BASH Fix

From Indie IT Wiki
Jump to: navigation, search

BASH SHELLSHOCK REMOTE CODE EXECUTION VULNERABILITY CVE-2014-6271

Introduction

http://www.ubuntu.com/usn/usn-2362-1/

A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems – and, thanks to their ubiquity, the internet at large.

It lands countless websites, servers, PCs, OS X Macs, various home routers, and more, in danger of hijacking by hackers.

The vulnerability is present in Bash up to and including version 4.3, and was discovered by Stephane Chazelas. It puts Apache web servers, in particular, at risk of compromise: CGI scripts that use or invoke Bash in any way – including any child processes spawned by the scripts – are vulnerable to remote-code injection. OpenSSH and some DHCP clients are also affected on machines that use Bash.

Ubuntu and other Debian-derived systems that use Dash exclusively are not at risk – Dash isn't vulnerable, but busted versions of Bash may well be present on the systems anyway. It's essential you check the shell interpreters you're using, and any Bash packages you have installed, and patch if necessary.

The Security Patch for CVE-2014-7169 has been released as a standard security update. There is no need to add additional ppa's to receive this patch. Only the following is needed.

To ensure you have patched bash correctly, run the following command...

dpkg -s bash | grep Version

If you are on Ubuntu 14.04 LTS, you should see an output of:

Version: 4.3-7ubuntu1.4

If you are on Ubuntu 12.04 LTS, your output should be:

Version: 4.2-2ubuntu2.3

If you are on Ubuntu 10.04 LTS, your output should be:

Version: 4.1-2ubuntu3.1

If you are on Raspbian GNU/Linux 7 (wheezy), your output should be:

Version: 4.2+dfsg-0.1+deb7u3

Instructions

Centos

sudo yum update
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version

Red Hat

sudo yum update
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version

Debian

sudo apt-get update
sudo apt-get install --only-upgrade bash
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version

Raspian (Raspberry Pi)

sudo apt-get update
sudo apt-get install --only-upgrade bash
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version

Ubuntu

sudo apt-get update
sudo apt-get install --only-upgrade bash
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version
dpkg -s bash | grep Version

Ubuntu 10.10 11.04 12.10 13.04 13.10

USE THIS AT YOUR OWN RISK. IT WORKS BUT YOU SHOULD REALLY UPGRADE YOUR DISTRO!!!

Also, I found that you had to find the .deb file and install it again, because it would display errors and get confused about versions and not fully finish the update...

dpkg -s bash | grep Version
  Version: 4.3-7ubuntu1.4
  Config-Version: 4.2-5ubuntu3

So, we find the .deb file and run the debian installer again...

sudo dpkg -i /var/cache/apt/archives/bash_4.3-7ubuntu1.4_amd64.deb
(Reading database ... 131036 files and directories currently installed.)
Preparing to replace bash 4.3-7ubuntu1.4 (using .../bash_4.3-7ubuntu1.4_amd64.deb) ...
Unpacking replacement bash ...
Setting up bash (4.3-7ubuntu1.4) ...
update-alternatives: using /usr/share/man/man7/bash-builtins.7.gz to provide /usr/share/man/man7/builtins.7.gz (builtins.7.gz) in auto mode
Processing triggers for install-info ...

...and now we get no errors...

dpkg -s bash | grep Version
  Version: 4.3-7ubuntu1.4

OK? Now read on...

LATEST: 2014-09-28

I have successfully downloaded and installed JUST the .deb file without having to edit the sources list from the ORIGINAL LINK below.

Here is the procedure with my notes...

1. Check to see what architecture your system is using (either amd64 or i686)...

sudo uname -a

2. Download the currently installed version of BASH as a Debian Package file (.deb) into the directory you are in...

sudo aptitude download bash

3. Download the new version of BASH from the Ubuntu web site (this example is amd64)...

sudo wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6414574/+files/bash_4.3-7ubuntu1.4_amd64.deb

4. Perform a test of installing the new version of BASH using that downloaded file and check for any errors...

sudo dpkg -i --simulate bash_4.3-7ubuntu1.4_amd64.deb

5. If all is well, now install the new version of BASH...

sudo dpkg -i bash_4.3-7ubuntu1.4_amd64.deb

6. Confirm the new version...

sudo dpkg -s bash |grep Version

7. Confirm the vulnerability test passes...

env X="() { :;} ; echo busted" /bin/sh -c "echo completed"

8. Restart all services that use BASH (as needed on your system)...

sudo service ssh restart
sudo service apache2 restart
sudo service dhcpd restart

9. Breath sigh of relief :)

ORIGINAL LINK

http://cloudgames.com/blog/fix-bash-exploit-old-new-releases-ubuntu-apt-get/

Gentoo

su - root

All Bash 3.1 users should upgrade to the latest version:

emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-3.1_p18"
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version
  

All Bash 3.2 users should upgrade to the latest version:

emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-3.2_p52"
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version

All Bash 4.0 users should upgrade to the latest version:

emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-4.0_p39"
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version
  

All Bash 4.1 users should upgrade to the latest version:

emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-4.1_p12"
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version
  

All Bash 4.2 users should upgrade to the latest version:

emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-4.2_p48"
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version 

HOWEVER, IF YOUR GENTOO PORTAGE TREE IS VERY OLD, OR YOU DO NOT WANT TO UPDATE ALL YOUR SOFTWARE

su - root
mkdir -p /usr/local/portage/app-shells/bash
cd /usr/local/portage/app-shells/bash
wget -O bash-4.2_p48-r1.ebuild http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-shells/bash/bash-4.2_p48-r1.ebuild?revision=1.4
cp -avrf /usr/portage/app-shells/bash/files .
cd files/
wget http://mirrors.163.com/gentoo-portage/app-shells/bash/files/bash-4.2-execute-job-control.patch
wget http://mirrors.163.com/gentoo-portage/app-shells/bash/files/bash-4.2-parallel-build.patch
wget http://mirrors.163.com/gentoo-portage/app-shells/bash/files/bash-4.2-no-readline.patch
wget http://mirrors.163.com/gentoo-portage/app-shells/bash/files/bash-4.2-read-retry.patch
wget http://mirrors.163.com/gentoo-portage/app-shells/bash/files/bash-4.2-speed-up-read-N.patch
wget http://mirrors.163.com/gentoo-portage/app-shells/bash/files/bash-eol-pushback.patch
chown portage:portage bash*
eix-update
cd ..
ebuild bash-4.2_p48-r1.ebuild digest
emerge --fetchonly --verbose --update app-shells/bash
eix -I bash
emerge --ask --oneshot --verbose --update app-shells/bash
eix -I bash
env x='() { :;}; echo vulnerable' bash -c 'echo completed'
bash --version

And, if necessary restart the services which may use BASH...

/etc/init.d/sshd restart
/etc/init.d/apache2 restart
/etc/init.d/dhcpd restart

Links

http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

https://forums.gentoo.org/viewtopic-t-1000670.html

http://packages.gentoo.org/package/app-shells/bash

INVALID STRANGE CHARACTERS IN OUTPUT OF A CRON JOB

Add the following to your crontab file, or the file /etc/environment...

LANG=en_GB.UTF-8

Thanks to LogikDevelopment

SSH: stdin: IS NOT A tty

Put this line at the top of your ~/.bashrc

if [ $(expr index "$-" i) -eq 0 ]; then
   return
fi