"Shellshock" bash bug

Robert Heller heller at deepsoft.com
Sat Sep 27 12:39:52 UTC 2014


At Sat, 27 Sep 2014 08:15:08 -0400 "Ubuntu user technical support,  not for general discussions" <ubuntu-users at lists.ubuntu.com> wrote:

> 
> On Saturday 27 September 2014 02:43:19 Colin Law did opine
> And Gene did reply:
> > On 27 September 2014 01:31, Gene Heskett <gheskett at wdtv.com> wrote:
> > > On Friday 26 September 2014 17:17:06 Colin Law did opine
> > > 
> > > And Gene did reply:
> > >> On 26 September 2014 16:43, Kevin O'Gorman <kogorman at gmail.com> wrote:
> > >> > There has been a code-injection vulnerability in bash for the last
> > >> > 22 years, recently discovered and named "Shellshock".  It's
> > >> > nasty.
> > >> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
> > >> 
> > >> I don't fully understand the description.  I have a system that
> > >> cannot be updated that has an ssh port open to the internet, with
> > >> access by keys only.  Is that system vulnerable to attack?
> > >> 
> > >> Colin
> > > 
> > > Top posting, bah! Read the rest of the message below, open a terminal
> > 
> > Who is top posting?  I had read the rest of the post.  My question
> > related to the quoted section.
> > 
> > >> > Here's a quick one-liner to see if you're vulnerable:
> > >> > $ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
> > >> > vulnerable
> > > 
> > > And enter into the terminal from the keyboard, the above line
> > > starting with "env", to the end at 'test"', duplicating the
> > > quotation marks etc you see above.
> > > 
> > > Then hit enter and you should get the vulnerable return if you are,
> > > or the bash error shown below, ending in the last line 'this is a
> > > test'.  That response says you are not vulnerable.
> > 
> > No, the message tells me that I have a vulnerable version of bash
> > installed, not whether my system is vulnerable to attack as I asked.
> > The point is that with a machine that is only open to the internet via
> > ssh  with access by keys only, is the system vulnerable?  So far that
> > answer seems to be no, provided one's router is not hacked.
> > 
> > Colin
> 
> I have no knowledge of what is in the average router, only what is in mine 
> which has been reflashed to dd-wrt. There is not a full blown bash in 
> that, underneath its Busybox.  Busybox linux doesn't have a byte of code 
> in it that is not used, and that which is used is often stripped of 
> features not needed in a router specialized use, so my assumption, which 
> is exactly that, a SWAG if you want to use the term, is that it's enough 
> different that the answer almost certainly has to be no.
> 
> No one has yet reported that their router has been powned that I know of 
> except me.  The first one I ever bought, a Siemens from Circuit City about 
> 14 or 15 years ago, was attacked and bricked less than 24 hours after I 
> installed it.  I took it back and brought home a BEFSR41 which worked for 
> many years and could yet, all I would have to do is move the cables, but my 
> web page would disappear because its NATed port forward capabilities 
> aren't there.  It is not dd-wrt.
> 
> That is not to say that a router cannot be hacked, but likely not by 
> shellshock style attacks.
> 
> That said, update-manager just popped up, and there is a 3rd bash update 
> in the pipeline.  Do the update now, and reboot.  Only by rebooting can 
> you be assured that every bash instance in your system is using the new 
> one. I am doing it as soon as I've clicked on send.

Rebooting is NOT necessary for the bash update! Already running bash instances
are not relevant -- the bug only affects freshly spawned bash shells since the
bug is part of the bash start up. Once bash is running the bug has no effect.
Once /bin/bash has been updated, any future fork()s of /bin/bash will use the
updated (patched) /bin/bash. Of course, if the update updates the kernel or
libc or something like that, a reboot would be required.


> 
> Cheers, Gene Heskett

-- 
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller at deepsoft.com       -- Webhosting Services
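
Added example, not part of the message above or of any post in the thread: a POSIX sh sketch that runs the one-liner quoted in the thread against each bash binary on disk, which is the copy any newly started shell will execute, so a clean result right after the update needs no reboot. The function names (`classify_output`, `check_shell`, `check_all`) and the verdict strings are choices made for this example, and, as noted in the thread, the result describes the installed binary, not whether the machine is reachable by an attacker.

```shell
#!/bin/sh
# Added example (not from the thread): probe on-disk shells with the
# one-liner quoted in the thread and report a verdict for each binary.

# Turn the probe's captured stdout into a verdict string.
classify_output() {
    case "$1" in
        *vulnerable*)        echo "vulnerable" ;;      # injected echo ran at startup
        *"this is a test"*)  echo "not-vulnerable" ;;  # only the intended command ran
        *)                   echo "inconclusive" ;;    # shell did not run the command
    esac
}

# Run the probe against one specific binary (path given by the caller).
check_shell() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "missing"
        return 0
    fi
    # env -i starts from an empty environment, so the probe variable x is
    # the only thing the new shell imports. Warnings that patched bash
    # writes to stderr are discarded.
    out=$(env -i x='() { :;}; echo vulnerable' \
          "$shell_path" -c 'echo this is a test' 2>/dev/null)
    classify_output "$out"
}

# Check the bash found on PATH plus every bash listed in /etc/shells.
# Non-bash shells (dash, busybox ash) do not import functions from the
# environment and would simply report not-vulnerable.
check_all() {
    {
        command -v bash
        [ -r /etc/shells ] && grep -E '/bash$' /etc/shells
    } 2>/dev/null | sort -u | while read -r p; do
        printf '%s: %s\n' "$p" "$(check_shell "$p")"
    done
}

check_all
```
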
                                                                                                    



