Shellshock ‘Deadly serious’ new tech bug found!
This issue affects all products which use the Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.
All versions prior to those listed as updates for this issue are vulnerable to some degree.
My infected OS version is CentOS-6 and bash version 4.1.2
[root@host75 ~]# lsb_release -a
lsb_release -a
LSB Version: :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: CentOS
Description: CentOS release 6.4 (Final)
Release: 6.4
Codename: Final
[root@host75 ~]# bash --version
bash --version
GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Diagnostic Steps:
To test if your version of Bash is vulnerable to this issue, run the following command:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the output of the above command looks as follows:
vulnerable
this is a test
hmm, I got infected!
[root@host75 ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
You are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
If your system is vulnerable, update to the most recent version of the Bash package by running the following command:
$yum update bash
This fix my bash ??????
[root@host75 ~]# yum update bash
Loaded plugins: fastestmirror, security, tmprepo
Loading mirror speeds from cached hostfile
epel/metalink | 15 kB 00:00
* base: centos.eecs.wsu.edu
* epel: mirrors.kernel.org
* extras: centos.chi.host-engine.com
* updates: mirror.raystedman.net
base | 3.7 kB 00:00
epel | 4.4 kB 00:00
epel/primary_db | 6.3 MB 00:05
extras | 3.3 kB 00:00
updates | 3.4 kB 00:00
updates/primary_db | 5.3 MB 00:04
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package bash.x86_64 0:4.1.2-14.el6 will be updated
---> Package bash.x86_64 0:4.1.2-15.el6_5.1 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================================================================================
Package Arch Version Repository Size
================================================================================================================================================
Updating:
bash x86_64 4.1.2-15.el6_5.1 updates 905 k
Transaction Summary
================================================================================================================================================
Upgrade 1 Package(s)
Total download size: 905 k
Is this ok [y/N]: y
Downloading Packages:
bash-4.1.2-15.el6_5.1.x86_64.rpm | 905 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : bash-4.1.2-15.el6_5.1.x86_64 1/2
Cleanup : bash-4.1.2-14.el6.x86_64 2/2
Verifying : bash-4.1.2-15.el6_5.1.x86_64 1/2
Verifying : bash-4.1.2-14.el6.x86_64 2/2
Updated:
bash.x86_64 0:4.1.2-15.el6_5.1
Complete!
Test if update fixed to patch your bash
[root@host75 ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
How does this impact systems:
This issue affects all products which use the Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.
All versions prior to those listed as updates for this issue are vulnerable to some degree.
See the appropriate remediation article for specifics.
Functions written in Bash itself do not need to be changed, even if they are exported with “export -f”. Bash will transparently apply the appropriate naming when exporting, and reverse the process when importing function definitions.
Ref:
http://www.bbc.com/news/technology-29361794
https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability
https://access.redhat.com/articles/1200223
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://lists.gnu.org/archive/html/bug-bash/2014-09/threads.html
https://rhn.redhat.com/errata/RHSA-2014-1306.html