- Posted By: abrahamdsl
Good Lord! Blimey! The Shellshock/"Bash shell" bug seems to be more worrisome than the Heartbleed affair.
Therefore, time to patch up our systems (including this site!)
Wait, check first whether your system is affected (99% sure, I guess). Tested on GNU bash, version 4.2.25(1)-release-(x86_64-pc-linux-gnu).

    root@c4rgi-c4chpc:~# env x='() { :;}; echo vulnerable' bash -c 'echo hello'
    vulnerable
    hello
    root@c4rgi-c4chpc:~#

If it does display the above, yes, you are affected by the bug!
A reliable script for doing the patching is the following, as sourced from http://superuser.com/questions/816787/how-do-i-patch-the-shellshock-vulnerability-on-an-obsolete-ubuntu-system-that-i , answer by: unkilbeeg
You might want to save that to a script and run that script.

    mkdir src
    cd src
    wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
    # download all patches (upstream numbering starts at 001)
    for i in $(seq -f "%03g" 1 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
    tar zxvf bash-4.3.tar.gz
    cd bash-4.3
    # apply all patches
    for i in $(seq -f "%03g" 1 25); do patch -p0 < ../bash43-$i; done
    # build and install
    ./configure --prefix=/ && make && make install
    cd ..
    cd ..

One twist in my experience, though: on the first attempt, it did not finish. A prompt asked me which file the patch should be applied to. Earlier on, I ran it on another Ubuntu 12.04 system and did not receive such a prompt. Scrolling up the terminal, it seemed to me that there was some error in downloading the files needed for the patching. I re-ran the script (these lines of code were in a randomly named file, meow.sh) but I only got Segmentation Fault. I tried logging in to the server via another instance of ssh (PuTTY), but the PuTTY window closed after I successfully authenticated.
Good thing I remembered, there's sh! So, if the patch does not complete successfully on your (first) try, DO NOT CLOSE THE TERMINAL UNTIL YOU ARE SUCCESSFUL.
Okay, still in the terminal, you should execute sh (as in, type "sh" without the quotes and press ENTER).

    root@c4rgi-c4chpc:~# ./meow.sh
    Segmentation Fault
    root@c4rgi-c4chpc:~# sh
    # _

You are now running within sh if you see only the hash sign instead of the former <username>@<computername>:~# prompt.
Then re-run the script/commands again as you have done earlier. Try and try until you die successful.
AFTER UPDATE/PATCH

    root@c4rgi-c4chpc:~# env x='() { :;}; echo vulnerable' bash -c 'echo hello'
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    hello
    root@c4rgi-c4chpc:~#

Running the diagnostic command again should give you output similar to the above if you are no longer vulnerable to that bug. At that point, your bash should be version 4.3.25(1)-release-(x86_64-unknown-linux-gnu).
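
An added example, not part of the original post or of the superuser answer: a guarded variant of the download, patch and build steps above that refuses to apply patches when any download is missing or malformed, and runs `make install` only if the freshly built binary starts and passes the diagnostic command. The function names, the `--install` switch and the `Patch-ID:` header check are assumptions of this example.

```shell
#!/bin/sh
BASE=http://ftp.gnu.org/gnu/bash   # download location used on the page
FIRST=1; LAST=25                   # patches bash43-001 .. bash43-025

patch_ids() {                      # print 001, 002, ... for the range
    i=$FIRST
    while [ "$i" -le "$LAST" ]; do printf '%03d\n' "$i"; i=$((i + 1)); done
}

# List patch files in directory $1 that are missing, empty, or lack a
# "Patch-ID: bash43-NNN" line (assumed header format of the patch files).
bad_patches() {
    for n in $(patch_ids); do
        f="$1/bash43-$n"
        if [ ! -s "$f" ] || ! grep -q "^Patch-ID:[[:space:]]*bash43-$n" "$f"; then
            echo "bash43-$n"
        fi
    done
}

# Run the page's diagnostic against the bash binary at $1 and classify it.
shellshock_status() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo hello' 2>/dev/null) ||
        { echo broken; return 0; }           # crashed or could not start
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        hello)        echo patched ;;
        *)            echo broken ;;
    esac
}

main() {
    set -e                                   # stop at the first failed step
    mkdir -p src && cd src
    wget -O bash-4.3.tar.gz "$BASE/bash-4.3.tar.gz"
    # -O overwrites partial files left behind by an earlier attempt
    for n in $(patch_ids); do wget -O "bash43-$n" "$BASE/bash-4.3-patches/bash43-$n" || true; done
    bad=$(bad_patches .)
    [ -z "$bad" ] || { echo "bad downloads:" $bad >&2; exit 1; }
    tar zxf bash-4.3.tar.gz && cd bash-4.3
    for n in $(patch_ids); do patch -p0 < "../bash43-$n"; done
    ./configure --prefix=/
    make
    # Install only if the freshly built binary starts and passes the check.
    [ "$(shellshock_status ./bash)" = patched ] || { echo "not installing" >&2; exit 1; }
    make install
}

if [ "${1:-}" = "--install" ]; then main; fi
```

The header check catches missing or truncated downloads, not tampering. The files are fetched over plain HTTP, so verify them against the detached `.sig` signatures GNU publishes next to each file before building.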