Bash bug can let others take over your computer

[viking60]

RedHat has discovered a weakness in Bash and the way it treats variables.
This weakness allows code injection attacks.

the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked

This has been a part of bash all the time so this has been possible all the time.

There are no known examples of this having been exploited.
But considering that most routers are using Linux and that most "state security agencies" wants to control the internet; this has probably already been (ab)used by ISP's to assist the police and national security agencies.

Now this will be patched and that will take care of Desktop Linux users, Servers and Mac OSX users.

To see if your system is vulnerable
you can run this code

Code: Select all

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

It will produce:

Code: Select all

vulnerable
this is a test

After your system has been patched it will produce something like:

Code: Select all

bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

The "internet of things" where your refrigerator and you surveillance camera is hooked up to the internet or your Tesla Electric car which can be remote controlled by a smartphone App: is another matter...
It depends on when and if the software gets updated.

If your cameras, cars,TV's, light-switches, or refrigerators are not hooked up to the internet there is nothing to worry about.

more here

[viking60]

On my Centos 6,5 I did a:

Code: Select all

sudo yum update

And after that it was patched

Code: Select all

viking@centos6> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

So even if it has problems starting the network there are good reasons to use Centos since RedHat do have their back.
Debian confirms it's reliability too; after the update it was patched
Mageia is patched too So they are keeping their credibility as a server distro

Manjaro is not patched yet (but it is in the unstable and testing repos so it will come shortly), neither is Arch who is also/mainly working on it...

This is one of the rare occasions where Arch is not the first.

[viking60]

It turns out that the patch is incomplete so we are not in the clear yet:

Red Hat has become aware that the patches shipped for this issue are incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. For details on a workaround, see: https://access.redhat.com/articles/1200223

And did I mention that this affects "clouds" too? You know those things in the sky that Microsoft Apple and IBM swear that you can trust?

viewtopic.php?f=3&t=3437&p=19105&hilit=clouds#p19105

The attention this is getting will make this bug relatively "harmless" though. If someone injects code; they can be traced and caught so with the attention this has at the moment - that would be an incredibly stupid move.

The press will be feasting on "huge threat" and "worse than WW2" headlines though - and make a nice buck out of this
It looks very dangerous and official here.

With some phantasy it is possible to create some dark scenarios here so they can keep at it for a few days; at which point this weakness will be fixed.

Those RedHat guys are pretty clever...

https://bugzilla.redhat.com/show_bug.cgi?id=1146319

PS SInce I started writing this thread; both Arch and Manjaro are patched with the original patch too.
So the Linux world is reacting - fast

[Snorkasaurus]

EDIT: Bah! Too soon. See link here.

Thanks v60! I can confirm that

Code: Select all

apt-get update
apt-get upgrade

works on Debian Wheezy.

S.

[viking60]

Yes Debian is rock solid.
Why don't you use aptitude - that is the Debian standard I believe?

[Snorkasaurus]

Why don't you use aptitude - that is the Debian standard I believe?

Mostly habit I guess. I don't know of any significant advantage to aptitude, though there may be one/some. They both come with the default install of Debian and my understanding is that aptitude is really just a front end for apt-get anyways.
S.

[viking60]

Yes I think that is correct.

Regarding this Shellshock bug in bash I must admit that it is/was (depending on what vulnerabilities were left after the patch) pretty serious.
It is super easy to exploit so any script kid can mess around with it.
If

Code: Select all

env -i X=' () { }; echo hello' bash -c 'date'

shows "hello" then there still is a vulnerability.

If

Code: Select all

env var='() {(a)=>\' bash -c "echo date"; cat echo

shows the date there still is a vulnerability.

Manjaro Debian and Arch seem to be in the clear...

[Snorkasaurus]

Yeppers... even after an apt-get upgrade I am still getting

Code: Select all

date
Sat Sep 27 18:53:39 EDT 2014

on the second one on Wheezy.

S.

[viking60]

That is strange.
It must be a matter of mirrors not being synced all over the globe - it is OK here
I have Debian 7 (wheezy).
Do the apt-get update and upgrade thing often - I bet there will be a Bash update soon...
My Bash version:

Code: Select all

vikingd@debianvb:~$ bash --version
GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


And here is my output - no date there.

Code: Select all

viking@debianvb:~$ env var='() {(a)=>\' bash -c "echo date"; cat echo
date
cat: echo: No such file or directory


I do have Apache and PHP installed and running.

I do get the date in Manjaro and Arch though checking Centos...

Centos 6.5 is good

The original shellshock - now patched - in most distros - has already been tried in an attack

One sample is a repurposed IRC bot written in Perl that is trying to build a botnet to be used in distributed denial of service attacks (DDoS), said Jaime Blasco, director of AlienVault Labs. So far, he said, there are 715 victims and there are phrases written in Romanian in the source code. -

See more here

[Snorkasaurus]

Strange...

Code: Select all

GNU bash, version 4.2.37(1)-release (i486-pc-linux-gnu)

and mine still gives the date.

All I really have on mine is dnsmasq and asterisk.

S.

[viking60]

Hmm
Here is my inxi -r

Code: Select all

viking@debianvb:~$ inxi -r
Repos:     Active apt sources in file: /etc/apt/sources.list
           deb http://ftp.no.debian.org/debian/ wheezy main
           deb-src http://ftp.no.debian.org/debian/ wheezy main
           deb http://security.debian.org/ wheezy/updates main
           deb-src http://security.debian.org/ wheezy/updates main
           deb http://ftp.no.debian.org/debian/ wheezy-updates main
           deb-src http://ftp.no.debian.org/debian/ wheezy-updates main
           deb http://download.webmin.com/download/repository sarge contrib
           deb http://debian.saltstack.com/debian wheezy-saltstack main


I kind of doubt that yours is much different though. So this is a mystery.
This vulnerability is not as grave as the original shellshock this one is the backshlash bug so you need not worry to much.

[Snorkasaurus]

I don't have inxi on my box(es) but I am essentially only using cdn.debian.net and security.debian.org on mine. I was kind of wondering if your x64 difference had anything to do with it.

S.