critical Bash security issues CVE-2014-6271 / CVE-2014-7169

This forum is dedicated to testing early releases and cauldron : Howtos, tips, tricks and user global feedback and thoughts...

Helpful tip :
For bugs tracking we use : https://bugs.mageia.org = The Mageia Bug Tracker
In this bug tracker you'll find already reported bugs and you'll be able to report those you have found....

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby viking60 » Sep 28th, '14, 04:08

Exploit 1 (CVE-2014-6271)
Code: Select all
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see "vulnerable" you need to update bash. Otherwise, you should be good to go.

Exploit 2 (CVE-2014-7169)

Code: Select all
env var='() {(a)=>\' bash -c "echo date"; cat echo

If the above command outputs the current date (it may also show errors), you are still vulnerable.

Exploit 3 (???)

Here is another variation of the exploit.

Code: Select all
env -i X=' () { }; echo hello' bash -c 'date'

It is bad if this produces "hello"
Image Flexibility is good and inxi is good... install both!
User avatar
viking60
 
Posts: 255
Joined: Mar 19th, '11, 22:26

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby doktor5000 » Sep 28th, '14, 10:12

viking60 wrote:Exploit 3 (???)

Here is another variation of the exploit.

Code: Select all
env -i X=' () { }; echo hello' bash -c 'date'

It is bad if this produces "hello"

That's just a variation of 1, something in the variable definition for X is interpreted ...
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 17603
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby pete910 » Sep 29th, '14, 16:47

Received another update to bash, as well as a couple of others, states it is now been fixed
User avatar
pete910
 
Posts: 357
Joined: Jan 8th, '12, 18:53

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby claire » Oct 1st, '14, 13:14

Further bash updates were pushed this morning covering other related CVE's
http://advisories.mageia.org/MGASA-2014-0394.html
Help to make Mageia! Get involved.. Please come and join us
claire
 
Posts: 161
Joined: May 28th, '11, 19:17
Location: UK

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby pete910 » Oct 1st, '14, 13:20

Cheers for the update Claire.
User avatar
pete910
 
Posts: 357
Joined: Jan 8th, '12, 18:53

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby doktor5000 » Oct 1st, '14, 18:20

If anybody else wants to check, here's how to do it using https://github.com/hannob/bashcheck

Code: Select all
[doktor5000@Mageia4 ~]$ wget https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck -O bashcheck.sh && chmod +x bashcheck.sh
--2014-10-01 18:18:45--  https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.31.17.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.31.17.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1375 (1.3K) [text/plain]
Saving to: 'bashcheck.sh'

100%[==============================================================================================================================>] 1,375       --.-K/s   in 0s     

2014-10-01 18:18:45 (49.2 MB/s) - 'bashcheck.sh' saved [1375/1375]


[doktor5000@Mageia4 ~]$ ./bashcheck.sh
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)

Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
[doktor5000@Mageia4 ~]$
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 17603
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby dbg » Oct 1st, '14, 20:50

This is what I got running that test. This is after the MGASA-2014-0394 update and rebooting. Using Mageia 3:

Code: Select all
[dennis@noob ~]$ ./bashcheck.sh
Testing /usr/bin/bash ...
GNU bash, version 4.2.50(2)-release (x86_64-mageia-linux-gnu)

Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
./bashcheck.sh: line 42: 10722 Segmentation fault      $bash -c "f(){ x(){ _;};x(){ _;}<<a;}"
Vulnerable to CVE-2014-6277 (lcamtuf bug #1) [no patch]
Variable function parser inactive, likely safe from unknown parser bugs
[dennis@noob ~]$


Did the last update not fix CVE-2014-6277 or is there a problem with this bashcheck.sh program?
dbg
 
Posts: 69
Joined: Mar 30th, '11, 22:28
Location: Grants Pass, Oregon

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby doktor5000 » Oct 1st, '14, 21:10

The author added two more CVEs in the last few hours:
https://github.com/hannob/bashcheck/com ... /bashcheck

