Shellshock - Bash Code Injection Vulnerability (CVE-2014-6271)


Security researchers from Red Hat have uncovered a new vulnerability in the common "Bash" command shell found in OS X, Linux, AIX and many other *nix platforms, which can be used to deploy malicious code with minimal effort. Due to the ubiquity of the Bash shell, it can also affect a wide variety of web-connected devices and properties, including unsecured websites, smart home appliances, servers, and more.

As mentioned above, this vulnerability is not limited to one platform, but at the same time it does not affect the average consumer: even if they have "bash" on their computers, they do not use it in a way that exposes the vulnerability. Unless you are using your computer as a server that accepts commands from untrusted sources (web servers, for example), and then only if it sets environment variables based on commands from those untrusted sources, you do not have to worry about it.

For those familiar with the shell, there is an easy test to determine whether a Linux or Unix system is vulnerable:

env x='() { :;}; echo Bash is vulnerable!' bash -c "echo PS: this is just a test..."

If the system is vulnerable, the output will be:

fmbpro:~ florian$ env x='() { :;}; echo Bash is vulnerable!' bash -c "echo PS: this is just a test..."
Bash is vulnerable!
PS: this is just a test...

An unaffected (or patched) system will output:

fmbpro:~ florian$ env x='() { :;}; echo Bash is vulnerable!' bash -c "echo PS: this is just a test..."
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
PS: this is just a test...

If you want to know more and find workarounds for various applications, visit the Red Hat article: https://access.redhat.com/articles/1200223

Below is an official letter sent to many IT companies from The Red Hat Product Security Team:
Red Hat Product Security has been made aware of a vulnerability affecting all versions of the Bash package shipped with Red Hat Enterprise Linux. Since many of Red Hat's products run on a base installation of Red Hat Enterprise Linux, there is a risk of other products being impacted by this vulnerability as well.

The Bash Code Injection Vulnerability CVE-2014-6271 could allow for arbitrary code execution, allowing an attacker to bypass imposed environment restrictions. Certain services and applications allow remote unauthenticated attackers to exploit this vulnerability by providing environment variables. As the Bash shell is the most commonly used shell today, the risk of impact from this vulnerability if left unchecked could be severe.

To learn more about affected products, remediation steps, and testing your Bash version for vulnerabilities, see https://access.redhat.com/articles/1200223 in the Red Hat Customer Portal.

[UPDATE 29.09]:

1. A patched Bash version is provided in the AIX Linux Toolbox (VIOS should not have bash installed, but if it was installed, that bash package should be patched too): http://www-03.ibm.com/systems/power/software/aix/linux/toolbox/alpha.html
PS: it is possible that the Linux Toolbox does not yet have the latest bash version. In this case, please follow the extra instructions in point 1a below.

2. Another popular packaging is the one done by the Perzl site, especially for 7.1 where you do not have toolbox rpms yet: http://www.perzl.org/aix/index.php?n=Main.Bash or http://www.perzl.org/aix

3. Bull freeware: http://www.bullfreeware.com/affichage.php?id=2090

4. Mac OS X can be patched via MacPorts (for Apple packages, see point 4a below) with the command sudo port upgrade bash. More MacPorts commands here: http://tar.gz.ro/macports-commands.html. Homebrew and Fink should also have the updated bash version.
After you upgrade or install bash, make sure the default one also points to the patched version:

osx:bash-fix root# ls -la /bin/bash
-r-xr-xr-x  1 root  wheel  1333920 Nov 14  2013 /bin/bash
osx:bash-fix root# env x='() { :;}; echo Bash is vulnerable!' /bin/bash -c "echo PS: this is just a test..."
Bash is vulnerable!
PS: this is just a test...
osx:bash-fix root# rm /bin/bash
osx:bash-fix root# ln -s /opt/local/bin/bash /bin/bash
osx:bash-fix root# env x='() { :;}; echo Bash is vulnerable!' /bin/bash -c "echo PS: this is just a test..."
PS: this is just a test...

PS: if you do not have a bash package provided by a 3rd party, you have to install one in order to fix the vulnerability. Below is a MacPorts example:

osx:~ root# env x='() { :;}; echo Bash is vulnerable!' bash -c "echo PS: this is just a test..."
Bash is vulnerable!
PS: this is just a test...
osx:~ root# port -v upgrade bash
Error: bash is not installed
osx:~ root# port -v install bash
[...]
--->  Cleaning bash
--->  Removing work directory for bash
--->  Updating database of binaries
--->  Scanning binaries for linking errors
--->  No broken files found.
osx:~ root# env x='() { :;}; echo Bash is vulnerable!' bash -c "echo PS: this is just a test..."
PS: this is just a test...
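
As an added example (not part of the original post), the same test can be run against every bash binary on a host in one pass, which catches the case shown above where a patched bash is installed but /bin/bash is still the old one. The function names, the sentinel handling and the list of paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: apply the page's CVE-2014-6271 test to several bash binaries.
MARKER='Bash is vulnerable!'            # printed only if the injected code ran
SENTINEL='PS: this is just a test...'   # printed by the legitimate -c command

# classify_output TEXT: interpret the combined stdout of one probe run.
classify_output() {
    case "$1" in
        *"$MARKER"*)   echo VULNERABLE ;;  # trailing code after the function body executed
        *"$SENTINEL"*) echo patched ;;     # only the intended command ran
        *)             echo unknown ;;     # binary did not behave like a shell
    esac
}

# check_bash PATH: run the probe against one binary and classify the result.
check_bash() {
    if [ ! -x "$1" ]; then
        echo missing
        return 0
    fi
    # stderr is dropped: patched versions may print an import warning there.
    out=$(env x="() { :;}; echo $MARKER" "$1" -c "echo $SENTINEL" 2>/dev/null) || true
    classify_output "$out"
}

# Paths taken from the page (/bin/bash, MacPorts' /opt/local/bin/bash),
# plus whichever bash comes first on PATH.
for b in /bin/bash /opt/local/bin/bash "$(command -v bash 2>/dev/null || true)"; do
    [ -n "$b" ] || continue
    printf '%-24s %s\n' "$b" "$(check_bash "$b")"
done
```

Any line reporting VULNERABLE names a binary that still needs to be replaced or re-pointed, as done with the symlink above.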

[UPDATE 30.09]:

1a. This is for AIX in case Linux ToolBox is not updated with the latest bash version.
Download link for AIX 6.1 and above: ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/bash/bash-4.2-2.aix6.1.ppc.rpm
Optional documentation download: ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/bash/bash-doc-4.2-2.aix6.1.ppc.rpm
To install, as root, execute the command: rpm -hUv bash-4.2-2.aix6.1.ppc.rpm
Optionally install documentation: rpm -hUv bash-4.2-2.aix6.1.ppc.rpm bash-doc-4.2-2.aix6.1.ppc.rpm
Download link for AIX 5.3: ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/bash/bash-4.2-2.aix5.3.ppc.rpm
Optional documentation download: ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/bash/bash-doc-4.2-2.aix5.3.ppc.rpm

4a. Apple today released OS X bash update 1.0 for OS X Mavericks to fix a vulnerability in the bash UNIX shell. Along with the fix for OS X Mavericks, Apple has released updates for both OS X Lion and OS X Mountain Lion. There is no Yosemite download available as of yet, but Apple may be planning to issue a fix in the near future. The three updates are available via Apple's support pages and should be available via the Software Update tool soon. More info on the Apple website:
https://support.apple.com/kb/DL1769 - Mavericks (10.9.5 and above)
https://support.apple.com/kb/DL1768 - Mountain Lion (10.8.5)
https://support.apple.com/kb/DL1767 - Lion (10.7.5)

A good link explaining the vulnerability: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
