[mdlug] shellshock

Michael Mikowski z_mikowski at yahoo.com
Sat Sep 27 21:17:49 EDT 2014


I wrote this for work and others here may find it useful.

If you have an unsupported OS (like an old web server) that is difficult to upgrade, you may want to recompile bash instead as illustrated below.  That's what I did.


----------------------------------------------------

The ShellShock bug, which you've probably heard about by now, is a big deal.

Remember all those drive-by Windows viruses that would install themselves if you visited a web page?  Yeah, well not that bad (what was Bill smoking?). But it's pretty bad, especially if you run Bash scripts through a web server - which affects just about all OSX and Linux machines - even those that are considered "personal" laptops and desktops.

You can see if your system is vulnerable by opening a Terminal window
and pasting the following line into it and pressing return:

  $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you don't see vulnerable as part of your output you can stop reading now as your system is not, um, vulnerable.

But if you do see vulnerable then the problem should be fixed ASAP.  Your first move should be to ensure your OS is completely up to date.  So please apply any pending updates and test again.  If you don't see vulnerable again, you are in the clear and you can stop reading here.

If you still see the problem, then we need to patch the vulnerability. Don't do this if you feel uncomfortable with these commands though - get a techie to help.  Buy him or her lunch or something ;)

The commands to compile and replace your copy of bash follow. These are confirmed on a Linux Ubuntu system with build-essential meta package installed.  It may need to vary on other OSs.

  $ cd; mkdir src; cd src
  $ wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
  $ # download all patches (upstream numbering starts at 001)
  $ for i in $(seq -f "%03g" 1 26); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
  $ tar zxvf bash-4.3.tar.gz
  $ cd bash-4.3
  $ # apply all patches in order
  $ for i in $(seq -f "%03g" 1 26); do patch -p0 < ../bash43-$i; done
  $ # build and install
  $ ./configure --prefix=/ && make
  $ # if you see no errors, continue
  $ sudo make install
  $ ls -l $(which bash) # should show a file with current date
  $ # Rerun the test; if it passes, you can remove the source 
  $ cd ~; rm -r src 

Original source link:
http://superuser.com/questions/816787



On Saturday, September 27, 2014 3:39 AM, Carl T. Miller <carl at carltm.com> wrote:
 


Garry Stahl wrote:
>
> On 09/26/2014 02:30 PM, Carl T. Miller wrote:
>> env x='() { :;}; echo -n NOT\ ' bash -c 'echo safe from shellshock'
> Is this the result you are supposed to get?  I ran updates last night
> before I even saw the news.
>
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
> safe from shellshock

Yes, you can ignore the first two lines that are errors,
and it says "safe from shellshock".  You're good.


c
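
Added example, not part of the original thread: after a rebuild an older bash can remain at another path, so this runs the post's one-line probe against each bash binary by explicit path instead of whichever one is first on PATH. The function names check_bash, list_bash_candidates and check_all are made up for this sketch, and it covers only the case that probe tests.

```shell
#!/bin/sh
# Print "vulnerable", "patched" or "error" for the shell binary at path $1.
check_bash() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo error
        return 0
    fi
    # Same probe as in the post: variable x holds a function definition with
    # a trailing command; an unpatched bash runs that command at startup.
    # stderr is dropped so the warnings a patched bash prints are ignored.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*)       echo vulnerable ;;
        *"this is a test"*) echo patched ;;
        *)                  echo error ;;
    esac
}

# Candidates: every bash listed in /etc/shells plus the first bash on PATH.
list_bash_candidates() {
    {
        if [ -r /etc/shells ]; then
            grep -E '^/.*/bash$' /etc/shells || true
        fi
        command -v bash || true
    } 2>/dev/null | sort -u
}

# Check every candidate; return 1 if any copy is still vulnerable.
check_all() {
    rc=0
    for b in $(list_bash_candidates); do
        result=$(check_bash "$b")
        printf '%-24s %s\n' "$b" "$result"
        if [ "$result" = vulnerable ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Usage: source this file, then run check_all after "sudo make install".
```
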

