Difference between revisions of "Security"

From BubbaWiki
Jump to navigation Jump to search
(Created page with information concerning the infamous Shellshock bug)
 
(Fixed vulnerability check and added bash output for second bug)
 
Line 12: Line 12:


A vulnerable system will print
A vulnerable system will print
<pre>vulnerable
<pre>vulnerable
this is a test</pre>
this is a test</pre>
Line 19: Line 20:
While working on the bug, another severe flaw was discovered ([http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 CVE-2014-7169]). Check for this vulnerability with the following line of code:
While working on the bug, another severe flaw was discovered ([http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 CVE-2014-7169]). Check for this vulnerability with the following line of code:


<pre>env X='() { (a)=>\' sh -c "echo date"; cat echo</pre>
<pre>env X='() { (a)=>\' bash -c "echo date"; cat echo</pre>
 
'''CAUTION:''' On a vulnerable system, ''bash'' will report something like
 
<pre>
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
<current date>
</pre>
 
printing and saving the system date (<tt><current date></tt>) at execution time to a file called <tt>echo</tt>. A fixed system will report
 
<pre>
date
cat: echo: No such file or directory
</pre>


'''CAUTION:''' A vulnerable system will print the current date and save it in a file called <tt>echo</tt>.
while not creating a file named <tt>echo</tt>.


== [http://forum.mybubba.org/viewtopic.php?p=26101#p26101 Fix] ==
== [http://forum.mybubba.org/viewtopic.php?p=26101#p26101 Fix] ==

Latest revision as of 21:45, 30 September 2014


This site lists steps to secure the B3 against vulnerabilities that were discovered after the last official web update (2.6.0.2) was released by Excito.

Shellshock

Introduction

Shellshock (CVE-2014-6271) is the name of a bash bug recently discovered by Stéphane Chazelas that has been existing since roughly 1992. The following code allows testing for this vulnerability:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will print

vulnerable
this is a test

whereas on a patched system the string vulnerable will not be printed.

While working on the bug, another severe flaw was discovered (CVE-2014-7169). Check for this vulnerability with the following line of code:

env X='() { (a)=>\' bash -c "echo date"; cat echo

CAUTION: On a vulnerable system, bash will report something like

bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
<current date>

printing and saving the system date (<current date>) at execution time to a file called echo. A fixed system will report

date
cat: echo: No such file or directory

while not creating a file named echo.

Fix

MouettE compiled the latest bash from source using the Debian squeeze LTS repository.

The complete file list of the build is as follows:

Install the fixed bash version by running the following commands as root user:

wget http://files.la-mouette.net/bubba/bash_4.1-3+deb6u2_armel.deb
dpkg -i bash_4.1-3+deb6u2_armel.deb

The first command downloads the file marked bold from above, while the second installs the downloaded package.