Difference between revisions of "Security"

From BubbaWiki
Jump to: navigation, search
(Created page with information concerning the infamous Shellshock bug)
 
(Fixed vulnerability check and added bash output for second bug)
 
Line 12: Line 12:
  
 
A vulnerable system will print
 
A vulnerable system will print
 +
 
<pre>vulnerable
 
<pre>vulnerable
 
this is a test</pre>
 
this is a test</pre>
Line 19: Line 20:
 
While working on the bug, another severe flaw was discovered ([http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 CVE-2014-7169]). Check for this vulnerability with the following line of code:
 
While working on the bug, another severe flaw was discovered ([http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 CVE-2014-7169]). Check for this vulnerability with the following line of code:
  
<pre>env X='() { (a)=>\' sh -c "echo date"; cat echo</pre>
+
<pre>env X='() { (a)=>\' bash -c "echo date"; cat echo</pre>
 +
 
 +
'''CAUTION:''' On a vulnerable system, ''bash'' will report something like
 +
 
 +
<pre>
 +
bash: X: line 1: syntax error near unexpected token `='
 +
bash: X: line 1: `'
 +
bash: error importing function definition for `X'
 +
<current date>
 +
</pre>
 +
 
 +
printing and saving the system date (<tt><current date></tt>) at execution time to a file called <tt>echo</tt>. A fixed system will report
 +
 
 +
<pre>
 +
date
 +
cat: echo: No such file or directory
 +
</pre>
  
'''CAUTION:''' A vulnerable system will print the current date and save it in a file called <tt>echo</tt>.
+
while not creating a file named <tt>echo</tt>.
  
 
== [http://forum.mybubba.org/viewtopic.php?p=26101#p26101 Fix] ==
 
== [http://forum.mybubba.org/viewtopic.php?p=26101#p26101 Fix] ==

Latest revision as of 23:45, 30 September 2014


This site lists steps to secure the B3 against vulnerabilities that were discovered after the last official web update (2.6.0.2) was released by Excito.

Shellshock

Introduction

Shellshock (CVE-2014-6271) is the name of a bash bug recently discovered by Stéphane Chazelas that has been existing since roughly 1992. The following code allows testing for this vulnerability:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will print

vulnerable
this is a test

whereas on a patched system the string vulnerable will not be printed.

While working on the bug, another severe flaw was discovered (CVE-2014-7169). Check for this vulnerability with the following line of code:

env X='() { (a)=>\' bash -c "echo date"; cat echo

CAUTION: On a vulnerable system, bash will report something like

bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
<current date>

printing and saving the system date (<current date>) at execution time to a file called echo. A fixed system will report

date
cat: echo: No such file or directory

while not creating a file named echo.

Fix

MouettE compiled the latest bash from source using the Debian squeeze LTS repository.

The complete file list of the build is as follows:

Install the fixed bash version by running the following commands as root user:

wget http://files.la-mouette.net/bubba/bash_4.1-3+deb6u2_armel.deb
dpkg -i bash_4.1-3+deb6u2_armel.deb

The first command downloads the file marked bold from above, while the second installs the downloaded package.