New Exploit Vulnerability: CVE-2014-6271

A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux. The vulnerability has the CVE identifier CVE-2014-6271 and has been given the name Shellshock by some:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

An advisory from Akamai explains the problem in more depth, as does this OSS-Sec mailing list post.

How to check?

You can check whether you’re vulnerable by running the following lines in your default shell, which on many systems will be Bash. If you see the word “busted”, then you’re at risk. If not, then either your Bash is fixed or your shell is another interpreter.

env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"

Or run this command in the default shell:

$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If the output includes the word “vulnerable”, you’re at risk.
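
A scripted version of the check above, as an added example rather than code from the original post: it runs the same probe against /bin/sh, the bash found on PATH, and the sh/bash entries in /etc/shells, and classifies each one. The function names, the MARKER variable and the result labels are choices made for this example.

```shell
#!/bin/sh
# Added example: scripted form of the CVE-2014-6271 check shown above.
MARKER="busted"   # word the probe prints only on a vulnerable Bash

# classify_output TEXT -> vulnerable | not-vulnerable | inconclusive
classify_output() {
    case "$1" in
        *"$MARKER"*) echo "vulnerable" ;;      # trailing command was executed
        *completed*) echo "not-vulnerable" ;;  # only the intended command ran
        *)           echo "inconclusive" ;;    # shell did not run the probe at all
    esac
}

# probe_shell PATH -> missing, or the classification of that shell's output
probe_shell() {
    if [ ! -x "$1" ]; then
        echo "missing"
        return 0
    fi
    # Same probe as in the post: a function definition with a trailing command.
    # stdin comes from /dev/null so the probe cannot eat the caller's input.
    probe_out=$(env X="() { :;} ; echo $MARKER" "$1" -c "echo completed" \
        2>/dev/null </dev/null) || true
    classify_output "$probe_out"
}

# audit_shells: one "path<TAB>result" line per candidate shell
audit_shells() {
    {
        echo /bin/sh
        command -v bash || true
        # Assumption: login shells are listed in /etc/shells; only sh/bash are probed.
        if [ -r /etc/shells ]; then
            grep -E '^/.*/(ba)?sh$' /etc/shells || true
        fi
    } | sort -u | while read -r candidate; do
        printf '%s\t%s\n' "$candidate" "$(probe_shell "$candidate")"
    done
}

audit_shells
```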

Patch:

This vulnerability affects Apple’s OS X – and is useful for privilege escalation – as well as Debian and other Linux distributions. Fortunately, patches are already available: http://seclists.org/oss-sec/2014/q3/650

Patch your systems ASAP!

Support List:

  1. Novell/SuSE
  2. Debian
  3. Ubuntu
  4. Mint
  5. Red Hat/Fedora
  6. Mageia
  7. CentOS

After patching my system (Ubuntu 12.04 LTS):
ShellShock