LebGeeks

Prince

Member

Bash Bug

Hello Guys

I was hopping around internet news and found out this

A newly discovered security bug in a widely used piece of Linux software, known as "Bash," could pose a bigger threat to computer users than the "Heartbleed" bug that surfaced in April, cyber experts warned on Wednesday.

Bash is the software used to control the command prompt on many Unix computers. Hackers can exploit a bug in Bash to take complete control of a targeted system, security experts said.

The Department of Homeland Security's United States Computer Emergency Readiness Team, or US-CERT, issued an alert saying the vulnerability affected Unix-based operating systems including Linux and Apple Inc's Mac OS X.

Anyone knows how can someone control a Linux / Unix as we all know bash is a local script called internally from the server
and the only way to make it run  every 1 minute as the minimum time  using crontab
2nd thing getting on my mind how can you hack using bash if you can't get ssh access with a username / password to a public linux server

3rd on local desktop like Ubuntu  , LinuxMinit , Debain , Fedora , CentOS etc.. you got access to bash using terminal  from a username but we all know that the user has a privilege he can't bypass   to use  a root privilege still he can do some evil things on it but you can easily catch it .

hussam

Member

Re: Bash Bug

It's not a ~privilege escalation issue.
The issue is how environment variables are processed resulting in bash running code you didn't intend it to do.

Hybrid

Member

Re: Bash Bug

According to godaddy, bash is the shell used by their servers. https://pbs.twimg.com/media/ByWUeobCIAARuNU.png

But in reality, you can bomb fork, DDOS, inject code into webservers that run cgi handler and some other cool stuff

rolf

Member

Re: Bash Bug

Not to hijack the conversation, but this is one of these days where I'm happy that I'm running Windows on my server. I was not directly affected by the SSL bug earlier this year either, although a couple of server processes might have been.
There are other nice things about Windows as well.

Hybrid

Member

Re: Bash Bug

Godaddy shared hosts are still vulnerable after so many hours, unless they did some other workaround.

-bash-3.2$ env x='() { :;}; echo vulnerable'  bash -c "echo vun"
vulnerable
vun

Last edited by Hybrid (September 25 2014)

arithma

Member

Re: Bash Bug

Not to hijack the conversation, but this is one of these days where I'm happy that I'm running Windows on my server. I was not directly affected by the SSL bug earlier this year either, although a couple of server processes might have been.
There are other nice things about Windows as well.

Not to beat down on Microsoft or you, but Microsoft does still have its fair share of vulnerabilities, some of them spooky.
http://www.cvedetails.com/vulnerability … osoft.html

Anyway, Microsoft is becoming less of a major target with all the move to Android and Linux Servers...

Last edited by arithma (September 25 2014)

hussam

Member

Re: Bash Bug

It is fixed in bash 4.3.25
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025
I just compiled and installed the update on my computer.

Hybrid

Member

Re: Bash Bug

A final patch has been released earlier today. If you patched yesterday, you are required to re-patch today.

Some mirrors are still getting updated though.
More info:
https://rhn.redhat.com/errata/RHSA-2014-1306.html
https://bugs.debian.org/cgi-bin/bugrepo … =762760#56

To test if your server is vulnerable:

CVE-2014-6271 (Yesterday's patch)

env x='() { :;}; echo vulnerable'  bash -c "echo vun"

you're vulnerable if the output is:
vulnerable
vun

CVE-2014-7169

env X='() { (a)=>\' sh -c "echo date"; cat echo

You're vulnerable if a file is created called "echo" containing the current date

hussam

Member

Re: Bash Bug

Can't find a new patch http://ftp.gnu.org/gnu/bash/bash-4.3-patches/

Hybrid

Member

Re: Bash Bug

Can't find a new patch http://ftp.gnu.org/gnu/bash/bash-4.3-patches/

Compiling the last version from the source is not vulnerable as far as I know.

But I meant if you're updating from the repos, you have to re-update because the patch that were released yesterday were incomplete.

samer

Admin

Re: Bash Bug

Thank you for the heads-up Hybrid. The Debian wheezy repos have been updated with the properly patched version.