
Masa's blog


2014-09-26 CVE-2014-6271: remote code execution through bash

CVE-2014-6271: remote code execution through bash

BASH PATCH REPORT bash43-025

Before the upgrade

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

OMG!

Let's upgrade to bash-4.3.25 (bash-4.3 with patches 001 through 025 applied) on Slackware.

$ tar xvvf bash-4.3.tar.gz
$ tar xvvf bash-4.3-patches.tar.gz
$ cd bash-4.3
$ cat ../bash-4.3-patches/bash43* | patch -p0
$ ./configure --prefix=/usr --mandir=/usr/man --infodir=/usr/info
$ make
# make install-strip

# cd /usr/bin
# mv bashbug bashbug.REMOVED && chmod -x bashbug.REMOVED
# mv bash /bin/bash.new
# ln -sf /bin/bash .

# cd /bin
# mv bash bash.old
# mv bash.new bash
# mv bash.old bash.old.REMOVED && chmod -x bash.old.REMOVED

Note that between `mv bash bash.old` and `mv bash.new bash` there is a short window with no /bin/bash at all, which matters on a box where /bin/sh is a symlink to bash. Keeping a copy of the old binary first and then doing only the single `mv bash.new bash` (an atomic rename over the old file) avoids that window.

After the upgrade

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

But CVE-2014-7169 is not fixed yet :(


2014-09-27 CVE-2014-7169 is fixed by bash43-026

CVE-2014-7169 is fixed by bash43-026

http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-026

Before applying the patch above

$ env -i X='() { (a)=>\' bash -c 'echo date'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
$ ls -al echo
-rw-r--r-- 1 m-ito m-ito 29 Sep 27 10:39 echo
$ cat echo
Sat Sep 27 10:39:30 JST 2014
$

After applying the patch above

$ env -i X='() { (a)=>\' bash -c 'echo date'
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
date
$ ls -al echo
ls: echo: No such file or directory
$ bash --version
GNU bash, version 4.3.26(1)-release (i686-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
$
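The two probes used on this page (the CVE-2014-6271 function-import test from the first entry and the CVE-2014-7169 parser-state test above), wrapped in a script that can be pointed at any bash binary, as an added example that is not part of the original post. It assumes the target shell path is given as the first argument (default /bin/bash) and that mktemp(1) is available: the 7169 probe is run inside a scratch directory because its tell-tale is a file named echo being created in the current directory.

```shell
#!/bin/sh
# Added example, not code from the original post: probe a bash binary for the
# two Shellshock bugs discussed on this page.
# Usage: sh shellshock-check.sh [/path/to/bash]
# Assumptions: target path in $1 (default /bin/bash); mktemp(1) available.

# CVE-2014-6271: the command that trails an exported-function string is run
# when the function is imported. Returns 0 (true) when the probe output shows
# that "echo vulnerable" from the variable actually ran.
classify_6271() {
    case "$1" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# CVE-2014-7169: parser state leaks out of the broken function definition, so
# "echo date" is parsed as "> echo date" and date(1) output lands in a file
# named "echo". Returns 0 (true) when that file exists in scratch directory $1.
classify_7169() {
    [ -f "$1/echo" ]
}

# Run the CVE-2014-6271 probe (the same command as on this page) against the
# shell at $1. Returns 0 when vulnerable, 1 when patched. The child's stderr
# (the "ignoring function definition attempt" warning) is discarded.
probe_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null)
    if classify_6271 "$out"; then
        echo "CVE-2014-6271: VULNERABLE ($1)"
        return 0
    fi
    echo "CVE-2014-6271: patched ($1)"
    return 1
}

# Run the CVE-2014-7169 probe against the shell at $1 inside a scratch
# directory so the stray "echo" file never lands in the caller's cwd.
probe_7169() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env -i X='() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 )
    if classify_7169 "$dir"; then
        rm -rf "$dir"
        echo "CVE-2014-7169: VULNERABLE ($1)"
        return 0
    fi
    rm -rf "$dir"
    echo "CVE-2014-7169: patched ($1)"
    return 1
}

# Run both probes. The return value is the number of probes that fired
# (0 = neither bug present), so it doubles as an exit status for scripting.
check_shellshock() {
    hits=0
    if probe_6271 "$1"; then hits=$((hits + 1)); fi
    if probe_7169 "$1"; then hits=$((hits + 1)); fi
    return "$hits"
}

target=${1:-/bin/bash}
if [ -x "$target" ]; then
    hits=0
    check_shellshock "$target" || hits=$?
    echo "$hits probe(s) fired against $target"
else
    echo "no executable at $target" >&2
fi
```

Pointing it at /bin/bash.new right after `make install-strip` confirms the rebuilt binary is clean before it replaces /bin/bash. The classifiers only look for the symptoms this page shows (the trailing command executing; a stray echo file), not for the exact warning text, so they are unaffected by wording differences between bash releases; a shell that fails in some other way needs a different probe.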

2014-09-28 New patch for bash-4.3: patch level 27

New patch for bash-4.3: patch level 27

http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027

$ bash --version
GNU bash, version 4.3.27(2)-release (i686-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.