!!!! Bash exploit! Warning! CVE-2014-6271

gihan

@ATHK thank you very much my friend

GreenHostBox

An update for Bash was just released to address CVE-2014-7169 and it is recommended that you update as soon as possible. This resolves the incomplete patch for CVE-2014-6271 (''ShellShock'').

Info Links:

https://rhn.redhat.com/errata/RHSA-2014-1306.html

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762760#56



Ongoing Discussion via WHT:

http://www.webhostingtalk.com/showthread.php?t=1414839

ATHK

Thanks @GreenHostBox, Updated two boxes so far and the command no longer works.

~#> env X='() { (a)=>\' sh -c "echo date"; cat echo
date
cat: echo: No such file or directory

cassa

@ATHK said:
For anyone unable to click that twitter link the new command is

env X='() { (a)=>\' sh -c "echo date"; cat echo

Outputs some errors, the time and creates a file called "echo" with the date inside.

sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Fri Sep 26 13:01:33 EST 2014

So is this right, or isn't it:

# env X='() { (a)=>\' sh -c "echo date"; cat echo
date
cat: echo: No such file or directory
# cat echo
cat: echo: No such file or directory

ATHK

@cassa looks fine to me

Vulnerable bash's return this

sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Fri Sep 26 13:01:33 EST 2014

sleddog

There's another bash released for Debian/Ubuntu, apt-get update && apt-get upgrade again....

Rami

@cassa Got the same

~# env X='() { (a)=>\' sh -c "echo date"; cat echo

date

cat: echo: No such file or directory

Am I safe now?

Hybrid

@Rami said:
Am I safe now?

yep

geodirk

Does anyone have instructions for how to compile from source? I have an Ubuntu 10.04 system that is still vulnerable and for which there currently are no updates.

Thanks

rds100

There IS an update for ubuntu 10.04. Try updating again? Or maybe try another mirror?

souen

It should be making its rounds to the mirrors, but if you need to apply the update manually, deb available:

https://launchpad.net/ubuntu/lucid/i386/bash/4.1-2ubuntu3.2

https://launchpad.net/ubuntu/lucid/amd64/bash/4.1-2ubuntu3.2

geodirk

rds100 said: There IS an update for ubuntu 10.04. Try updating again? Or maybe try another mirror?

Yep, you are right. I'm updated now.

Saahib

I get this :

 # env X='() { (a)=>\' sh -c "echo date"; cat echo
date
Fri Sep 26 23:35:06 MSD 2014

Am I safe ?

souen

@Saahib: need update, it should show output like in Rami's post above if patched.

ATHK

You can find some instrusctions for compiling for source here - https://shellshocker.net

Also it has a few other goodies.

PremiumN

According to a Google Security Researcher who was able to defeat all of the current patches and make the vulnerability easier to exploit, they are now recommending the following unofficial patch until it is pushed upstream:

http://www.openwall.com/lists/oss-security/2014/09/25/13

Further Information:

http://www.itnews.com.au/News/396256,further-flaws-render-shellshock-patch-ineffective.aspx

We will continue to update HSL when new patches are released!

natestamm

Just want to mention aptitude update && aptitude upgrade should fix for us who prefer / use as an alternative to apt-get.

virtualizor

@natestamm I guess the patch is still incomplete

BBTN

Are you up-to-date? ->

https://twitter.com/marleng2/status/518069229065875456