Posts: 17
machinebacon
Joined: 17 Jul 2014
#1

http://seclists.org/oss-sec/2014/q3/650

https://lists.debian.org/debian-security-announce/2014/msg00220.html


Debian and other GNU/Linux vendors plan to disclose a critical,
remotely exploitable security vulnerability in bash this week, related
to the processing of environment variables. Stephane Chazelas
discovered it, and CVE-2014-6271 has been assigned to it.
Alanarchy
Posts 0
Alanarchy
#2
I just read it here.


http://tinyurl.com/k744q7m

It's been estimated that the bug has been present for at least a decade and most likely longer.
anticapitalista
Posts: 5,956
Site Admin
Joined: 11 Sep 2007
#3
Thanks for the links. bash got upgraded today on my box.
Alanarchy
Posts 0
Alanarchy
#4
Mine too now I'm in antix __{{emoticon}}__
Posts: 70
bbwf
Joined: 19 May 2013
#5
Better be vigilant and format the drive and reinstall...... every three months.

Lately I've been getting e-mails from people I know that contain links of web pages to visit.
Then, wham, infection........ so covert

What else is going on that we don't know about?
Posts: 4,164
rokytnji
Joined: 20 Feb 2009
#6

Code:

~$ env X="() { :;} ; echo vulnerable" /bin/sh -c "echo safe"
safe
I'm cool. __{{emoticon}}__
worktowork
Posts 0
worktowork
#7
From https://lists.debian.org/debian-security-announce/2014/msg00220.html I must have bash

For the stable distribution (wheezy), this problem has been fixed in
version 4.2+dfsg-0.1+deb7u1

I have bash version: 4.2+dfsg-0.1+deb7u3, so is it enough for security?
Posts: 325
male
Joined: 04 Nov 2011
#8
worktowork wrote: I have bash version: 4.2+dfsg-0.1+deb7u3, so is it enough for security?

http://en.wikipedia.org/wiki/Shellshock_(software_bug)
Alanarchy
Posts 0
Alanarchy
#9
Roky gave us the code to check our systems. Just paste into Roxterm:

Code:

~$ env X="() { :;} ; echo vulnerable" /bin/sh -c "echo safe"
and if it gives you "Safe" then you're safe.
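
The one-liner above probes /bin/sh, which is not bash on every system, so this added example (not part of the original posts) runs the same probe against /bin/sh and bash separately and shows what each path resolves to. The function names are illustrative, and it assumes readlink -f is available.

```shell
#!/bin/sh
# Added example (not from the thread): CVE-2014-6271 probe against a named shell.
# Function names check_shell, real_shell and report are illustrative.

# Print "vulnerable", "not vulnerable" or "missing" for the shell binary at $1.
check_shell() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "missing"
        return 0
    fi
    # Same probe as in the thread: a function definition followed by an extra
    # command, passed in the environment. An unpatched bash runs the extra
    # command at startup; a patched bash, or a non-bash sh, only runs -c.
    out=$(env X='() { :;} ; echo vulnerable' "$shell_path" -c 'echo safe' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo "vulnerable" ;;
        *) echo "not vulnerable" ;;
    esac
}

# Resolve symlinks so the report names the interpreter a path really points to.
real_shell() {
    readlink -f "$1" 2>/dev/null || echo "$1"
}

# Probe /bin/sh and bash separately, since /bin/sh is not always bash.
report() {
    bash_path=$(command -v bash 2>/dev/null) || bash_path=""
    for candidate in /bin/sh "$bash_path"; do
        [ -n "$candidate" ] || continue
        printf '%s -> %s: %s\n' "$candidate" "$(real_shell "$candidate")" \
            "$(check_shell "$candidate")"
    done
}

report
```

A "not vulnerable" result for /bin/sh says nothing about bash when the two paths resolve to different binaries.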
Posts: 667
jdmeaux1952
Joined: 01 Nov 2013
#10
Hurrah for Roky!
Posts: 325
male
Joined: 04 Nov 2011

28 Sep 2014, 15:18 #11

and what is with

Code:

$ env X='() { (a)=>\' sh -c "echo date"; cat echo
male wrote:
__{{emoticon}}__

http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29#CVE-2014-7169
Posts: 119
wildstar84
Joined: 31 May 2014
#12
It does not as yet appear fixed in stable/Wheezy for MX-13 (no bash upgrades have shown up recently & the test code above fails)
Posts: 1,062
Dave
Joined: 20 Jan 2010
#13
Did you apt-get update or reload in synaptic?
If so maybe post your sources here... inxi -r maybe?
Posts: 119
wildstar84
Joined: 31 May 2014
#14
Yes, I did refresh & here are the sources:

deb http://antix.daveserver.info/stable stable main
deb http://ftp.us.debian.org/debian wheezy non-free contrib main
deb http://security.debian.org wheezy/updates non-free contrib main
deb-src http://ftp.us.debian.org/debian wheezy non-free contrib main
deb http://ftp.us.debian.org/debian wheezy-backports non-free contrib main
deb http://www.deb-multimedia.org wheezy non-free main
Posts: 1,062
Dave
Joined: 20 Jan 2010
#15
Well, the only difference between my sources and yours is that the deb-src, multimedia, and backports are enabled.
Maybe try commenting them out and reloading.

Other than that, all I can think of is that you are still holding an old bash session and need to start a new session. I did a reboot to make sure everything was using a new session of bash.

Perhaps you could do a bash --version or dpkg --list | grep "bash" to find which bash version you have?