upgrade your bash

I've been busy. On the upside, our Ansible setup mostly works now. We got hit with the bash upgrade, and fortunately I noticed a few hours after the embargo was up, and I think I had everything patched within a few hours:

http://seclists.org/oss-sec/2014/q3/650

and... yeah, then the next day? 

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-7169

I've upgraded all the prgmr.com infrastructure twice now.  


Now you need to do the same thing. At a minimum:

    yum upgrade bash

or on Debian:

    apt-get update && apt-get install --only-upgrade bash


If you are on something crusty and ancient like etch, you might need to build and patch bash yourself. The following worked for me:

https://gist.github.com/cjs/3e11f044516fef7b0c8e



How do you test? Try the following:

lsc@before-patch:~$ env x='() { :;}; echo vulnerable' bash -c echo
vulnerable


Obviously, the above host is vulnerable. After patching, it will look something like this:

lsc@after-patch:~$ env x='() { :;}; echo vulnerable' bash -c echo
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'



Edit: IMPORTANT: that only covers you against the first hole. Note the line

    for i in $(seq -f "%03g" 1 18); do

in that file. Change the 18 to 19 to get the latest patch:


   for i in $(seq -f "%03g" 1 19); do


like that, and re-run it.

Test for the new patch:

lsc@host:~$ export X="() { (a)=>\\"
lsc@billing-internal:~$ bash -c 'echo date'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
lsc@host:~$ cat echo
Fri Sep 26 21:38:49 UTC 2014


The file named echo containing the output of date means it's still vulnerable. So I re-compile, like I said, adding in patch 19, re-install, and:

lsc@host:~$ rm echo
lsc@host:~$ export X="() { (a)=>\\"
lsc@host:~$ bash -c 'echo date'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
date
lsc@host:~$ cat echo
cat: echo: No such file or directory
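The two manual checks above can be wrapped into one script that reports the state of the local bash for both holes. This is an added example, not part of the original post or the gist it links to: the classify_* functions are pure checks over the probe output (so they can be exercised with constructed input), and the probe_* functions run the same commands the post shows, with the second probe confined to a temporary directory so the stray echo file never lands in your working directory. The function names and the "unknown" reporting are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the bash on PATH
# is exposed to the first Shellshock hole (function-definition import runs the
# trailing command) or the follow-up CVE-2014-7169 parser bug.

# First hole: the command appended to the exported function definition runs
# when the child bash imports the environment. The probe prints "vulnerable"
# on an unpatched bash and only a warning on stderr on a patched one.
classify_6271() {
    # $1 is the stdout captured from the probe command
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

probe_6271() {
    classify_6271 "$(env x='() { :;}; echo vulnerable' bash -c echo 2>/dev/null)"
}

# CVE-2014-7169: after the first patch the parser still carried leftover
# tokens (here ">\") into the next command, so `bash -c 'echo date'` behaved
# like `>echo date`: it ran date and wrote the output into a file named echo.
# A patched bash just prints the word "date" and creates no file.
classify_7169() {
    # $1 is the directory the probe ran in; the file is the tell-tale sign
    if [ -e "$1/echo" ]; then
        echo vulnerable
    else
        echo patched
    fi
}

probe_7169() {
    dir=$(mktemp -d) || return 1
    # Run in the scratch directory so any created "echo" file is contained.
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    classify_7169 "$dir"
    rm -rf "$dir"
}

# Print one line per check; say so explicitly when no bash is available,
# since an absent interpreter would otherwise look like a patched one.
report() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash: unknown (no bash on PATH)"
        return 0
    fi
    echo "first hole (function import): $(probe_6271)"
    echo "CVE-2014-7169 (parser):       $(probe_7169)"
}

report
```

Both probes must be run with the bash you actually ship to users: on a host with several bash builds installed, put the one you just patched first on PATH (or call it by full path) before trusting the report.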

This page contains a single entry by luke published on September 26, 2014 12:02 AM.

Scheduled Downtime halter.prgmr.com & council.prgmr.com - Sat, 12 July 2014 20:00:00 -0700 was the previous entry in this blog.

prgmr.com now on xen hypervisor pre-disclosure list is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.