{"id":679,"date":"2014-09-25T23:06:44","date_gmt":"2014-09-25T23:06:44","guid":{"rendered":"https:\/\/qbytes.cloud\/?p=679"},"modified":"2014-09-25T23:06:44","modified_gmt":"2014-09-25T23:06:44","slug":"bash-security","status":"publish","type":"post","link":"https:\/\/www.qbytes.cloud\/index.php\/2014\/09\/25\/bash-security\/","title":{"rendered":"Bash Code Injection Vulnerability (Shellshock)"},"content":{"rendered":"

Products Affected:<\/h3>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Product\/Channel<\/th>\nFixed in package<\/th>\nRemediation details<\/th>\n<\/tr>\n
Red Hat Enterprise Linux 7<\/td>\nbash-4.2.45-5.el7_0.2<\/td>\nRed Hat Enterprise Linux<\/a><\/td>\n<\/tr>\n
Red Hat Enterprise Linux 6<\/td>\nbash-4.1.2-15.el6_5.1<\/td>\nRed Hat Enterprise Linux<\/a><\/td>\n<\/tr>\n
bash-4.1.2-15.el6_5.1.sjis.1<\/td>\nRed Hat Enterprise Linux<\/a><\/td>\n<\/tr>\n
bash-4.1.2-9.el6_2.1<\/td>\nRed Hat Enterprise Linux 6.2 AUS<\/a><\/td>\n<\/tr>\n
bash-4.1.2-15.el6_4.1<\/td>\nRed Hat Enterprise Linux 6.4 EUS<\/a><\/td>\n<\/tr>\n
Red Hat Enterprise Linux 5<\/td>\nbash-3.2-33.el5.1<\/td>\nRed Hat Enterprise Linux<\/a><\/td>\n<\/tr>\n
bash-3.2-33.el5_11.1.sjis.1<\/td>\nRed Hat Enterprise Linux<\/a><\/td>\n<\/tr>\n
bash-3.2-24.el5_6.1<\/td>\nRed Hat Enterprise Linux 5.6 LL<\/a><\/td>\n<\/tr>\n
bash-3.2-32.el5_9.2<\/td>\nRed Hat Enterprise Linux 5.9 EUS<\/a><\/td>\n<\/tr>\n
Red Hat Enterprise Linux 4<\/td>\nbash-3.0-27.el4.2<\/td>\nRed Hat Enterprise Linux 4 ELS<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

