sys·ad·min·ol·o·gy [sis-ad-mih-nol-uh-jee]

noun

  1. The scientific study of system administration and related phenomena.

Thursday, 25 September 2014

Shellshock vulnerability on Gentoo and Debian - CVE-2014-6271, CVE-2014-7169, CVE-2014-7187, CVE-2014-7186, CVE-2014-6277 annnnnnnddd..... CVE-2014-6278!

So, like a lot of sysadmins out there today, I've been updating a cocktail* of distributions to mitigate against the Shellshock vulnerability in bash (CVE-2014-6271 and CVE-2014-7169).

*cocktail is an exaggeration, it's more a cocktail of versions of distributions.

First, we'll deal with my distribution of the day, Gentoo!

Shellshock mitigation on Gentoo

  1. First, make sure you

    emerge --sync

    to get the latest version of the portage tree
  2. Then very simply:

    emerge -vat bash

    Drop the -a if you don't want it to confirm the install. Very useful for automated or scripted installs.

Shellshock mitigation on Debian

This is also pretty straightforward, but it does depend on the version of Debian you are running.
If you are on Wheezy (7.x) then it's very simple:

  1. apt-get update
  2. apt-get install bash

If you are on an earlier version (6.x or squeeze, for example) then it's a little more involved. I used this StackExchange question as a guide, specifically the answer by drs.

  1. Add this to your /etc/apt/sources.list

    deb http://http.debian.net/debian squeeze-lts main contrib non-free
  2. Now update with

    apt-get update
  3. Then install the new version of bash

    apt-get install -t squeeze-lts --only-upgrade bash

Testing it's worked

This command will return "vulnerable" if.... well.... guess! :D

env x='() { :;}; echo vulnerable' bash -c echo

There is also a neat Python script written by SleepProgger which will accept a web address and tell you if a vulnerability exists.

Additional tests to perform

Here are some more tests that have emerged since the discovery of CVE-2014-6271.

To check for CVE-2014-7169

cd /tmp; env X='() { (a)=>\' bash -c "echo date"; cat echo

This should show the literal "date", before complaining with something like "cat: echo: No such file or directory". This tests for CVE-2014-7169. One warning, however: if it fails, it will create (or potentially overwrite) a file called /tmp/echo. You will need to delete that file before testing again.

To check for CVE-2014-7187

(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

This should NOT display the text "CVE-2014-7187 vulnerable, word_lineno"

To check for CVE-2014-7186

bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"



This should NOT display "CVE-2014-7186 vulnerable, redir_stack"

Update

More vulnerabilities based on the original have been found!

You can check for CVE-2014-6277 and CVE-2014-6278 with the following command:

foo='() { echo not patched; }' bash -c foo

If it returns "not patched" then you are vulnerable.

Gentoo users need to update to bash 4.2.50

Debian users need to update to bash 4.1.5(1)
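
The checks above can be collected into one script. This is an added example, not part of the original post: it runs each test from this page against one bash binary and, for the CVE-2014-7169 test, works in a scratch directory so /tmp/echo is never created or overwritten. BASH_BIN and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example: the page's Shellshock checks in one script.
# BASH_BIN and all function names are assumptions of this example.
BASH_BIN=${BASH_BIN:-bash}   # the bash binary under test

# Every check_* returns 0 if the binary looks patched, non-zero if vulnerable.
check_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo' 2>/dev/null)
    case $out in *vulnerable*) return 1 ;; esac
}

check_7169() {
    # Run in a private scratch directory: a vulnerable bash writes a file
    # named "echo" into the current directory, so /tmp/echo is never touched.
    dir=$(mktemp -d) || { echo "mktemp failed" >&2; exit 2; }
    (cd "$dir" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1)
    if [ -e "$dir/echo" ]; then rc=1; else rc=0; fi
    rm -rf "$dir"
    return "$rc"
}

check_7187() {
    # 200 nested for-loops, then 200 matching "done" lines (word_lineno test).
    { i=1; while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i + 1)); done
      i=1; while [ "$i" -le 200 ]; do echo done; i=$((i + 1)); done
    } | "$BASH_BIN" >/dev/null 2>&1
}

check_7186() {
    # 14 stacked here-documents (redir_stack test).
    "$BASH_BIN" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1
}

check_6277_6278() {
    out=$(foo='() { echo not patched; }' "$BASH_BIN" -c foo 2>/dev/null)
    [ "$out" != "not patched" ]
}

# Print one line per check; return 1 if any check reported "VULNERABLE".
shellshock_report() {
    vulnerable=0
    for cve in 6271 7169 7187 7186 6277_6278; do
        if "check_$cve"; then echo "CVE-2014-$cve: ok"
        else echo "CVE-2014-$cve: VULNERABLE"; vulnerable=1; fi
    done
    return "$vulnerable"
}

shellshock_report
```

Set BASH_BIN to test a binary other than the first bash on your PATH; the script's exit status is non-zero when any check reports VULNERABLE.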

There's more on these two vulnerabilities (CVE-2014-6277 and CVE-2014-6278) in this blog post.

Also, for those of you who are interested, I found this post, which shows a very simple way of exploiting any of the vulnerabilities mentioned above. https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept .... and you thought Heartbleed was scary!