This is what I got just now, on Mageia 4:
[doktor5000@Mageia4 ~]$ ./bashcheck.sh
Testing /usr/bin/bash ...
GNU bash, Version 4.2.50(1)-release (x86_64-mageia-linux-gnu)

Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Vulnerable to CVE-2014-6277 (lcamtuf bug #1) [no patch]
Vulnerable to CVE-2014-6278 (lcamtuf bug #2) [prefix/%%-suffix]

Variable function parser inactive, likely safe from unknown parser bugs


So seems those two issues are not fixed yet. I've reopened https://bugs.mageia.org/show_bug.cgi?id=14193
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 17603
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby dbg » Oct 1st, '14, 21:56

With the new bashcheck.sh I get the same result using MGA3.
dbg
 
Posts: 69
Joined: Mar 30th, '11, 22:28
Location: Grants Pass, Oregon

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby doktor5000 » Oct 1st, '14, 22:18

Read the last 3 comments on the bugreports. Yes those vulnerabilities exist (and maybe more will be found in the next days/weeks)
but due to the recently pushed security updates they're not exploitable. A final update for those will be pushed once upstream has fixed those properly ...


For more background information, you may want to check http://seclists.org/fulldisclosure/2014/Oct/9
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 17603
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby jiml8 » Oct 7th, '14, 09:54

I am presently on a motorcycle tour in Romania. I just became aware of this issue, and as a consequence at the present time I am upgrading my workstation, working remotely of course. Does anyone know if dd-wrt is affected by this? My router is dd-wrt and it faces the Internet.

I am working on my mobile device, and while I can search the internet and participate in message boards using it is very tedious which is why I'm asking the question here.
jiml8
 
Posts: 1253
Joined: Jul 7th, '13, 18:09

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby pete910 » Oct 7th, '14, 14:39

jiml8 wrote:I am presently on a motorcycle tour in Romania. I just became aware of this issue, and as a consequence at the present time I am upgrading my workstation, working remotely of course. Does anyone know if dd-wrt is affected by this? My router is dd-wrt and it faces the Internet.

I am working on my mobile device, and while I can search the internet and participate in message boards using it is very tedious which is why I'm asking the question here.


Not by the looks of it.

See herehttp://stevejenkins.com/blog/2014/09/is-dd-wrt-vulnerable-to-the-shellshock-bash-bug/
User avatar
pete910
 
Posts: 357
Joined: Jan 8th, '12, 18:53

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby jiml8 » Oct 7th, '14, 19:20

Thanks. Or should I say...multumesc.
jiml8
 
Posts: 1253
Joined: Jul 7th, '13, 18:09

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby crandy2 » Oct 9th, '14, 18:55

I guess I'm missing something. I have a Mageia 4, 64 bit install, and so far have gotten no updates or fixes whatsoever. The version I have is 4.2.45.6, which appears to be out of date. I'm in the US and use dacentec mirror.

Are we supposed to get the fixes for this through the normal update process?
crandy2
 
Posts: 4
Joined: May 15th, '13, 14:25

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby jkerr82508 » Oct 9th, '14, 20:25

What is the result of
Code: Select all
urpmq --sources bash
and
Code: Select all
urpmq --list-media active
Jim
jkerr82508
 
Posts: 946
Joined: Mar 26th, '11, 01:34
Location: Fife, Scotland

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby crandy2 » Oct 9th, '14, 21:45

jkerr82508 wrote:What is the result of
Code: Select all
urpmq --sources bash
and
Code: Select all
urpmq --list-media active
Jim


Code: Select all
[root@localhost randy]# urpmq --sources bash
http://mirror.dacentec.com/mageia/distrib/4/x86_64/media/core/release/bash-4.2-45.6.mga4.x86_64.rpm
[root@localhost randy]# urpmq --list-media active
chrome_x86_64
Core Release
Core Updates
Core Updates Testing
Core Backports
Core Backports Testing
Nonfree Release
Nonfree Updates
Nonfree Backports
Tainted Release
Tainted Updates
Tainted Backports
Core 32bit Release
Core 32bit Updates
Core 32bit Backports
Nonfree 32bit Release
Nonfree 32bit Updates
Nonfree 32bit Backports
Tainted 32bit Release
Tainted 32bit Updates
Tainted 32bit Backports
google-chrome
Last edited by doktor5000 on Oct 11th, '14, 02:59, edited 1 time in total.
Reason: added code tags
crandy2
 
