About this blog

'Going Spatial' is my personal blog, the views on this site are entirely my own and should in no way be attributed to anyone else or as the opinion of any organisation.

My tweets on GIS, Humanitarian, Tech, Games and Randomness

Friday, 26 September 2014

Shellshock or SHELLSHOCKED!


Oh no, here we go again

Well, there's plenty of fast paced news and updates about the latest vulnerability to assail the internet (and OpenSource / Linux in particular it would seem) - hot on the heels of the 'Heartbleed' bug we now have a new vulnerability dubbed 'Shellshock', additional good articles from The Register and one from TroyHunt all include a lot of decent background material. Mr. Hunt was top of my search list - am sure there are others out there. 

It is a weakness with the well-known 'nix shell called 'Bash' - a shell is one of a number of interpreters that use command line to interact with the system as well as parse scripts and other things. It has been around for ages (I remember using it in university) and is the default shell for Linux and Mac OS X. So it is everywhere and everyone is more or less affected. 

The bug allows the processing of additional shell commands after a function definition - this means that someone can add extra commands to the end of an existing legitimate one, and there's a chance that it will get executed. Basically, a command over-run. 

What is even more scary and from what everyone has been saying: it probably has already been exploited and that the security community has just caught on. Christ, how long? 

Let me check to see if MY pants are down


So. I just carried out a ‘before’ and ‘after’ on one of our Centos boxes:

1.      Fire up a shell (make sure it is Bash)
2.      Enter the follow (no need to SUDO)
   env x=’() { :;}; echo vulnerable’ bash –c “echo this is a test”
3.      If you execute the script and you get: ‘vulnerable, this is a test’ – then patch immediately

4.      If you execute the script and you get: ‘this is a test’ – then the patch worked or you haven’t been vulnerable


So how do I patch for this? 

Quite easy actually. 

Using yum or apt-get will allow you to easily update Bash and fix the vulnerability.

Yum

sudo yum-update

then 

sudo yum update bash

Apt-get

sudo apt-get update

then 

sudo apt-get install --only-upgrade bash

Some screenshots

Of course, a picture is worth a 1000 words:

Let's get started, am I vulnerable? Oh yes I am....(sad face)
Go yum, go!


Now update Bash

Re-run the test and yes, we pass.