Wednesday, October 08, 2014

The Shellshock Security Exploits CVE-2014-6271 CVE-2014-6277 CVE-2014-6278 CVE-2014-7169


Computerphile: Shellshock

There has been much press coverage of an astonishingly simple security error in bash (the Bourne Again SHell), the UNIX command line interpreter.

bash is the default command line interpreter on Linux computers and is present on most UNIX computers and on Apple OSX. bash is also present on smartphone operating systems like Apple iOS and Google's Android.

Worse, since Linux today underpins many consumer electronics devices, bash may also be embedded somewhere in programs that run on those systems.

This is a simple post where I updated my CentOS Linux systems to become protected. It takes only a few seconds and it is an online fix (no need for a reboot of the computer).


Description
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Testing The Exploit

cd /tmp;rm echo 2>/dev/null
X='() { function a a>\' bash -c echo 2>/dev/null > /dev/null
if [ -e echo ]; then
    echo -e "\033[91mVulnerable to CVE-2014-7169 (taviso bug)\033[39m"
else
    echo -e "\033[92mNot vulnerable to CVE-2014-7169 (taviso bug)\033[39m"
fi


env x='() { :;}; echo vulnerable' bash -c "echo this is a test of Shellshock"

Here are two command lines that you can copy and paste into a bash command line to test.
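The two checks above, wrapped into functions so that a script can act on the result. This is an added example, not part of the original post: the function names and the "vulnerable"/"patched" strings are its own, and the CVE-2014-7169 check runs in a private temporary directory instead of /tmp.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# "vulnerable"/"patched" result strings are this example's own choices.

# CVE-2014-6271: an unpatched bash executes the command that trails the
# function definition while it imports variable x from the environment.
check_6271() {
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$1" -c ':' 2>/dev/null)
    case $out in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# CVE-2014-7169: an unpatched bash is left mid-redirection by the malformed
# definition and creates a file named "echo" in the current directory.
# Run it in a private mktemp directory, so nothing in /tmp is touched.
check_7169() {
    work=$(mktemp -d) || return 2
    ( cd "$work" && X='() { function a a>\' "$1" -c echo >/dev/null 2>&1 ) || :
    if [ -e "$work/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$work"
    echo "$result"
}

# One status line per binary; exit status 0 only if both checks pass,
# 2 if the binary cannot be found (so "missing" is never read as "patched").
shellshock_report() {
    bin=$(command -v "${1:-bash}") || { echo "no-bash"; return 2; }
    r1=$(check_6271 "$bin")
    r2=$(check_7169 "$bin")
    echo "CVE-2014-6271=$r1 CVE-2014-7169=$r2"
    [ "$r1" = patched ] && [ "$r2" = patched ]
}

shellshock_report bash || echo "bash needs updating (or was not found)" >&2
```

The exit status of shellshock_report makes it usable from a cron job or configuration-management run, before and after the package update.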


Linux Mint 17 test result before fix
mint17 ~ # env x='() { :;}; echo vulnerable' bash -c "echo this is a test of Shellshock"
vulnerable

this is a test of Shellshock

mint17 ~ # bash --version | grep "bash" | cut -f 4 -d " " | cut -d "-" -f 1  | cut -d "(" -f 1
4.3.8


Linux CentOS 7 Test before fix
env x='() { :;}; echo vulnerable' bash -c "echo this is a test of Shellshock"
vulnerable

this is a test of Shellshock

bash --version | grep "bash" | cut -f 4 -d " " | cut -d "-" -f 1  | cut -d "(" -f 1
4.2.45

Apple OSX 10.9.2 Test before fix
env x='() { :;}; echo vulnerable' bash -c "echo this is a test of Shellshock"
vulnerable

this is a test of Shellshock


Fixing the Issue with CentOS
[root@centos7 ~]# yum update bash
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * Webmin: webmin.mirror.somersettechsolutions.co.uk
 * base: mirror.switch.ch
 * epel: mirror.switch.ch
 * extras: mirror.switch.ch
 * updates: mirror.switch.ch
Resolving Dependencies
--> Running transaction check
---> Package bash.x86_64 0:4.2.45-5.el7_0.2 will be updated
---> Package bash.x86_64 0:4.2.45-5.el7_0.4 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================
 Package                               Arch                                    Version                                           Repository                                Size
=================================================================================
Updating:
 bash                                  x86_64                                  4.2.45-5.el7_0.4                                  updates                                  1.0 M

Transaction Summary
=================================================================================
Upgrade  1 Package
Total download size: 1.0 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs reduced 1.0 M of updates to 453 k (55% saved)
bash-4.2.45-5.el7_0.2_4.2.45-5.el7_0.4.x86_64.drpm                                                                                                       | 453 kB  00:00:00     
Finishing delta rebuilds of 1 package(s) (1.0 M)
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : bash-4.2.45-5.el7_0.4.x86_64                                                                                                                                 1/2 
  Cleanup    : bash-4.2.45-5.el7_0.2.x86_64                                                                                                                                 2/2 
  Verifying  : bash-4.2.45-5.el7_0.4.x86_64                                                                                                                                 1/2 
  Verifying  : bash-4.2.45-5.el7_0.2.x86_64                                                                                                                                 2/2 

Updated:
  bash.x86_64 0:4.2.45-5.el7_0.4                                                                                                                                                

Complete!


After Fixing
[root@centos7 ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test of Shellshock"
this is a test of Shellshock



Learning Points

Sometimes we find that UNIX-based or UNIX-like operating systems such as Apple OSX and GNU Linux are vulnerable to attacks. Remember, in this instance Microsoft Windows systems are not affected.

In our example using CentOS, a Linux-based operating system, the yum command can be used to fix the problem online, within seconds and without a reboot.


Links
CVE-2014-7169 Common Vulnerabilities and Exposures
Computerphile Shellshock