Forum Discussion
skilke (Aspirant)
Sep 25, 2014
BASH exploit - Shellshock
Hi
I have a ReadyNas Ultra 2 and it has version 3.1.17 of BASH installed which has a High risk vulnerability.
Can somebody please explain how to patch BASH so that my system is not at risk from this vulnerability. I have tried downloading the source, the patch and patching but 1 file did not patch successfully. If anyone can post some step by step instructions it would be really appreciated (as I am not an expert).
Many thanks
K
76 Replies
- super_poussin (Virtuoso)
root@Louloute:~# apt-get install bash
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
bash-doc
Recommended packages:
bash-completion
The following packages will be upgraded:
bash
1 upgraded, 0 newly installed, 0 to remove and 54 not upgraded.
Need to get 1,439 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://security.debian.org/ wheezy/updates/main bash armel 4.2+dfsg-0.1+deb7u1 [1,439 kB]
Fetched 1,439 kB in 2s (719 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 28822 files and directories currently installed.)
Preparing to replace bash 4.2+dfsg-0.1 (using .../bash_4.2+dfsg-0.1+deb7u1_armel.deb) ...
update-alternatives: warning: alternative /usr/share/man/man7/bash-builtins.7.gz (part of link group builtins.7.gz) doesn't exist; removing from list of alternatives
Unpacking replacement bash ...
Setting up bash (4.2+dfsg-0.1+deb7u1) ...
update-alternatives: using /usr/share/man/man7/bash-builtins.7.gz to provide /usr/share/man/man7/builtins.7.gz (builtins.7.gz) in auto mode
the patched version is installed :) http://security.debian.org/ wheezy/updates/main bash armel 4.2+dfsg-0.1+deb7u1
- xeltros (Apprentice)
On my non-patched system I have 4.2+dfsg-0.1, so this confirms changes were made.
- mathuin (Aspirant)
Skywarp wrote: I've had a look myself, and can confirm the vulnerable bash version, however, I haven't found a way to remotely trigger this.
I.e. you need to have SSH access to the box as far as I can see for now.
I'll await the answer from the devs, to see if they have any more information on this.
If you want to be extra safe/paranoid, indeed disable port forwards to your ReadyNAS.
http://www.troyhunt.com/2014/09/everyth ... about.html
Remote code execution is pretty easy in the general case with this bug because web servers are usually running on bash or bash-derived shells and the CGI spec (http://www.ietf.org/rfc/rfc3875) requires certain information to be exported to the environment -- which under Unix variants is most often done with environment variables. So if you've got the web server port-forwarded and accessible from the outside, you're very likely to be vulnerable.
Jack.
- skilke (Aspirant)
When I execute apt-get install bash, I am told that I am using the latest version of Bash - nothing to update. I'm not, and I am still vulnerable.
How do I update my repos and what repos do I need to add? I'm running an Ultra 2. Any help much appreciated.
- GibsonLP (Aspirant)
Hi, I have a few RNpro and a couple of NV+ boxes that need urgent updates.
If you are not going to provide a fix for these versions - can you please provide an SDK so we could cross-compile a new bash for the NV+? I can probably deal with the old glibc on the RNpro, but the sparc with the old environment on the NV+ makes cross-compiling using buildroot a PITA (not even sure if it is supported to begin with).
Thanks.
- xeltros (Apprentice)
apt-get update will update the repo. I believe the default ones are good. Otherwise you would have to add the current Debian repository.
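Two things in the posts above are worth turning into a repeatable check: skilke's "I am still vulnerable" (the package manager saying nothing is newer does not mean the binary is fixed) and mathuin's point that a CGI web server exports request headers into the environment, which is what makes the bug remotely reachable. The script below is an added example, not code from anyone in this thread. It probes a given bash binary for the two original Shellshock bugs by planting the payload in an environment variable; the variable name HTTP_USER_AGENT is chosen only to mirror what a CGI server would export from a request header (RFC 3875), any name works. It assumes a POSIX sh plus `env` and `mktemp`, and is meant to be run on the NAS against the installed bash (or against a freshly built binary before you copy it into place).

```shell
#!/bin/sh
# Added example (not from the thread): probe a bash binary for the two
# original Shellshock bugs. Run this after "apt-get install bash" or after
# installing a self-built bash, rather than trusting the package version.

# Print the version string bash reports about itself (patch level is the
# last component, e.g. 4.2.53(1)-release).
bash_version() {
    "${1:-bash}" -c 'printf "%s\n" "$BASH_VERSION"'
}

# shellshock_check [bash_binary] [env_var_name]
# Prints "patched" and returns 0 if neither test fires; otherwise prints
# "vulnerable:" followed by the CVE ids that reproduced and returns 1.
# The env var name defaults to HTTP_USER_AGENT to mimic the CGI path.
shellshock_check() {
    bash_bin="${1:-bash}"
    var="${2:-HTTP_USER_AGENT}"
    hits=""

    # CVE-2014-6271: a function definition in an env var followed by a
    # trailing command. Vulnerable bash runs the trailing command while
    # importing the function, before "-c" is even looked at.
    out=$(env "$var=() { :;}; echo SHELLSHOCK_6271" "$bash_bin" -c 'echo probe' 2>&1)
    case "$out" in
        *SHELLSHOCK_6271*) hits="$hits CVE-2014-6271" ;;
    esac

    # CVE-2014-7169: the incomplete first fix. A parser bug leaks the
    # redirection out of the function body, so "echo date" turns into
    # ">echo date" and writes a file named "echo" in the current
    # directory. Use a scratch directory so nothing real gets clobbered.
    tmp=$(mktemp -d) || return 2
    if (
        cd "$tmp" || exit 2
        env "$var=() { (a)=>\\" "$bash_bin" -c 'echo date' >/dev/null 2>&1
        [ -e echo ]
    ); then
        hits="$hits CVE-2014-7169"
    fi
    rm -rf "$tmp"

    if [ -z "$hits" ]; then
        echo patched
        return 0
    fi
    echo "vulnerable:$hits"
    return 1
}

# Usage on the NAS:
#   shellshock_check /bin/bash              # installed shell
#   shellshock_check ./bash-4.3/bash        # a freshly built binary
#   bash_version /bin/bash
```

A patched bash prints "probe" (often with a warning on stderr about ignoring a function definition attempt) and leaves the scratch directory empty; an unpatched one echoes SHELLSHOCK_6271 and/or creates the `echo` file. On an armel/wheezy box the version reported after the deb7u1 update above should be 4.2.x with a patch level high enough to carry these fixes; on a box that still shows 3.1, as later in this thread, nothing in `apt-get` will help and the binary has to be replaced by other means.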
- GibsonLP (Aspirant)
Is there any Debian repo that is good for the sparc versions? Which one is okay for the Pro?
Thanks.
As for the sparc fix:
I actually downloaded the compiler available here:
http://kb.netgear.com/app/answers/detai ... s-compiler
I managed to build a patched bash 4.3, Feel free to contact me if you wish to get the compiled binary.
If you want to build it for yourself:
Make sure to untar the tarball to / and have everything in your path.
# Make sure to have yacc (comes with the bison package) as well as build-essential. This should work on any deb-based machine:
sudo apt-get install bison build-essential
# get bash 4.3 sourcecode
mkdir bashsrc && cd bashsrc
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
tar xvf bash-4.3.tar.gz
cd bash-4.3
# download and apply all patches, including shellshock patch
for i in {001..025}; do
wget -nv http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-${i}
patch -p0 < bash43-${i}
done
# compile
./configure --host sparc-linux && make
# Strip
sparc-linux-strip bash
Copy the new bash to its place.
Does anyone have an NV+ or any other sparc-based NAS he is willing to test bash 3.2 on? I am a bit afraid to check it on the one I have here, as if for some reason it broke anything and wouldn't boot I'd be screwed.
- Skywalker (NETGEAR Expert)
New betas have been posted for both the 4.1 and 4.2 lines.
- GibsonLP (Aspirant)
Thanks!
- btaroli (Prodigy)
I notice that on the 516 (with 6.1.9) the /etc/apt/sources.list contains (amongst other things):
deb http://mirrors.kernel.org/debian wheezy main
deb http://security.debian.org/ wheezy/updates main
But a Pro6 running 4.2.26 has similar lines commented:
#deb http://archive.debian.org/debian etch main
And when I checked security.debian.org they didn't have anything for "etch" there. So, perhaps if we knew the appropriate source to add for 4.2 you could follow the same procedure. Any hints?
Oh, and where the package version on 6.1.9 was 4.2+..., the package version on 4.2.26 shows up as:
# dpkg -l | grep bash
ii bash 3.1dfsg-8 The GNU Bourne Again SHell