Diff for "BashFAQ/111"

Differences between revisions 11 and 18 (spanning 7 versions)

What is the Shellshock vulnerability in Bash?

"Shellshock" refers to two remotely-exploitable vulnerabilities in Bash, discovered in September 2014. The first vulnerability exploits the mechanism that Bash used to export and import functions, and allowed arbitrary command execution. The second vulnerability exploits a parser bug and allowed local files to be created.

What these vulnerabilities have in common is that they are triggered by Bash scanning the environment, finding malicious data, and stumbling on it. Malicious data can be inserted into the environment by remote attackers in some system configurations, the most common of which is a web server with CGI capability. Most CGI setups pass along user-supplied data (e.g. HTTP user agent) through the environment.

There are official (i.e. issued by Chet Ramey) patches for Bash which fix the Shellshock vulnerabilities. These patches are available for all Bash versions from 2.05b through 4.3. There is also a third official patch which changes how Bash exports and imports functions through the environment. This third patch is believed to close any and all "tainted environment variable" attacks.

Many systems were never vulnerable to a remote attack, but it's safer to patch all systems anyway.

Other potential problems (parser bugs) were identified during the investigation, but are considered separate from the Shellshock bug. These bugs have no remote exploits (so far as we know). These bugs are currently being patched as well, albeit with less urgency.

Vulnerability Patches
bash43-025	CVE-2014-6271	2014-09-24
bash43-026	CVE-2014-7169	2014-09-26
bash43-027	CVE-2014-6278	2014-09-27
bash43-028	CVE-2014-7186 and CVE-2014-7187	2014-10-01
bash43-029	CVE-2014-6277	2014-10-02

Are my bash binaries fixed?

Your OS should have patched bash by now, but maybe you have multiple binaries installed (some by the OS, some by other means) and want to check that all of them are safe. You can copy/paste the following snippet into a terminal emulator running bash or some other posix compliant shell.

Replace /bin/bash and /usr/local/bin/bash with the paths to the bash binaries you have installed/want to test in the for-loop below.

for s in /bin/bash /usr/local/bin/bash ; do
  VAR='() { :;};x=FAIL' "$s" -c 'printf "%-20s CVE-2014-6271 %-4s (%s)\n" "$BASH_VERSION" "${x-OK}" "$0"'
  VAR='() {}>\' "$s" -c '/dev/null x=FAIL;printf "%-20s CVE-2014-7169 %-4s (%s)\n" "$BASH_VERSION" "${x-OK}" "$0"'
done 2>/dev/null

The output will look something like this:

3.2.48(1)-release    CVE-2014-6271 FAIL (/bin/bash)
3.2.48(1)-release    CVE-2014-7169 FAIL (/bin/bash)
4.3.27(1)-release    CVE-2014-6271 OK   (/usr/local/bin/bash)
4.3.27(1)-release    CVE-2014-7169 OK   (/usr/local/bin/bash)

This shows that /usr/local/bin/bash is at version 4.3.27 and patched for both of the issues, while /bin/bash is at version 3.2.48 and fails both (meaning it is vulnerable).

A more comprehensive script called bashcheck is available. In addition to the two above mentioned vulnerabilities, it is able to test for a few others that have since been discovered. Note, however, that these additional vulnerabilities are distinct from Shellshock and are not currently known to be exploitable.

-  ⇤ ← Revision 11 as of 2014-09-29 18:44:55 → 
  Size: 4570
  Editor: geirha
  Comment: Code block to test for vulnerable bash binaries
+   ← Revision 18 as of 2014-10-09 20:04:09 → ⇥
  Size: 6951
  Editor: GreyCat
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 3:
+"Shellshock" refers to two remotely-exploitable vulnerabilities in Bash, discovered in September 2014. The first vulnerability exploits the mechanism that Bash used to export and import functions, and allowed arbitrary command execution. The second vulnerability exploits a parser bug and allowed local files to be created.
-Line 4:
+Line 5:
-As of this writing (September 27th, 2014),
the situation with Shellshock is changing so rapidly
that you're probably better off
using your preferred search engine instead of this FAQ.
For example,
you could search a news site for
recent items which contain the word "Shellshock".
+What these vulnerabilities have in common is that they are triggered by Bash scanning the environment, finding malicious data, and stumbling on it. Malicious data can be inserted into the environment by remote attackers in some system configurations, the most common of which is a web server with CGI capability. Most CGI setups pass along user-supplied data (e.g. HTTP user agent) through the environment.
-Line 12:
+Line 7:
-A quick summary is this:
 * The most recent updates should now fix all known Shellshock-related vulnerabilities.
 * Many systems were never vulnerable to a remote attack, but it's safer to patch all systems anyway.
 * Other potential problems were identified during the investigation, but are considered separate from the Shellshock bug.
+There are official (i.e. issued by Chet Ramey) patches for Bash which fix the Shellshock vulnerabilities. These patches are available for all Bash versions from 2.05b through 4.3. There is also a third official patch which changes how Bash exports and imports functions through the environment. This third patch is believed to close any and all "tainted environment variable" attacks.

