Patching the Shellshock/Bash shell bug or vulnerability ( for Ubuntu 12.04 at least ) | Capt. Llave under Los Baños-Makati conditions

September 26 2014

In:
Tags:
Secuirty
Cybersecurity
Shellshock
Bash
Bash shell
hacking
Serious
Posted By: abrahamdsl
Comments: 0

Good Lord! Blimey! The Shellshock/"Bash shell" bug seems to be more worrisome than the Heartbleed affair.
Therefore, time to patch up our systems (including this site!)

Wait, check first if your system is affected ( 99% sure I guess ). Tested on GNU bash, version 4.2.25(1)-release-(x86_64-pc-linux-gnu) .

root@c4rgi-c4chpc:~#env x='() { :;}; echo vulnerable' bash -c 'echo hello'<br>vulnerable<br>hello<br>root@c4rgi-c4chpc:~#

If it does display the above, yes, you are affected by the bug!

A reliable script for doing the patching is the following, as sourced from http://superuser.com/questions/816787/how-do-i-patch-the-shellshock-vulnerability-on-an-obsolete-ubuntu-system-that-i , answer by: unkilbeeg

You might want to save that to a script and run that script.

mkdir src<br>cd src<br>wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz<br>#download all patches<br>for i in $(seq -f "%03g" 0 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done<br>tar zxvf bash-4.3.tar.gz<br>cd bash-4.3<br>#apply all patches<br>for i in $(seq -f "%03g" 0 25);do patch -p0 &lt; ../bash43-$i; done<br>#build and install<br>./configure --prefix=/ &amp;&amp; make &amp;&amp; make install<br>cd ..<br>cd ..

One twist in my experience though: on the first attempt, it did not finish. I was asked by a prompt, on which file should the patch be applied. Earlier on, I ran it on another Ubuntu 12.04 system and did not receive such a prompt. Scrolling up the terminal, it seemed to me that there was some error in downloading files needed for the patching. I re-ran the script again ( these lines of code were in a randomly-named file meow.sh ) but I only got Segmentation Fault. I tried logging in to the server via another instance of ssh (Putty) but the Putty window closes after I successfully authenticated.

Good thing I remembered, there's sh! So, if the patch does not complete successfully at your (first) try, DO NOT CLOSE THE TERMINAL UNTIL YOU ARE SUCCESSFUL.

Okay, still in the terminal, you should execute sh. ( As in type "sh" without the quotes and press ENTER ).

root@c4rgi-c4chpc:~# ./meow.sh<br>Segmentation Fault<br>root@c4rgi-c4chpc:~# sh<br># _

You are now running within sh if you now only see the hash sign instead of the former <username>@<computername>:~# prompt.

Then re-run the script/commands again as you have done earlier. Try and try until ~~you die~~ successful.

AFTER UPDATE/PATCH

root@c4rgi-c4chpc:~#env x='() { :;}; echo vulnerable' bash -c 'echo hello'<br>bash: warning: x: ignoring function definition attempt<br>bash: error importing function definition for `x'<br>hello<br>root@c4rgi-c4chpc:~#

Running again the diagnostic command shall give you a similar otuput as above if you are not anymore vulnerable to that bug. At that point, your bash should be version 4.3.25(1)-release-(x86_64-unknown-linux-gnu).