Shellshock’d CVE-2014-6271 and CVE-2014-7169

Much like Heartbleed before it, if you operate in the open source world you have probably heard about Shellshock by now and dedicated a large portion of the last 24 hours to trying to mitigate it. In the unlikely event that you somehow missed the massive bash security vulnerability, you can find more information here:

http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html

The TL;DR version of the bug is that any application that allows a remote entity to populate an environment variable allows the attacker to execute a bash function on the target server. You can test for the vulnerability by running:

env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"

If you are vulnerable you will get the below output:

vulnerable
this is a test

If you are not vulnerable you will get the following output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

You can find a list of patches for various distros in the earlier mentioned articles for CVE-2014-6271. When it rains it pours, though: in under half a day that patch was re-broken, and thus we have a new vulnerability:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

Which you can test yourself with the following commands/output:

jsm@host ~ $ env X='() { function a a>' bash -c echo
bash: X: line 1: syntax error near unexpected token `a'
bash: X: line 1: `'
bash: error importing function definition for `X'
jsm@host ~ $ ls echo
echo

In this instance, when the env var is set, bash writes out to a file (here, one named echo in the current directory). And just as I was about to hit Publish saying “There is no fix at this time”, a patch came down for my Mint box with what appears to be the following changes: https://launchpadlibrarian.net/185730793/bash_4.3-6ubuntu1_4.3-7ubuntu1.2.diff.gz

Edit: Well, I still seem to be able to run the above exploit, so I’m not sure that the patch has solved the issue. There is still no official fix from the Bash team.

Edit2: Patched! Updates away!

jsm@host ~ $ env X='() { function a a>' bash -c echo
bash: X: line 1: syntax error near unexpected token `a'
bash: X: line 1: `'
bash: error importing function definition for `X'
jsm@host ~ $ ls echo
jsm@host - $
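
The two tests above can be wrapped into one repeatable check. This is an added example, not part of the original post: the function names and the scratch-directory handling are assumptions of this example. The CVE-2014-7169 probe runs in an empty temporary directory so that an echo file left over from an earlier run cannot produce a false positive.

```shell
#!/bin/sh
# Added example, not from the original post. Each function takes the
# absolute path of the bash binary to probe and prints a verdict.
# Exit status: 0 = not vulnerable, 1 = vulnerable, 2 = cannot test.

# Hypothetical helper: require an absolute path to an executable file.
usable() {
    case $1 in /*) [ -x "$1" ] ;; *) false ;; esac
}

# CVE-2014-6271: a vulnerable bash runs the command that trails the
# function body while importing the variable, so "vulnerable" appears
# on stdout before the requested command's own output.
check_6271() (
    usable "$1" || { echo "cannot run: $1" >&2; exit 2; }
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" 2>/dev/null)
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo "vulnerable"; exit 1
    fi
    echo "not vulnerable"
)

# CVE-2014-7169: a vulnerable bash leaves a file named "echo" in the
# working directory. Probe inside a scratch directory so a stale file
# cannot cause a false positive and nothing is left behind.
check_7169() (
    usable "$1" || { echo "cannot run: $1" >&2; exit 2; }
    work=$(mktemp -d) || exit 2
    cd "$work" || exit 2
    env X='() { function a a>' "$1" -c echo >/dev/null 2>&1
    if [ -e echo ]; then verdict="vulnerable"; else verdict="not vulnerable"; fi
    cd / && rm -rf "$work"
    echo "$verdict"
    [ "$verdict" = "not vulnerable" ]
)

# Usage: sh shellshock_check.sh /bin/bash
if [ $# -ge 1 ]; then
    printf 'CVE-2014-6271: %s\n' "$(check_6271 "$1")"
    printf 'CVE-2014-7169: %s\n' "$(check_7169 "$1")"
fi
```

Run it once per bash binary on the host (for example a distro package and a locally built copy), since each one has to be patched separately.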