View previous topic :: View next topic |
Author |
Message |
Ansy Member
Joined: 24 Feb 2011 Posts: 42 Location: RUSSIA
|
Posted: Fri Sep 26, 2014 8:18 am Post subject: Caution! bash Shellshock vulnerability! |
|
|
http://www.kb.cert.org/vuls/id/252743
Quote: | GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169)
A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system. |
When will be fix available for SMS? _________________ In CODe we TRUST! |
|
Back to top |
|
Ansy Member
Joined: 24 Feb 2011 Posts: 42 Location: RUSSIA
|
|
Back to top |
|
asphyx Junior Member
Joined: 27 Sep 2012 Posts: 6
|
Posted: Fri Sep 26, 2014 12:15 pm Post subject: |
|
|
Code: | uname -a
Linux test2 3.4.55-smp #2 SMP Mon Jul 29 09:38:51 EEST 2013 i686 AMD Athlon(tm) II X2 250 Processor AuthenticAMD GNU/Linux |
Code: | date
Fri Sep 26 10:11:03 EEST 2014 |
Code: | cat /etc/slackware-version
Slackware 14.0 |
How to test the system ?
Code: | env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
busted
stuff |
Code: | wget -c ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bash-4.2.048-i486-2_slack14.0.txz |
Code: | upgradepkg bash-4.2.048-i486-2_slack14.0.txz |
After upgrading !!!
Code: | env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
/bin/sh: warning: X: ignoring function definition attempt
/bin/sh: error importing function definition for `X'
stuff |
|
|
Back to top |
|
gerasimos_h Site Admin
Joined: 09 Aug 2007 Posts: 1757 Location: Greece
|
Posted: Fri Sep 26, 2014 5:59 pm Post subject: |
|
|
I'm rebuilding repos and uploading new bash packages in a few minutes...
No need to downgrade bash as slackware's current (bash-4.3) will do as well, SMS use those anyway...
Sorry for the delay...
p.s. there wil be a second update today with other packages as well...
gerasimos_h _________________ Superb! Mini Server Project Manager
http://sms.it-ccs.com |
|
Back to top |
|
Ansy Member
Joined: 24 Feb 2011 Posts: 42 Location: RUSSIA
|
Posted: Sat Sep 27, 2014 11:19 am Post subject: |
|
|
gerasimos_h, thanks!
slapt-get --update
slapt-get --upgrade
... all done!
I wonder what services are vulnerable in SMS by this bug... may be Webmin, phpMyAdmin, rtorrent or something else? _________________ In CODe we TRUST! |
|
Back to top |
|
gerasimos_h Site Admin
Joined: 09 Aug 2007 Posts: 1757 Location: Greece
|
Posted: Sat Sep 27, 2014 2:16 pm Post subject: |
|
|
Probably none, since there is no shell access anyway, on those services...
gerasimos_h _________________ Superb! Mini Server Project Manager
http://sms.it-ccs.com |
|
Back to top |
|
asphyx Junior Member
Joined: 27 Sep 2012 Posts: 6
|
|
Back to top |
|
gerasimos_h Site Admin
Joined: 09 Aug 2007 Posts: 1757 Location: Greece
|
Posted: Tue Sep 30, 2014 2:09 pm Post subject: |
|
|
Already available in SMS repos, although, I don't want to sound too naive but in our case,"shellshock", i dare to say, it's not something serious...
Even if you take it as a local root exploit, (ain't though) even a user can't get root access or access non permissive locations...
Apache or nobody users, for instance don't have shell access, so no problem either...
Its just that in linux community we take security issues serious, and we should anyway...
gerasimos_h _________________ Superb! Mini Server Project Manager
http://sms.it-ccs.com |
|
Back to top |
|
jeffshultz Junior Member
Joined: 11 Oct 2014 Posts: 2
|
Posted: Sat Oct 11, 2014 6:35 am Post subject: Still vulnerable? |
|
|
I see from shellshocker.net that Bash is now up to Patch 30 or so... and when I run their shell based vulnerability test I come up vulnerable for the redir_stack bug (CVE-2014-7186):
root@newmail:/etc/mail# curl https://shellshocker.net/shellshock_test.sh |bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2627 100 2627 0 0 6658 0 --:--:-- --:--:-- --:--:-- 7119
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
bash: line 50: 19389 Segmentation fault bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
Are you going to be posting Bash 4.3.30 sometime in the near future? I'm leaving my webserver off and outside SSH access blocked in the meantime. Attempting to patch up to .30 using their script flat out doesn't work.
--
Jeff Shultz |
|
Back to top |
|
gerasimos_h Site Admin
Joined: 09 Aug 2007 Posts: 1757 Location: Greece
|
Posted: Sat Oct 11, 2014 1:39 pm Post subject: |
|
|
I'll provide bash updates later today along with other packages...
No need for shutdown apache though as apache don't have shell access, and if you don't have other local users with shell access no need to shutdown ssh either...
gerasimos_h _________________ Superb! Mini Server Project Manager
http://sms.it-ccs.com |
|
Back to top |
|
jeffshultz Junior Member
Joined: 11 Oct 2014 Posts: 2
|
Posted: Sat Oct 11, 2014 9:41 pm Post subject: |
|
|
Thanks - I'm very glad to hear that! |
|
Back to top |
|
|