Serious Bash exploit & fix

There’s a bash exploit doing the rounds that is drop-everything serious.

The short version is that it is:

related to how environment variables are processed: trailing code in function definitions was executed, independent of the variable name

So a suitably crafted environment variable value can be used to execute arbitrary code on an affected system, meaning anything that runs bash.

The problem is that Bash is probably called by your webserver or scripting language of choice, as this post from Red Hat puts it:

CGI scripts are likely affected by this issue: when a CGI script is run by the web server, it uses environment variables to pass data to the script. These environment variables can be controlled by the attacker. If the CGI script calls Bash, the script could execute arbitrary code as the httpd user. mod_php, mod_perl, and mod_python do not use environment variables and we believe they are not affected.

Test this

<code>bealers@server:~$ env x='() { :;}; echo vulnerable' bash -c "test"</code>

Get this output?

<code>vulnerable</code>

Bad.

Fix this (on Debian/Ubuntu a patch is out)

<code>apt-get update && apt-get install --only-upgrade bash</code>

Test this

<code>bealers@server:~$ env x='() { :;}; echo vulnerable' bash -c "test"</code>

Get this output?

<code>bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'</code>

Good.
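The same probe, wrapped so it can be scripted across hosts and run against every bash binary on a box (a bash built from source under /usr/local is not touched by the package upgrade). This is an added example, not part of the original post; the list of candidate paths is an assumption.

```shell
#!/bin/sh
# Added example: wraps the post's Shellshock probe in a function.
# shellshock_check PATH  -> prints "vulnerable", "patched" or "missing"
shellshock_check() {
    bash_bin="${1:-/bin/bash}"
    if [ ! -x "$bash_bin" ]; then
        echo "missing"
        return 0
    fi
    # Same test as the post: an exported "function" with trailing code.
    # A vulnerable bash runs the trailing "echo vulnerable"; a patched one
    # warns and ignores it (or, on newer bash, silently ignores the variable).
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "test" 2>&1)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
    return 0
}

# shellshock_scan -> one line per candidate binary: path, version, status.
# Candidate list is an assumption; extend it for your own hosts.
shellshock_scan() {
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -x "$b" ] || contin
        ver=$("$b" --version 2>/dev/null | head -n 1)
        printf '%s\t%s\t%s\n' "$b" "$ver" "$(shellshock_check "$b")"
    done
    return 0
}

# Run the scan when executed directly (sourcing the file only defines functions).
case "$0" in
    *sh) : ;;
    *) shellshock_scan ;;
esac
```

Any line ending in "vulnerable" means that binary still needs the update, regardless of what the package manager reports.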

Notes

This is a moving target (as you can see here), and new patches keep coming out. So keep checking for further proof-of-concepts, and keep checking for new patches by re-running the update & install.

For older versions of Debian you may need to do more work; for example, on some squeeze servers I had to change my apt sources to squeeze-lts:

<code>deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free</code>

Finally, a few useful background threads on HN:
