Bealers.com Geeking Out Since 1998

Serious Bash exploit & fix


There’s a bash exploit doing the rounds that is drop-everything serious.

The short version is that it is:

related to how environment variables are processed: trailing code in function definitions was executed, independent of the variable name

So a correctly formed environment variable value can be used to execute arbitrary code on an affected system, which means anything that runs bash.

The problem is that Bash is probably called by your webserver or scripting language of choice, as this post on Red Hat puts it:

CGI scripts are likely affected by this issue: when a CGI script is run by the web server, it uses environment variables to pass data to the script. These environment variables can be controlled by the attacker. If the CGI script calls Bash, the script could execute arbitrary code as the httpd user. mod_php, mod_perl, and mod_python do not use environment variables and we believe they are not affected.

Test this

bealers@server:~$ env x='() { :;}; echo vulnerable' bash -c "test"

Get this output?

vulnerable

Bad.

Fix this (on Debian/Ubuntu a patch is out)

apt-get update && apt-get install --only-upgrade bash

Test this

bealers@server:~$ env x='() { :;}; echo vulnerable' bash -c "test"

Get this output?

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

Good.
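Here's an added example, not something from the original post: the same one-liner as above, wrapped in a couple of POSIX sh functions so you can run it across a fleet from cron or your config management and grep the output, plus a rough triage of a CGI directory for scripts that hand control to bash (the Red Hat note above is why that matters). The function names and the "vulnerable/patched/missing" words are my own choices, not anything standard.

```shell
#!/bin/sh
# Added example (not from the original post). Function and status names are
# made up for this example.

# shellshock_status [interpreter]
# Runs the post's probe against the given interpreter (default: bash).
# Prints one word and returns 0 = patched, 1 = vulnerable, 2 = no such binary.
shellshock_status() {
    interp="${1:-bash}"
    if ! command -v "$interp" >/dev/null 2>&1; then
        echo "missing"
        return 2
    fi
    # Same probe as the post: x looks like an exported function definition
    # with trailing code. A vulnerable bash runs the trailing "echo vulnerable"
    # while importing x, before it even gets to the -c command, so the command
    # itself does not matter (the post uses "test"; ":" is used here so the
    # command substitution always exits 0).
    out=$(env x='() { :;}; echo vulnerable' "$interp" -c ":" 2>/dev/null)
    if [ "$out" = "vulnerable" ]; then
        echo "vulnerable"
        return 1
    fi
    echo "patched"
    return 0
}

# sh_is_bash
# On some distros /bin/sh is bash itself, in which case #!/bin/sh CGI scripts
# are exposed as well. Returns 0 if sh reports a BASH_VERSION.
sh_is_bash() {
    [ -n "$(sh -c 'echo "$BASH_VERSION"' 2>/dev/null)" ]
}

# find_bash_cgi DIR
# Prints every file under DIR whose interpreter line names bash, or whose body
# mentions bash (e.g. a Perl/Python CGI doing system("bash ...")). Heuristic
# only: anything that shells out (system(), popen(), backticks) inherits the
# attacker-controlled environment too, so treat this as a starting list.
find_bash_cgi() {
    dir="$1"
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        if head -n 1 "$f" | grep -Eq '^#! *(/usr)?/bin/(env +)?bash'; then
            echo "$f"
        elif grep -Eq '(^|[^[:alnum:]_])bash([^[:alnum:]_]|$)' "$f"; then
            echo "$f"
        fi
    done
}

# Usage (run by hand; nothing is executed on load so the file can be sourced):
#   . ./shellshock-check.sh
#   shellshock_status            # bash
#   shellshock_status /bin/sh    # whatever sh really is
#   find_bash_cgi /usr/lib/cgi-bin
```

The status function only tells you about the one bug the post's one-liner probes for; as the Notes below say, re-run it after every bash update rather than once.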

Notes

This is a moving target; as you can see here, new patches keep coming out. So keep checking for new proof-of-concepts, and keep checking for new patches by re-running the update and install.

For older versions of Debian you may need to do more work; for example, on some squeeze servers I had to change my apt sources to squeeze-lts:

deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

Finally a few useful background threads on HN:


By bealers