Summary
Some people are calling the Bash Shellshock Bug the worst thing since the Heartbleed Virus. Others are saying that the vulnerability isn’t as bad as reported, since it won’t directly affect most users. The truth is probably somewhere in between. This document offers an introduction to what the Bash vulnerability is and what you can do about it.
Bash Facts
Here are a few facts about Bash.
- “Bash, or the Bourne again shell, is a UNIX-like shell, which is perhaps one of the most installed utilities on any Linux system. From its creation in 1980, Bash has evolved from a simple terminal based command interpreter to many other fancy uses. In Linux, environment variables provide a way to influence the behavior of software on the system. They typically consist of a name which has a value assigned to it. The same is true of the Bash shell. It is common for a lot of programs to run the Bash shell in the background. It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc)” (source)
- “Bash is present on every Linux distribution, almost every UNIX system, many Android phones, thousands upon thousands of embedded OS versions on hardware devices — and on every version of Mac OS X ever shipped.” (source)
- “This patch doesn’t even BEGIN to solve the underlying shellshock problem. This patch just continues the ‘whack-a-mole’ job of fixing parsing errors that began with the first patch. Bash’s parser is certain to have many many many other vulnerabilities; it was never designed to be security-relevant.” (source)
Quick Test for Bash Vulnerability
Using Terminal, you can enter the following command to test whether your Bash is vulnerable.
- env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you type that and only get the message “this is a test”, then your system is most likely not vulnerable (other exploits are currently being evaluated, so don’t assume you’re completely protected). However, if you also see the word “vulnerable” printed, then your system is vulnerable: Bash executed the command that followed the function definition in the environment variable.
If you run the above example with the patched version of Bash, you should get an output similar to:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
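The page's one-line probe, wrapped so the result is classified rather than read by eye, as an added example that is not part of the original page. It assumes a POSIX sh and takes the bash binary to test as its first argument (default bash); the verdict names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: runs the page's probe against a
# bash binary (path given as first argument, default "bash") and classifies
# the outcome instead of leaving the reader to eyeball the output.

# The probe is run once for stdout and once for stderr so the two streams can
# be inspected separately. Same command as on the page: the function body
# "{ :;}" is harmless; the trailing "echo vulnerable" is what a broken parser
# executes.
run_probe() {
    env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null
}

run_probe_stderr() {
    env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>&1 >/dev/null
}

# classify_probe_output STDOUT STDERR -> one of the verdicts below.
# VULNERABLE          : the trailing command ran.
# PATCHED_WITH_WARNING: early fix; bash saw the definition and refused it,
#                       printing the warning shown on the page.
# NOT_VULNERABLE      : nothing ran and no warning. Current bash imports
#                       functions only from specially named variables, so a
#                       fully patched bash lands here silently.
classify_probe_output() {
    case "$1" in
        *vulnerable*) echo VULNERABLE; return 0 ;;
    esac
    case "$2" in
        *"ignoring function definition attempt"*) echo PATCHED_WITH_WARNING ;;
        *) echo NOT_VULNERABLE ;;
    esac
}

# shellshock_check [BASH_BINARY] -> verdict on stdout (NO_BASH if not found).
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo NO_BASH
        return 0
    fi
    out=$(run_probe "$bash_bin")
    err=$(run_probe_stderr "$bash_bin")
    classify_probe_output "$out" "$err"
}

shellshock_check "${1:-bash}"
```

A fully patched current bash prints neither the word vulnerable nor the warning shown above, because it no longer imports functions from plain variable names; the script reports that as NOT_VULNERABLE.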
Ubuntu Users
If you’re a user of the latest version of Ubuntu (14) and have been installing system updates regularly, your computer has likely already been patched.
Resources
Rather than recreating here what has already been posted elsewhere, the following resources have been gathered to provide the information you need and save you from searching the web through thousands of articles.
- Administrator Guidelines and Checklist (SANS, 29 September 2014)
- “Apple Says Majority Of OS X Users Are Safe From Bash Exploits” (TechCrunch, 27 September 2014)
- “Are Macs vulnerable to the Bash shellshock bug?” (An Apple StackExchange discussion, 25 September 2014)
- Bash Patch Script for Advanced Users – Requires Xcode (GitHub, 25 September 2014)
- “Bash specially-crafted environment variables code injection attack” (Red Hat Security Blog, 24 September 2014)
- “How to patch OS X for the bash/Shellshock vulnerability” (TUAW, 25 September 2014)