Differences between revisions 11 and 12
Revision 11 as of 2014-09-29 18:44:55
Size: 4570
Editor: geirha
Comment: Code block to test for vulnerable bash binaries
Revision 12 as of 2014-09-29 19:15:35
Size: 5051
Editor: cpc16-enfi16-2-0-cust765
Comment: Added link to bashcheck testing script and some accompanying commentary
Deletions are marked like this. Additions are marked like this.
Line 40: Line 40:
A more comprehensive script called [[https://github.com/hannob/bashcheck|bashcheck]] is available. In addition to the two above mentioned vulnerabilities, it is able to test for a few others that have since been discovered. Note, however, that these additional vulnerabilities are distinct from Shellshock and are not currently known to be exploitable. At the time of writing, the latest version of bash - bash43-027 - does not have a fix for CVE-2014-7186 (the redir_stack bug).

What is the Shellshock vulnerability in Bash?

As of this writing (September 27th, 2014), the situation with Shellshock is changing so rapidly that you're probably better off using your preferred search engine instead of this FAQ. For example, you could search a news site for recent items which contain the word "Shellshock".

A quick summary is this:

  • The most recent updates should now fix all known Shellshock-related vulnerabilities.
  • Many systems were never vulnerable to a remote attack, but it's safer to patch all systems anyway.
  • Other potential problems were identified during the investigation, but are considered separate from the Shellshock bug.

Are my bash binaries fixed?

Your OS should have patched bash by now, but maybe you have multiple binaries installed (some by the OS, some by other means) and want to check that all of them are safe. You can copy/paste the following snippet into a terminal emulator running bash or some other posix compliant shell.

Replace /bin/bash and /usr/local/bin/bash with the paths to the bash binaries you have installed/want to test in the for-loop below.

for s in /bin/bash /usr/local/bin/bash ; do
  VAR='() { :;};x=FAIL' "$s" -c 'printf "%-20s CVE-2014-6271 %-4s (%s)\n" "$BASH_VERSION" "${x-OK}" "$0"'
  VAR='() {}>\' "$s" -c '/dev/null x=FAIL;printf "%-20s CVE-2014-7169 %-4s (%s)\n" "$BASH_VERSION" "${x-OK}" "$0"'
done 2>/dev/null

The output will look something like this:

3.2.48(1)-release    CVE-2014-6271 FAIL (/bin/bash)
3.2.48(1)-release    CVE-2014-7169 FAIL (/bin/bash)
4.3.27(1)-release    CVE-2014-6271 OK   (/usr/local/bin/bash)
4.3.27(1)-release    CVE-2014-7169 OK   (/usr/local/bin/bash)

This shows that /usr/local/bin/bash is at version 4.3.27 and patched for both of the issues, while /bin/bash is at version 3.2.48 and fails both (meaning it is vulnerable).

A more comprehensive script called bashcheck is available. In addition to the two above mentioned vulnerabilities, it is able to test for a few others that have since been discovered. Note, however, that these additional vulnerabilities are distinct from Shellshock and are not currently known to be exploitable. At the time of writing, the latest version of bash - bash43-027 - does not have a fix for CVE-2014-7186 (the redir_stack bug).

After things stabilize a bit, this FAQ page should be updated with a better summary. For information about specific vulnerabilities related to Shellshock, you may find better results by searching for terms such as "CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", or "CVE-2014-7187".

In the meantime, here are a few links that should help you get started:


CategoryShell

BashFAQ/111 (last edited 2014-10-09 20:04:09 by GreyCat)