Check the version:<\/p>\n

[root@server]# rpm -qa | grep bash\nbash-completion-1.3-7.el6.noarch\nbash-4.1.2-15.el6_4.x86_64\n\n<\/pre>\n
Diagnostic Steps:<\/p>\n
Exploit 1 (CVE-2014-6271<\/a>)<\/h4>\n
There are a few different ways to test if your system is vulnerable to shellshock. Try running the following command in a shell.<\/p>\n
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"<\/pre>\n
If you see “vulnerable” you need to update bash<\/a>. Otherwise, you should be good to go.<\/p>\n
Exploit 2 (CVE-2014-7169<\/a>)<\/h4>\n
Even after upgrading bash you may still be vulnerable to this exploit. Try running the following code.<\/p>\n
env X='() { (shellshocker.net)=&gt;' bash -c "echo date"; cat echo ; rm -f echo<\/pre>\n
If the above command outputs the current date (it may also show errors), you are still vulnerable.<\/p>\n
Exploit 3 (???)<\/h4>\n
Here is another variation of the exploit. Please leave a comment below if you know the CVE of this exploit.<\/i><\/p>\n
env -i X=' () { }; echo hello' bash -c 'date'<\/pre>\n
If the above command outputs “hello”, you are vulnerable.<\/p>\n
Exploit 4 (CVE-2014-7186<\/a>)<\/h4>\n
bash -c 'true &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF' ||\necho "CVE-2014-7186 vulnerable, redir_stack"<\/pre>\n
A vulnerable system will echo the text “CVE-2014-7186 vulnerable, redir_stack”.<\/p>\n
Exploit 5 (CVE-2014-7187<\/a>)<\/h4>\n
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash ||\necho "CVE-2014-7187 vulnerable, word_lineno"<\/pre>\n
A vulnerable system will echo the text “CVE-2014-7187 vulnerable, word_lineno”.<\/p>\n
Run update:<\/p>\n
[root@server ~]# yum update bash\nLoaded plugins: downloadonly, fastestmirror, priorities\nLoading mirror speeds from cached hostfile\nepel\/metalink                                            |  16 kB     00:00\n * base: mirror.hmc.edu\n * epel: mirrors.solfo.com\n * extras: centos.sonn.com\n * updates: linux.mirrors.es.net\nbase                                                     | 3.7 kB     00:00\nextras                                                   | 3.3 kB     00:00\nupdates                                                  | 3.4 kB     00:00\nupdates\/primary_db                                       | 5.3 MB     00:00\n81 packages excluded due to repository priority protections\nSetting up Update Process\nResolving Dependencies\n--&gt; Running transaction check\n---&gt; Package bash.x86_64 0:4.1.2-15.el6_4 will be updated\n---&gt; Package bash.x86_64 0:4.1.2-15.el6_5.1 will be an update\n--&gt; Finished Dependency Resolution\n\nDependencies Resolved\n\n================================================================================\n Package       Arch            Version                   Repository        Size\n================================================================================\nUpdating:\n bash          x86_64          4.1.2-15.el6_5.1          updates          905 k\n\nTransaction Summary\n================================================================================\nUpgrade       1 Package(s)\n\nTotal download size: 905 k\nIs this ok [y\/N]: y\nDownloading Packages:\nbash-4.1.2-15.el6_5.1.x86_64.rpm                         | 905 kB     00:00\nRunning rpm_check_debug\nRunning Transaction Test\nTransaction Test Succeeded\nRunning Transaction\n  Updating   : bash-4.1.2-15.el6_5.1.x86_64                                 1\/2\n  Cleanup    : bash-4.1.2-15.el6_4.x86_64                                                                                                                                                        2\/2\n  Verifying  : bash-4.1.2-15.el6_5.1.x86_64                                                                                                                                                      1\/2\n  Verifying  : bash-4.1.2-15.el6_4.x86_64                                                                                                                                                        2\/2\n\nUpdated:\n  bash.x86_64 0:4.1.2-15.el6_5.1\n\nComplete!\n\n<\/pre>\n
[root@server ~]# rpm -qa | grep bash\nbash-4.1.2-15.el6_5.1.x86_64\nbash-completion-1.3-7.el6.noarch\n\n<\/pre>\n
Test after update:<\/p>\n
[root@server ~]# env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"\nbash: warning: x: ignoring function definition attempt\nbash: error importing function definition for `x'\nthis is a test\n<\/pre>\n
For Ubuntu Systems:<\/p>\n
apt-get update; apt-get install --only-upgrade bash<\/pre>\n
For Arch Linux:<\/p>\n
pacman -Sy bash<\/pre>\n
A reboot is not required after the update.<\/p>\n
Resources:<\/p>\n
https:\/\/access.redhat.com\/articles\/1200223<\/a><\/p>\n
http:\/\/www.reuters.com\/article\/2014\/09\/24\/us-cybersecurity-bash-idUSKCN0HJ2FQ20140924<\/a><\/p>\n
http:\/\/seclists.org\/oss-sec\/2014\/q3\/685<\/a><\/p>\n
http:\/\/www.vox.com\/2014\/9\/25\/6843949\/the-bash-bug-explained<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Products Affected: Product\/Channel Fixed in package Remediation details Red Hat Enterprise Linux 7 bash-4.2.45-5.el7_0.2 Red Hat Enterprise Linux Red Hat Enterprise Linux 6 bash-4.1.2-15.el6_5.1 Red Hat Enterprise Linux bash-4.1.2-15.el6_5.1.sjis.1 Red Hat Enterprise Linux bash-4.1.2-9.el6_2.1 Red Hat Enterprise Linux 6.2 AUS bash-4.1.2-15.el6_4.1 Red Hat Enterprise Linux 6.4 EUS Red Hat Enterprise Linux 5 bash-3.2-33.el5.1 Red Hat … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,102],"tags":[],"class_list":["post-679","post","type-post","status-publish","format-standard","hentry","category-administration","category-security"],"_links":{"self":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/679","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=679"}],"version-history":[{"count":0,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/679\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=679"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=679"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=679"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}