Posts: 4
Joined: May 15th, '13, 14:25

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby pete910 » Oct 9th, '14, 22:09

Thats only showing release repo,

here's the ouput of same command on mine

Code: Select all
urpmq --sources bash
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/release/bash-4.2-45.6.mga4.x86_64.rpm
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/updates/bash-4.2-48.1.mga4.x86_64.rpm
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/updates/bash-4.2-49.1.mga4.x86_64.rpm
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/updates/bash-4.2-50.2.mga4.x86_64.rpm
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/updates/bash-4.2-53.1.mga4.x86_64.rpm


You seem to have the correct repos added. Are you using the one fixed mirror for all ?
User avatar
pete910
 
Posts: 357
Joined: Jan 8th, '12, 18:53

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby crandy2 » Oct 9th, '14, 22:49

pete910 wrote:Thats only showing release repo,

here's the ouput of same command on mine

Code: Select all
urpmq --sources bash
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/release/bash-4.2-45.6.mga4.x86_64.rpm
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/updates/bash-4.2-48.1.mga4.x86_64.rpm
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/updates/bash-4.2-49.1.mga4.x86_64.rpm
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/updates/bash-4.2-50.2.mga4.x86_64.rpm
ftp://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/4/x86_64/media/core/updates/bash-4.2-53.1.mga4.x86_64.rpm


You seem to have the correct repos added. Are you using the one fixed mirror for all ?


Yes. What should I be doing?
crandy2
 
Posts: 4
Joined: May 15th, '13, 14:25

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby jkerr82508 » Oct 9th, '14, 22:51

The mirror that you are using, dacentec, is hopelessly out of date.
http://mirrors.mageia.org/status
Delete all your sources, except google-chrome, and add an alternative mirror.
(kernel.org is often recommended for North American users)
http://doc.mageia.org/mcc/4/en/content/ ... tml#d4e265

Jim
jkerr82508
 
Posts: 946
Joined: Mar 26th, '11, 01:34
Location: Fife, Scotland

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby crandy2 » Oct 10th, '14, 17:31

jkerr82508 wrote:The mirror that you are using, dacentec, is hopelessly out of date.
http://mirrors.mageia.org/status
Delete all your sources, except google-chrome, and add an alternative mirror.
(kernel.org is often recommended for North American users)
http://doc.mageia.org/mcc/4/en/content/ ... tml#d4e265

Jim



Thank you, that did it.

I had 107 packages to update after switching to kernel.org. That dacentec mirror should be pulled or something.
crandy2
 
Posts: 4
Joined: May 15th, '13, 14:25

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby n00biest » Oct 21st, '14, 14:32

So now that it's over, that we get rid of it, definetely, what should we do first : reset all psswords in a hurry, or reinstall mageia once for all ?
Attachments
_rootkits_tracker_.jpg
_rootkits_tracker_.jpg (65.74 KiB) Viewed 26615 times
User avatar
n00biest
 
Posts: 100
Joined: May 2nd, '12, 19:16
Location: PARIS !

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby doktor5000 » Oct 21st, '14, 21:53

You should at least reinstall 5 times and wipe the harddisk with alternating patterns at least 7 times between each installation.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 17603
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: critical Bash security issues CVE-2014-6271 / CVE-2014-7

Postby pete910 » Oct 22nd, '14, 02:28

doktor5000 wrote:You should at least reinstall 5 times and wipe the harddisk with alternating patterns at least 7 times between each installation.



That made me giggle :D
User avatar
pete910
 
Posts: 357
Joined: Jan 8th, '12, 18:53

Previous

Return to Testing : Alpha, Beta, RC and Cauldron

Who is online

Users browsing this forum: No registered users and 1 guest