wreiske / shellshocker
The code behind https://shellshocker.net/
Only some of the static public-facing content is in this repo and not actually the /shock file. So the website is still a "black box".
Without a License it's unclear who can legally use the shellshocker code and how.
CVE-2014-6271 (original shellshock): -e not vulnerable
sh: 61: Syntax error: Missing '))'
env: Ubuntu 14.04 LTS
I tried the command
curl https://shellshocker.net/fixbash | sh
and finished the patch. But using a known test script it still showed CVE-2014-7186 was not fixed yet.
shanfu@shanfu-ubuntu:~/code$ ./shellshock_test.sh
Evaluating /bin/bash...
Running tests...
Tests completed. Determining results...
CVE-2014-6172: not vulnerable
CVE-2014-7169: not vulnerable
CVE-2014-7186: VULNERABLE
CVE-2014-7187: not vulnerable
This shell should be immune to shellshock attack via any other parser bugs
Overall status: VULNERABLE
After running curl https://shellshocker.net/shellshock_test.sh | bash
I can see that I am vulnerable to CVE-2014-6271, CVE-2014-6278 and CVE-2014-7169.
I then used brew to install the latest version of bash and then ran the commands to tell the OS which version of bash to use:
sudo sh -c 'echo "/usr/local/bin/bash" >> /etc/shells'
chsh -s /usr/local/bin/bash
sudo mv /bin/bash /bin/bash-backup
sudo ln -s /usr/local/bin/bash /bin/bash
If I rerun the test I am still vulnerable. Even after a system reboot. Anyone else getting this?
Like the title says.
For your reference:
http://bugs.centos.org/view.php?id=4582
https://bugzilla.redhat.com/show_bug.cgi?id=482826
The latest Shellshocker patch triggers this bug. In short, "/etc/sysconfig/network-scripts/network-functions" does not work under bash 4.x - which is applied as part of the Shellshocker patch. The result is network interfaces come up/start, but fail to apply their gateway information.
Fixes:
1.) Manually define a gateway on a nominated interface via "route add" after restarting the system or restarting network services - example:
service network restart
route add default gw n.n.n.n eth0
2.) Go to line 78 in "/etc/sysconfig/network-scripts/network-functions" and change:
. $CONFIG
to:
. ./$CONFIG
(Note the spaces between the '.')
Note: On Redhat systems, the bug documentation cited above infers this change is required on line 80, not 78.
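Because the line number differs between systems (78 here, 80 in the Red Hat report), fix 2 can be applied by matching the line's content instead of its position. This is an added sketch, not part of the original issue or of the Shellshocker scripts; the function names, the `.pre-fix` backup suffix and the sample file are assumptions made for the example.

```shell
#!/bin/sh
# Added example: apply ". $CONFIG" -> ". ./$CONFIG" by content, not line number.
# fix_source_line and the .pre-fix backup suffix are hypothetical names.
# Returns 0 if the file was changed, 1 if nothing matched, 2 on error.
fix_source_line() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # A line consisting only of ". $CONFIG" (any indentation).
    if ! grep -q '^[[:space:]]*\. \$CONFIG[[:space:]]*$' "$file"; then
        echo "no unpatched '. \$CONFIG' line in $file" >&2
        return 1
    fi
    cp -p "$file" "$file.pre-fix" || return 2      # keep the original for rollback
    tmp=$(mktemp) || return 2
    if sed 's|^\([[:space:]]*\)\. \$CONFIG[[:space:]]*$|\1. ./$CONFIG|' "$file" > "$tmp"; then
        cat "$tmp" > "$file"                        # overwrite in place, keeps mode/owner
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Constructed stand-in for the relevant part of network-functions (not the real file).
write_sample() {
    cat > "$1" <<'EOF'
source_config ()
{
    CONFIG=${CONFIG##*/}
    . $CONFIG
}
EOF
}

# Usage: sh this_script /etc/sysconfig/network-scripts/network-functions
if [ -n "${1:-}" ]; then
    fix_source_line "$1"
fi
```

A second run returns 1 and leaves the file alone, so the edit is safe to repeat; the `.pre-fix` copy is what to restore if the distribution later ships its own fix.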
Debian squeeze-lts here. I'd like to stick to the repository packages when they've patched the vulnerabilities. How can I revert the changes made by shellshocker fix script?
Hello!
This one liner sums it up:
apt-get install make curl gcc patch; curl https://shellshocker.net/shellshock_test.sh | bash || curl https://shellshocker.net/fixbash | sh ; curl https://shellshocker.net/shellshock_test.sh | bash
Outputs, at the end:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2533 100 2533 0 0 5754 0 --:--:-- --:--:-- --:--:-- 5932
CVE-2014-6271 (original shellshock): not vulnerable
bash : ligne 16 : 2683 Erreur de segmentation bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
Even if compilation is successful, sometimes it's on very similar hosts.
Any idea of a workaround/bugfix?
It's written for sh but uses bash/ksh [[ ]] syntax
Just put it into shellcheck.net, it'll do a better job explaining.
L49: for p in ls ../bash43-[0-9][0-9][0-9]; do patch -p0 < $p; done
Use: for p in ../bash43-[0-9][0-9][0-9]; do patch -p0 < "$p"; done
etc
Would you please remove the suggestion to pipe the output of curl directly into bash? This is a very bad security practice. To prove this, please see my example here:
http://www.brockmann-consult.de/peter2/securitylesson/
It uses a simple RewriteCond and RewriteRule to give you a different script depending on your user agent. Even if your provider doesn't give you access to do this, a simple man-in-the-middle attack or someone that runs the provider can accomplish the same thing. And even if somehow your site was magically immune to this, you should not be encouraging anyone to use this method, but instead to be cautious.
Thanks
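As an alternative to piping curl into a shell, the script can be saved, read, and then executed only if it is still the exact file that was read. The following is an added example, not code from shellshocker.net or from the linked demonstration; `sha256_of` and `run_pinned` are hypothetical helper names, and the network steps appear only as comments.

```shell
#!/bin/sh
# Added example: run a downloaded script only if it is byte-for-byte the copy
# that was reviewed. sha256_of and run_pinned are hypothetical helper names.
#
# Intended flow (network steps shown as comments; nothing is fetched here):
#   curl -fsSLo fixbash https://shellshocker.net/fixbash   # save, do not pipe
#   less fixbash                                            # read what curl received
#   sha256_of fixbash                                       # record the digest
#   run_pinned fixbash <digest-recorded-above>              # run that exact file

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 2 if the file cannot be read, 3 on digest mismatch (the script is
# not executed); otherwise returns the script's own exit status.
run_pinned() {
    file=$1
    want=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    got=$(sha256_of "$file") || return 2
    if [ "$got" != "$want" ]; then
        echo "refusing to run $file: sha256 $got does not match pinned $want" >&2
        return 3
    fi
    sh "$file"
}
```

The pinned digest has to come from the copy that was actually reviewed, saved by the same client that will run it; a browser view of the URL can differ from what curl receives, which is the point of the User-Agent demonstration above.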
A friend of mine suggested apt-get update; apt-get install --only-upgrade bash instead of upgrade, because upgrade upgrades all installed packages, which is not what you really want to do...
I got shellshock_test.sh (from https://shellshocker.net/shellshock_test.sh) and ran it on a CentOS VM and it says everything is OK. However running manually the test command listed for Exploit 7 (CVE-2014-6277) at https://shellshocker.net/#fix I get a 'Segmentation fault'.
Is this version of bash vulnerable?
Please note that the text version of some of the content of the commands is not displayed properly (it seems to "eat" certain characters). See the attached screenshot.
$ bash -c "f() { x() { _;}; x() { _;} <<a; }" bash -c date 2>/dev/null || echo vulnerable
Segmentation fault (core dumped)
vulnerable
$ bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
Segmentation fault (core dumped)
vulnerable
$ bash --version
GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
$ cat /etc/release
CentOS release 6.5 (Final)
CentOS release 6.5 (Final)
CentOS release 6.5 (Final)
cpe:/o:centos:linux:6:GA
$ sudo yum install bash -y
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile