[Server-devel] Fixing the Shellshocker bash exploit on the old FC9 based XS 0.6

Anna aschoolf at gmail.com
Fri Sep 26 19:38:52 EDT 2014


I think my XS 0.6 is all patched now, at least for the current known
vulnerabilities.  Here's my current bash version, making sure it got
updated everywhere:

[root at schoolserver ~]# bash --version
GNU bash, version 4.3.26(1)-release (i686-pc-linux-gnu)

[root at schoolserver ~]# /bin/bash --version
GNU bash, version 4.3.26(1)-release (i686-pc-linux-gnu)

[root at schoolserver ~]# /usr/local/bin/bash --version
GNU bash, version 4.3.26(1)-release (i686-pc-linux-gnu)

[root at schoolserver ~]# /bin/sh --version
GNU bash, version 4.3.26(1)-release (i686-pc-linux-gnu)


The tests (pasted from the shellshocker.net site) and my results:

**********************************
Exploit 1 (CVE-2014-6271)

There are a few different ways to test if your system is vulnerable to
shellshock. Try running the following command in a shell.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see "vulnerable" you need to update bash. Otherwise, you should be
good to go.

-----------------
[root at schoolserver ~]# env x='() { :;}; echo vulnerable' bash -c "echo this
is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

**********************************
Exploit 2 (CVE-2014-7169)

Even after upgrading bash you may still be vulnerable to this exploit. Try
running the following code.

env X='() { (a)=>\' bash -c "echo date"; cat echo ; rm -f echo

If the above command outputs the current date (it may also show errors),
you are still vulnerable.

-----------------
[root at schoolserver ~]# env X='() { (a)=>\' bash -c "echo date"; cat echo ;
rm -f echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
date
cat: echo: No such file or directory

**********************************
Exploit 3 (???)

Here is another variation of the exploit. Please leave a comment below if
you know the CVE of this exploit.

env -i X=' () { }; echo hello' bash -c 'date'

If the above command outputs "hello", you are vulnerable.

-----------------
[root at schoolserver ~]# env -i X=' () { }; echo hello' bash -c 'date'
Fri Sep 26 18:18:24 CDT 2014


Anna Schoolfield
Birmingham


On Fri, Sep 26, 2014 at 3:14 AM, James Cameron <quozl at laptop.org> wrote:

> On Thu, Sep 25, 2014 at 06:04:45PM -0500, Anna wrote:
> > I just patched my XS 0.6 with this:
> >
> > curl -k https://shellshocker.net/fixbash | sh
>
> For me, one of these uncontrolled non-versioned scripts ended up
> building /usr/local/bin/bash and the system bash remained in use.
>
> Worth checking in case you hit that one.
>
> --
> James Cameron
> http://quozl.linux.org.au/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.laptop.org/pipermail/server-devel/attachments/20140926/b6905404/attachment.html>


More information about the Server-devel mailing list