Reefa Posted September 24, 2014

A critical vulnerability in the Bourne again shell, simply known as Bash and which is present in most Linux and UNIX distributions and Apple’s Mac OS X, has been discovered and administrators are being urged to patch immediately.

The flaw allows an attacker to remotely attach a malicious executable to a variable that is executed when Bash is invoked.

“It’s super simple and every version of Bash is vulnerable,” said Josh Bressers, manager of Red Hat product security. “It’s extremely serious, but you need very specific conditions in place where a remote user would be able to set that environment variable. Thankfully, it’s not common.”

For context, Bash is present everywhere on Linux and UNIX systems, and this bug will invite comparisons to the Heartbleed OpenSSL vulnerability.

The Bash bug was discovered by Stephane Chazelas, a Unix and Linux network and telecom administrator and IT manager at U.K. robotics company SeeByte Ltd. Patches are starting to roll out from the major Linux distributions, Red Hat included, which acted immediately upon learning of Chazelas’ discovery once it was posted to the OSS security mailing list.

“Lots of stuff calls Bash and I would bet you there are things in most environments that call Bash and you don’t even know they’re doing it,” Red Hat’s Bressers said. “We did a ton of analysis on various things Red Hat ships that we decided were a high risk. It’s one of those situations where there are infinite variants you have to deal with. Heartbleed, for example, was easy to understand and all were affected the same way.”

“No two systems are affected the same way here. Upgrade Bash and don’t mess around,” Bressers said. “Even if you think you’re OK, you’re probably not.”

Bressers said the vulnerability allows an attacker to create environment variables that include malicious code before the system calls the Bash shell.

“These variables can contain code, which gets executed as soon as the shell is invoked,” Bressers wrote in a blogpost. “The name of these crafted variables does not matter, only their contents.”

Some of the more critical instances where the vulnerability may be exposed are on Apache servers, for example, using mod_cgi or mod_cgid if either of those scripts is written in Bash. The vulnerability can also be used to bypass ForceCommand in sshd configs, Bressers wrote. ForceCommand is supposed to limit remote code execution, but exploiting this vulnerability sidesteps that protection. Some Git deployments over SSH would be affected here.

Red Hat includes links to a diagnostic step that would allow users to test for vulnerable versions of Bash. The patch ensures that executable code is not allowed after the end of a bash function.

“It’s one package, and you don’t have to restart your system or restart services,” Bressers said of the patch. “Once researchers start looking at this, there’s always the fear they will figure something new out. Hopefully not, otherwise we may have to start over.”

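Added example, not part of the quoted article or of any post in this thread: a log check for the mod_cgi exposure the article describes, flagging Apache combined-format entries whose Referer or User-Agent value starts with the function-definition prefix seen in the test command posted in the replies. The sample log lines, addresses and the /cgi-bin/status.sh path are constructed for illustration.

```python
import re

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?:[^"\\]|\\.)*" \d{3} \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Leading characters of the value in the thread's test command: env x='() { :;}; ...'
FUNC_PREFIX = "() {"

# Constructed sample lines (documentation-range addresses, hypothetical CGI path).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status.sh HTTP/1.0" 200 64 "-" "() { :;}; echo vulnerable"',
    '203.0.113.5 - - [25/Sep/2014:10:02:30 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 64 "() { :;}; echo vulnerable" "curl/7.38.0"',
    '192.0.2.44 - - [25/Sep/2014:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 90 "-" "Mozilla/5.0 () { not at start"',
    'not a log line',
]


def scan(lines):
    """Return (hits, unparsed): hits are (line_no, host, field) tuples for
    header values shaped like a function definition; unparsed lists the
    numbers of lines that did not match the log format."""
    hits, unparsed = [], []
    for no, line in enumerate(lines, 1):
        m = COMBINED.match(line.rstrip("\n"))
        if m is None:
            unparsed.append(no)  # report malformed lines instead of dropping them
            continue
        for field in ("referer", "agent"):
            # Only the start of the value matters, not where it appears later.
            if m.group(field).startswith(FUNC_PREFIX):
                hits.append((no, m.group("host"), field))
    return hits, unparsed


if __name__ == "__main__":
    hits, unparsed = scan(SAMPLE_LOG)
    for no, host, field in hits:
        print(f"line {no}: {host} sent a function-definition value in {field}")
    print("unparsed lines:", unparsed)
```

The combined format records only the Referer and User-Agent headers, so values arriving in other request headers are visible only if the LogFormat is extended to log them.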
oliverjia Posted September 24, 2014

Oh well. How come this simple bug existed for so long on multiple open source OS is beyond me.

totoymola Posted September 24, 2014

Ubuntu released a bash update. I'm not sure if it was to patch this vulnerability.

steven36 Posted September 25, 2014

This is the test to see if you are vulnerable:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

totoymola Posted September 25, 2014

> This is the test to see if you are vulnerable:
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

That command reminds me of the evil forkbomb. :D

WARNING: DO NOT EXECUTE

:(){ :|: & };:

humble3d Posted September 26, 2014

:blush2:

smallhagrid Posted September 26, 2014

An opinion from a Linux user & reviewer:

From the description below the video =>

Published on Sep 26, 2014

Nope just sit back, relax and have a beer, then do your system updates

In this video I discuss the over hyped vulnerability named ShellShock, and what you need to do about it as a home Linux user.

Test from: http://lifehacker.com/how-to-check-if-your-mac-or-linux-machine-is-vulnerable-

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If you're vulnerable you'll get:

vulnerable
hello

If you're not vulnerable you'll get:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

ftechno Posted September 26, 2014

THIS IS A TEST FROM MY MULTIBOOT COMPUTER

UBUNTU 14.04.1 : Vulnerability PATCHED
MAC OS X 10.9.5 : Vulnerability EXISTS
Windows 8.1 : out zone ;)

ande Posted September 28, 2014

https://github.com/mubix/shellshocker-pocs/blob/master/README.md

smallhagrid Posted September 28, 2014

Showing use of ShellShock exploit to create a Reverse Shell with Netcat, which I then use to launch an attack against Windows systems on the network with an IPV6 Router Advertisement Attack.

Code example: http://quidsup.net/scripts/?p=shellshock