Pretty major Linux exploit with Bash

Red Squirrel

http://seclists.org/oss-sec/2014/q3/649

Patch up ASAP.

This is probably worse than Heartbleed.

Basically remote code can be executed via various services such as apache due to a bash exploit.

Embargo period was today so this info is fresh and there may be more info that comes out to public. Best to patch before that point.
 

smakme7757

Reading various comments on various news sites, it's funny how people are saying "I thought open source didn't have these problems".

The general public seem to forget that the point of more eyes on the code is to actually find these problems :).
 

lxskllr

Got the patch in Debian testing today. If you want to see if you're patched or not, paste this in your shell...

Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
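Added example, not from the thread: the same `() {` function-definition prefix that the shell test above relies on is what a Shellshock probe has to put into an HTTP header for a CGI script to pass on to bash, so an Apache access log can be swept for it. The log lines and hosts below are constructed for illustration; the field names and the `find_probes` helper are this example's own.

```python
import re

# Apache "combined" log format:
#   host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Bash's exported-function prefix "() {" is what the env-variable test above
# relies on; a request field carrying it is a Shellshock probe. Whitespace
# between the parentheses and the brace is optional, so tolerate it.
PROBE_RE = re.compile(r'\(\s*\)\s*\{')

def parse_line(line):
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip('\n'))
    return m.groupdict() if m else None

def find_probes(lines):
    """Return (host, field, value) for every request field carrying the prefix."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            # A probe may deliberately break the log format: still search raw text.
            if PROBE_RE.search(line):
                hits.append(('?', 'raw', line.strip()))
            continue
        for field in ('request', 'referer', 'agent'):
            if PROBE_RE.search(rec[field]):
                hits.append((rec['host'], field, rec[field]))
    return hits

# Constructed sample lines (not real traffic, documentation-range hosts): a normal
# request, a probe in the User-Agent, a probe in the Referer, and a malformed line.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:15:32 +0000] "GET /index.html HTTP/1.1" '
    '200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:16:01 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; echo vulnerable"',
    '198.51.100.7 - - [25/Sep/2014:10:16:09 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '500 0 "() { :; }; echo vulnerable" "curl/7.37.0"',
    'not a log line but still carries () { :;}; echo vulnerable',
]

if __name__ == '__main__':
    for host, field, value in find_probes(SAMPLE_LOG):
        print(host, field, value, sep='\t')
```

A hit only shows that something sent the prefix; whether the request reached a CGI script on an unpatched bash is what the status code and the patch check above answer.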
 

Red Squirrel

Nice! Was wondering what was a good way to do it within the OS. My public-facing server is not vulnerable; my home ones are, but I'm not that concerned at this point as they're not public facing. I'll still be doing updates though.
 

Nithin

Any information about android? Can't seem to find anything conclusive. Does it ship with bash?
 

IGemini

Stock Android uses a different shell. Unless you're rooted and have bash explicitly installed, you most likely don't have it, but it depends on the developer. I think CyanogenMod makes use of bash.
 

Nithin

Stock Android uses a different shell. Unless you're rooted and have bash explicitly installed, you most likely don't have it, but it depends on the developer. I think CyanogenMod makes use of bash.

Thanks, good to know. It's a Moto G and a Nexus 7, so they should be stock Android.
 

jhu

Stock Android uses a different shell. Unless you're rooted and have bash explicitly installed, you most likely don't have it, but it depends on the developer. I think CyanogenMod makes use of bash.

CyanogenMod uses ash (within BusyBox). But it appears bash is present in /system/xbin.
 

bbhaag

How do I know if I'm patched up properly? I pasted the command that was in the Ars article into the terminal but the output doesn't read the same as the article suggests it should. Do you guys think I'm ok?
 

Red Squirrel

May want to run another yum/apt update as I noticed there was another patch recently. I think they're looking for more bugs now and it sounds like some of this code is really old and may be buggy.
 

bbhaag

^^^^ According to this link we are patched - http://www.linuxnews.pro/patch-bash-shell-shock-centos-ubuntu/
Synaptic reports version 4.3-7ubuntu1.4
Thanks for the link. Makes me feel a bit better.

Fascinating article. Makes you wonder just how much code is still out there that has its roots in the early days of modern computing. It also makes you contemplate just how secure open source software is.
 

Jodell88

Fascinating article. Makes you wonder just how much code is still out there that has its roots in the early days of modern computing. It also makes you contemplate just how secure open source software is.
Actually, it goes to show how little support some critical software gets. OpenSSL had three guys working on it and bash has one.
 

MrColin

Fascinating article. Makes you wonder just how much code is still out there that has its roots in the early days of modern computing. It also makes you contemplate just how secure open source software is.

It has already been patched in the main Linux distros, while Apple is taking their sweet time and letting the fanboy PR engine play it down. Arguably, it isn't as significant on OS X, as almost nobody has public-facing services on Macs. Standing on the shoulders of giants...