Many systems were never vulnerable to a remote attack, but it's safer to patch all systems anyway.

Other potential problems (parser bugs) were identified during the investigation, but are considered separate from the Shellshock bug. These bugs have no remote exploits (so far as we know). These bugs are currently being patched as well, albeit with less urgency.
||||||<style="text-align:center">'''Vulnerability Patches''' ||
||[[http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025|bash43-025]] ||[[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271|CVE-2014-6271]] ||2014-09-24 ||
||[[http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-026|bash43-026]] ||[[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169|CVE-2014-7169]] ||2014-09-26 ||
||[[http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027|bash43-027]] ||[[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278|CVE-2014-6278]] ||2014-09-27 ||
||[[http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-028|bash43-028]] ||[[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186|CVE-2014-7186]] and [[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187|CVE-2014-7187]] ||2014-10-01 ||
||[[http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-029|bash43-029]] ||[[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277|CVE-2014-6277]] ||2014-10-02 ||
-Line 18:
+Line 23:
 Your OS should have patched bash by now, but maybe you have multiple binaries installed (some by the OS, some by other means) and want to check that all of them are safe. You can copy/paste the following snippet into a terminal emulator running bash or some other posix compliant shell.
-Line 29:
+Line 33:
+The output will look something like this:
-Line 30:
+Line 35:
-The output will look something like this:
-Line 37:
+Line 41:
-Line 40:
+Line 43:
+A more comprehensive script called [[https://github.com/hannob/bashcheck|bashcheck]] is available. In addition to the two above mentioned vulnerabilities, it is able to test for a few others that have since been discovered. Note, however, that these additional vulnerabilities are distinct from Shellshock and are not currently known to be exploitable.
-Line 41:
+Line 45:
-After things stabilize a bit,
this FAQ page should be updated with a better summary.
For information about specific vulnerabilities related to Shellshock,
you may find better results by searching for terms such as
"CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", or "CVE-2014-7187".
+=== Further reading ===
After things stabilize a bit, this FAQ page should be updated with a better summary. For information about specific vulnerabilities related to Shellshock, you may find better results by searching for terms such as "CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", or "CVE-2014-7187".
-Line 47:
+Line 48:
-In the meantime,
here are a few links that should help you get started:
+In the meantime, here are a few links that should help you get started:
 Line 50:
- * [[http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/|ZDNet: the latest patches do fix all known Shellshock issues]]
+ * [[http://www.dwheeler.com/essays/shellshock.html|Summary and timeline by David A. Wheeler, a security researcher working on Shellshock]]
 * [[https://shellshocker.net/|"shellshocker.net", an online tool for testing if a system is vulnerable]]
-Line 53:
+Line 54:
- * [[https://shellshocker.net/|"shellshocker.net", and online tool for testing if a system is vulnerable]]
 * [[https://access.redhat.com/articles/1200223|Summary article from RedHat on how to determine if a system is vulnerable]]
 * [[http://learning.criticalwatch.com/shellshock/|Critical Watch page on Shellshock]]
-Line 59:
+Line 57:
-Line 60:
+Line 59:
+ * [[http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/|ZDNet: the latest patches do fix all known Shellshock issues]]
 * [[https://access.redhat.com/articles/1200223|Summary article from RedHat on how to determine if a system is vulnerable]]
 * [[http://learning.criticalwatch.com/shellshock/|Critical Watch page on Shellshock]]
-Line 65:
+Line 67: