Shellshock


Overview
Your system is probably vulnerable if you have not updated it since Tuesday, Sep 30 2014, 1:32PM EST. A remote code execution vulnerability named “Shellshock” has been found in Bash.

Description
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.”
In simple words, Shellshock is a vulnerability found in Bash that is present on almost every Linux-based computer and device in the world. If you’ve ever used the “command line” on a Unix/Linux-like system (Linux, Mac OS X, Android), you were probably typing commands into a Bash shell. This vulnerability can be exploited in a number of ways (Apache and DHCP) that allow an attacker to run code directly on the vulnerable system.

Where does the bug occur?
The bug is found in Bash’s parsing code. There is an error in the way that Bash parses environment variables during its initialization sequence. Anything that can manipulate the environment variables has the potential to be a vector for this vulnerability.

How does it make you vulnerable?
The Bash bug allows an attacker to perform the same commands as a legitimate user. This gives a successful attacker the ability to do nearly anything that a user can do. An attacker that has access to a remote vector will be able to remotely inject Bash commands on the system without authentication.
Note that the attacker is (at least initially) limited to the privilege level of the user running the Bash instance. However, once an attacker has a foothold in your system, they have multiple options for escalating privileges and potentially gaining root access.
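The description above lists Apache mod_cgi as a vector: CGI passes request headers to the script as environment variables, so a defender can search web logs for the “() {” function-definition prefix. The script below is an added example, not part of the original page; it assumes the Apache combined log format, the names sample_log and scan_shellshock are hypothetical, and the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original page). Flags access-log entries whose
# request line, Referer or User-Agent contains "() {", the function-definition
# prefix used in the tests on this page.
# Assumptions: Apache "combined" log format; all names here are hypothetical.

# Constructed sample log (documentation-range addresses, harmless echo payload).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:03:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo vulnerable"
203.0.113.7 - - [25/Sep/2014:10:03:41 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "() { :;}; echo vulnerable" "curl/7.30.0"
198.51.100.4 - - [25/Sep/2014:10:05:13 +0000] "GET /docs/f() HTTP/1.1" 404 209 "-" "Mozilla/5.0"
EOF
}

# Usage: scan_shellshock [logfile ...]   (reads stdin when no file is given)
# Prints: client <TAB> field <TAB> requested path <TAB> HTTP status
# Exit status follows grep: 0 if at least one hit, 1 if none.
scan_shellshock() {
    awk -F'"' '
        # With " as separator: $2 = request line, $4 = Referer, $6 = User-Agent.
        # A header value containing an escaped \" would shift these fields.
        function check(name, value,    pre, req, st) {
            if (index(value, "() {") == 0) return
            split($1, pre, " ")   # pre[1] = client address
            split($2, req, " ")   # req[2] = requested path
            split($3, st, " ")    # st[1]  = status code
            printf "%s\t%s\t%s\t%s\n", pre[1], name, req[2], st[1]
            hits++
        }
        { check("request", $2); check("referer", $4); check("user-agent", $6) }
        END { exit (hits > 0 ? 0 : 1) }
    ' "$@"
}

# Demo on the constructed sample: reports the second and third lines only.
sample_log | scan_shellshock
```

A hit only shows that someone sent the marker; whether it mattered depends on whether the requested path is a CGI script that ends up invoking a vulnerable Bash.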

Which versions of Bash are affected?
Every version of Bash for the last 25 years, up to and including version 4.3, is vulnerable to the Shellshock vulnerability.

Testing for Shellshock
To test whether a system is vulnerable, you can try popping open a shell/terminal and running this command:
env X="() { :;} ; echo you might be vulnerable" /bin/bash -c "echo hello"
If “you might be vulnerable” pops up, your system has an exploitable version of Bash installed.
You could also simply run the one-liner below to find out if you’re vulnerable.
curl https://shellshocker.net/shellshock_test.sh | bash

CVE-2014-6271
Try running the following command in a shell.
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the output is “vulnerable”, you need to update Bash; otherwise you’re safe.

CVE-2014-7169
Even after upgrading bash you may still be vulnerable to this exploit. Try running the following code.
env X='() { (shellshocker.net)=>\' bash -c "echo date"; cat echo; rm ./echo
If the output of the above command is the current date (it may also show errors), you’re still vulnerable.
Another variation of the exploit.
env X=' () { }; echo hello' bash -c 'date'
If the output is “hello”, you are vulnerable.

CVE-2014-7186
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ||
echo "CVE-2014-7186 vulnerable, redir_stack"
A vulnerable system will echo the text “CVE-2014-7186 vulnerable, redir_stack”.

CVE-2014-7187
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash ||
echo "CVE-2014-7187 vulnerable, word_lineno"
A vulnerable system will echo the text “CVE-2014-7187 vulnerable, word_lineno”.

CVE-2014-6278
shellshocker='() { echo You are vulnerable; }' bash -c shellshocker
If you’re patched, you will see “bash: shellshocker: command not found”.

CVE-2014-6277
bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
If the command output is “vulnerable”, you are vulnerable.

How do I protect myself?
In order to patch your vulnerable system, you will need to get the most up to date version of bash available from GNU.org.
Depending on your package manager (yum, apt-get, etc.), you may be able to just run a yum update and you’ll be good to go.

CentOS, Ubuntu, Linux systems
yum update bash -y

For Ubuntu Systems:
apt-get update; apt-get install --only-upgrade bash

For Arch Linux:
pacman -Syu

Note: The patches available from bash are not yet 100% issue free. It’s highly recommended that you still update your system and patch bash, even if it only fixes the first few exploits on your system. Please check back occasionally for updates; we will keep this page up to date with the latest patches available.
