Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I'm on debian: SID atm. And when i try the command:
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If your system is compromised you should be able to see "vulnerable" and "this is a test".
However. I can only see the part where it echo's "this is a test".
If the bash shell is patched it should give this error.
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
But it doesn't!
I have updated bash to latest version. Anyone have a clue?
the fixes i tried (.1 and .2 ver of latest bash on CentOS 6final)
both did not behave like this
Code:
The patch used to fix this flaw, ensures that no code is allowed after the end of a bash function. So if you run the above example with the patched version of bash, you should get an output similar to:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
The only time I saw that is when I was running on a system where "bash" wasn't really bash, it was a symlink to busybox or sh or something else.
edit: I just installed x.2 of the CentOS bash fix, now I just get "this is a test" on the first one, and
Code:
date
Thu Sep 25 15:22:19 MDT 2014
For the second.
I was under the impression that if you received a date on the second test it was still vulnerable, so is this not yet fixed? I understand the first test fully, but I don't really "get" the second test, so I can't say what the proper behavior should be.
Last edited by suicidaleggroll; 09-26-2014 at 09:59 AM.
CVE-2014-7169, the additional vulnerability has been fixed. You can find the patch here. This is the result of a test exploit I ran on a patched and recompiled version of bash:
Code:
user@host:~$ env X='() { (a)=>\' bash -c "file echo vulnerable; cat file"
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
echo: ERROR: cannot open `echo' (No such file or directory)
vulnerable: ERROR: cannot open `vulnerable' (No such file or directory)
cat: file: No such file or directory
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
date
cat: echo: No such file or directory
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
date
cat: echo: No such file or directory
as example, release 15.el6_5.2 for bash 4.1.2 fixes both issues from what i see.
this page http://ftp.gnu.org/gnu/bash/bash-4.3-patches/ doesnt seem to list the files they used on 25Sep2014. i suspect if the build date is not 25Sep2014 or later than you dont have the latest fixed version. i guess you are looking for -026
Last edited by Linux_Kidd; 09-26-2014 at 11:58 AM.
Oops, I just copied and pasted, didn't notice it was running sh instead of bash. Either way, on both my CentOS and Debian systems sh is symlinked to bash, so the result is the same.
For the better test:
Code:
$ env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("
echo vuln
cat: echo: No such file or directory
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
