellshock Bash Bug in RedHat / CentOS, Fedora & Ubuntu

September 28, 2014

Stephane Chazelas recently discovered a very serious security bug in the GNU Bourne Again Shell (Bash) that allows attackers to exploit a machine by executing code remotely. Shellshock (the name for this security bug) can cause serious problems for your system because it makes it possible to trick bash into running a program that it wasn't supposed to.

According to a Red Hat security advisory, this issue is very dangerous because it lets attackers take control of every networked device that runs bash if they manage to exploit the vulnerability. Since many web servers rely on the bash shell to execute scripts for performing their tasks, there is a very high probability that they will be targeted by attackers who want to steal data, take down sites or take over databases.

What is a bash shell

The Bash shell, known as the Bourne Again Shell, was invented by Brian Fox with the purpose of replacing the Bourne Shell on Unix systems. A command shell is used to help the user or administrator of a system run programs, automate tasks and write scripts. A very good thing about the Bash shell is that you can interactively type commands in it and wait for the output. For example, when you type the command ls in your terminal, it lists all the files and folders inside the current working directory.

Like many other Unix shells, Bash supports piping, filename wildcarding, variables, command substitution and iteration, and it has a very nice feature called history, which keeps track of the commands you use during your work with the shell.

Who is vulnerable to the Shellshock bug?

I am sorry to say it, but if your system makes use of the Bash shell it is for sure vulnerable to the Shellshock security bug. I should also mention that Robert Graham has posted a picture on Twitter showing his Mac OS X system being vulnerable to the Shellshock security bug.

After some requests made in comments by his followers, he later replied that tcsh, ksh, sh, and zsh on Mac OS X are all vulnerable to the bash bug.

How to find if your system is vulnerable to the Shellshock bug

Finding out whether your system is vulnerable to this serious security bug, which can allow attackers to exploit your machine, is not hard. It is not trivial for beginners either, so make sure you read the following steps carefully.

1. Open a terminal on your machine (CTRL+ALT+T in Ubuntu).

2. Once the terminal is open, copy and paste the following command. You do not need to be a superuser to execute it.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If your system is vulnerable to the Shellshock security bug you will see the following output printed on your screen after executing the above command.

vulnerable
this is a test

Otherwise, an unaffected (or patched) system will print the following output.

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

How does Shellshock work

The Shellshock security bug takes advantage of environment variables in Bash, which are used to pass specific values into invoked instances of bash. In an unpatched version of the bash shell, one can easily add arbitrary commands after the environment variable definition, and the system will execute these commands. It looks easy, and in fact it is. According to security researchers, this vulnerability is not a complex one; it is very easy to exploit.

Attackers can execute any command they want by passing their commands after the environment variable's definition and take control of the system.

Updates

There is not yet a fully effective update for this serious bug in Bash, but many Linux distributions such as Fedora, Ubuntu (10.04 LTS, 12.04 LTS and 14.04 LTS) and Debian have made patched versions of Bash available for users to download.

In order to fix the Shellshock vulnerability on your Ubuntu or Debian machine, you need to update to the latest version via apt-get.

sudo apt-get update && sudo apt-get install --only-upgrade bash

CentOS, Red Hat and Fedora users can easily update to the latest version of bash by using the following command.

sudo yum update bash

Note: According to Red Hat, the current fix is incomplete, but users are urged to install the latest package, dated 28th September 2014 1:46 PM.

Once the bash shell on your system is updated, make sure to check your system again by running the command from the previous section. No reboot is required after patching, as new processes will use the new code, but if the system uses exported bash functions, restarting the affected services is recommended.

Find the PIDs of the processes that use old exported functions, then use ps -axuf, pstree -p or systemctl status <PID> to find the process name. You can then restart that particular service.

$ grep -l -z '[^)]=() {' /proc/[1-9]*/environ | cut -d/ -f3
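One way to turn the PID list above into PID and command-name pairs, as an added example that is not from the original article or from Red Hat. `list_old_exports`, `make_sample_proc` and the optional root-directory argument are names chosen for this example; it goes slightly beyond the one-liner by also skipping the `BASH_FUNC_name%%` form that upstream-patched bash uses for exports, which the pattern above would report.

```sh
#!/bin/sh
# Added example. list_old_exports [PROC_ROOT] prints "PID<TAB>command" for
# every process whose environment holds an old-style exported function.
list_old_exports() {
    root=${1:-/proc}
    for envfile in "$root"/[1-9]*/environ; do
        # Unreadable entries belong to other users; run as root to see all.
        [ -r "$envfile" ] || continue
        # environ is NUL-separated NAME=VALUE records (-z). Select records
        # whose value starts with "() {", then drop names that start with
        # BASH_FUNC_, the prefix patched bash builds use for real exports.
        LC_ALL=C grep -a -z '^[^=]*=() {' "$envfile" 2>/dev/null |
            LC_ALL=C grep -a -z -q -v '^BASH_FUNC_' || continue
        dir=${envfile%/environ}
        pid=${dir##*/}
        name=$(cat "$dir/comm" 2>/dev/null) || name=
        printf '%s\t%s\n' "$pid" "${name:-unknown}"
    done
}

# Constructed sample tree for a dry run: PID 101 holds an old-style export,
# PID 102 only patched-style ones, PID 103 none. Prints the directory path.
make_sample_proc() {
    t=$(mktemp -d) || return 1
    mkdir "$t/101" "$t/102" "$t/103"
    printf 'PATH=/bin\000x=() { :;}\000' > "$t/101/environ"
    printf 'BASH_FUNC_x()=() { :;}\000BASH_FUNC_y%%%%=() { :;}\000' \
        > "$t/102/environ"
    printf 'PATH=/bin\000HOME=/root\000' > "$t/103/environ"
    for p in 101 102 103; do echo "svc$p" > "$t/$p/comm"; done
    echo "$t"
}
```

Run `list_old_exports` with no argument to scan the live `/proc`, or pass the directory printed by `make_sample_proc` to try it on the constructed tree first.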

Robert Graham's piece on the obsolete code in bash is an interesting read.

Red Hat update, dated 29th September: CVE-2014-7169 fix

Red Hat suggests running the command below to check for the Shellshock bug:

env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

If you see the output below, you are open to the Shellshock bug:

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test

If you see something like the output below, the code is still vulnerable to another issue (CVE-2014-7169) that was found after the Shellshock bug was introduced:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash: error importing function definition for `BASH_FUNC_x()'
test

The output below shows that you are all good:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test

Next, check whether you have the "CVE-2014-7169" issue:

cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

You are affected if the output looks like the one below, with your system date printed:

bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014

You are safe from the "7169" issue if you see the following:

date
cat: /tmp/echo: No such file or directory
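The two Red Hat probes above combined into one function, as an added example that is not part of the original article or of Red Hat's advisory. `check_bash` and its result strings are names chosen here; the second probe runs in a private `mktemp` directory instead of the shared `/tmp` used above.

```sh
#!/bin/sh
# Added example. Usage: check_bash [path-to-bash]  (default: bash from PATH)
# Prints one verdict line; returns 0 if patched, 1 if vulnerable, 2 on error.
check_bash() {
    bash_bin=${1:-bash}
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "error: $bash_bin not found"
        return 2
    fi

    # Probe 1 (CVE-2014-6271): a vulnerable bash runs the command that
    # trails the function definition, so "vulnerable" appears on stdout.
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              "$bash_bin" -c 'echo test' 2>/dev/null) || :
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo 'vulnerable: CVE-2014-6271'
        return 1
    fi

    # Probe 2 (CVE-2014-7169): a vulnerable bash writes a file named "echo"
    # into the working directory. Run it in a private directory rather than
    # the shared /tmp, so no other user can pre-create or replace that path.
    work=$(mktemp -d) || return 2
    ( cd "$work" && env 'x=() { (a)=>\' "$bash_bin" -c 'echo date' ) \
        >/dev/null 2>&1 || :
    if [ -e "$work/echo" ]; then
        verdict='vulnerable: CVE-2014-7169'
    else
        verdict='patched'
    fi
    rm -rf "$work"

    echo "$verdict"
    [ "$verdict" = patched ]
}
```

Because the return code is non-zero for a vulnerable binary, the function can gate a configuration-management run or a post-update check directly.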

Note: If you updated bash two days ago, it may be good to update again :-)

Dated 01st October 2014 - Bash 4.2.051 has been released, which addresses a buffer overflow issue.

FYI: Rob Fuller (mubix) has started collecting proof-of-concept code on GitHub that can be used to exploit Shellshock, and it has exploits against DHCP, SSH, OSX, SIP, Qmail, Pure-FTPd, OpenVPN and Oracle.


Comments (1)


  1. marianc says:

    export badvar='() { :;}; echo vulnerable'
    bash -c "echo I am an innocent sub process in '$BASH_VERSION'"
