Serious Bash exploit & fix
Posted in Development on September 25, 2014
There's a bash exploit doing the rounds that is drop-everything serious.
The short version is that it is:
related to how environment variables are processed: trailing code in function definitions was executed, independent of the variable name
So a correctly formed command can be used to execute arbitrary code on an affected system, meaning anything running bash.
The problem is that Bash is probably called by your web server or scripting language of choice. As this post from Red Hat puts it:
CGI scripts are likely affected by this issue: when a CGI script is run by the web server, it uses environment variables to pass data to the script. These environment variables can be controlled by the attacker. If the CGI script calls Bash, the script could execute arbitrary code as the httpd user. mod_php, mod_perl, and mod_python do not use environment variables and we believe they are not affected.
Test this
bealers@server:~$ env x='() { :;}; echo vulnerable' bash -c "test"
Get this output?
vulnerable
Bad.
Fix this (on Debian/Ubuntu a patch is out)
apt-get update && apt-get install --only-upgrade bash
Test this
bealers@server:~$ env x='() { :;}; echo vulnerable' bash -c "test"
Get this output?
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
Good.
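The one-liner above only exercises whichever bash comes first on your PATH, and a package upgrade does not touch extra copies (a hand-built one in /usr/local, say). As an added example, not part of the original post, this POSIX sh script runs the same test against every bash found on PATH and in /etc/shells. The function names are made up for illustration, and it checks only the test string shown in this post.

```sh
#!/bin/sh
# Added example (not from the original post): apply the post's test to every
# bash binary on the host instead of only the first one on PATH.

# check_bash PATH: 0 = passes this test, 1 = vulnerable, 2 = not executable.
check_bash() {
    [ -x "$1" ] || return 2
    # Same probe as the post. A vulnerable bash runs the trailing
    # "echo vulnerable" while importing x. "test" exits non-zero, so the
    # exit status is ignored and only the output is inspected.
    probe_out=$(env -i x='() { :;}; echo vulnerable' "$1" -c "test" 2>/dev/null) || :
    case $probe_out in
        *vulnerable*) return 1 ;;
        *) return 0 ;;
    esac
}

# list_bash_binaries: distinct bash paths from PATH and /etc/shells.
list_bash_binaries() {
    {
        IFS=:   # contained: this side of the pipeline runs in a subshell
        for dir in $PATH; do
            if [ -x "$dir/bash" ]; then printf '%s\n' "$dir/bash"; fi
        done
        if [ -r /etc/shells ]; then grep '/bash$' /etc/shells; fi
    } | sort -u
}

# audit_bash: print one line per binary; return 1 if any is vulnerable.
audit_bash() {
    audit_rc=0
    for b in $(list_bash_binaries); do
        st=0
        check_bash "$b" || st=$?
        case $st in
            0) echo "ok:         $b" ;;
            1) echo "VULNERABLE: $b"; audit_rc=1 ;;
            *) echo "skipped:    $b (not executable)" ;;
        esac
    done
    return $audit_rc
}

audit_bash || echo "Upgrade bash, then re-run."
```

Two paths that are symlinks to the same binary are reported separately, which is harmless.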
Notes
This is a moving target: as you can see here, new patches keep coming out. So keep checking for other proofs of concept, and keep checking for new patches by re-running the update & install.
For older versions of Debian you may need to do more work. For example, on some squeeze servers I had to change my apt sources to squeeze-lts:
deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free
Finally, a few useful background threads on HN: