Welcome, Guest. Please login or register.
Did you miss your activation email?
Monday 25 November 2024, 02:03:47 am

Login with username, password and session length

The Latest Endian Firewall is now available for download HERE
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  Patch for bash ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169) - when?
0 Members and 1 Guest are viewing this topic. « previous next »
Pages: 1 2 [3] Go Down Print
Author Topic: Patch for bash ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169) - when?  (Read 175120 times)
deni1738
Jr. Member
*
Offline Offline

Posts: 6


« Reply #30 on: Tuesday 30 September 2014, 05:20:05 pm »

Great Dean , thanks   installed and tested on  2.52 .
Logged
mmiat
Sr. Member
****
Offline Offline

Gender: Male
Posts: 236


WWW
« Reply #31 on: Tuesday 30 September 2014, 06:24:41 pm »

me too, thanks
Logged

---------------------
IT Consultant
www.fsw.it
Hardware & Software
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #32 on: Wednesday 01 October 2014, 12:57:32 am »

Okay this sort of works:
=================

What are we running?:
-----------------------------
# bash --version
GNU bash, version 3.00.14(1)-release (i686-redhat-linux-gnu)

Funky install
----------------
# smart install http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.2.el4.i386.rpm
# rpm -Uhv bash-3.0-27.0.2.el4.i386.rpm

Did we upgrade it? (Yes)
-------------------------------
# bash --version
GNU bash, version 3.00.15(1)-release (i686-redhat-linux-gnu)

Does it pass the test? (Yes. It's fixed)
------------------------------------------------
#env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

Notes:
--------
1. The "smart install" fails because there is no DSA key stored in EFW for the Oracle repository ...but it fetched the RPM

2. The "rpm -U" cannot fetch the file from Oracle (you get an "import read failed(-1).")

3. "rpm -U" will however install from the local copy retrieved from the "smart install"

4. bash 3.0 aligns with RedHat Version 4. (3.2 is RH5, 4.1 is RH6, 4.2 is RH7)
   https://access.redhat.com/articles/1200223
   ...but that RH4 is no longer supported by RH so that's why we have to get it from Oracle.

5. The downloaded bash is for "Red Hat Enterprise Linux 4" (EL4) but it should be the same for all RH4 variants (??).

6. Review the source at https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.2.el4.src.rpm

7. This was tested on 2.2.rc3 only - your experience may vary

...so I volunteered...now you can bitch at me...someone please check my work before it corrupts all of your EFWen.

I saw that Oracle patch, but I don't like to add rpm's from vanilla redhat. To fetch things you can also use curl -O <URL>
The thing is sometimes endian uses strange paths for many files, they tweaked many rpm sources to point to different paths.
But if you don't see anything wrong it's ok. Good work finding it, now we have bash-3.0-deanstyles version.

Just an added thing. Shellshock bug it's more than this line, there are at least 4 tests you must pass (see http://en.wikipedia.org/wiki/Shellshock_(software_bug) ):
CVE-2014-6271 Test 1:
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Expected result: Do not see vulnerable on screen.
CVE-2014-7169 Test 2:
Code:
env X='() { (a)=>\' sh -c "echo date"; cat echo
Expected result: Do not see the current date on screen. No such file or directory.
CVE-2014-7186 Test 3:
Code:
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ||echo "CVE-2014-7186 vulnerable, redir_stack"
Expected result: empty output.
CVE-2014-7187 Test 4:
Code:
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
Expected result:
If bash fails on one of them, you are still vulnerable to Shellshock

There is also an script around there to bashcheck:
https://github.com/hannob/bashcheck/blob/master/bashcheck

I'm rebuilding the RPM's for bash, using the original Endian bash package, just adding the patches.
I'm on Endian 2.4.0, and it succesfully passed the 4 tests. Once I finished packaging and reviewing, I'll rebuild it on 2.5.2 and 3.0.0, probably is the very same package on all 3.
I attached a screen of the actual result on my compiled bash:
http://imgur.com/S9xp2OH

Now that I saw your Oracle SRC package, I'll try to add another patches that I saw on your package but I didn't see on endian's bash. Maybe they are other patches not related to Shellshock but useful.

Regards.
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #33 on: Wednesday 01 October 2014, 03:08:52 am »

I can confirm too that Oracle bash update 27.0.3 fixes the 4 bugs.

Steps to install Oracle bash:
Code:
curl -O http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.3.el4.i386.rpm
rpm -Uvh bash-3.0-27.0.3.el4.i386.rpm
To all, please note that if you install Oracle bash, there is a new update (27.0.3), deanstyles pointed out the prior version (.2).
It's dated 26-Sep-2014 15:42


Test results:
Code:
root@efw-1412010858:~ # bash --version
GNU bash, version 3.00.15(1)-release (i686-redhat-linux-gnu)
Copyright (C) 2004 Free Software Foundation, Inc.
root@efw-1412010858:~ # rpm -qa | grep bash
bash-3.0-27.0.3.el4
root@efw-1412010858:~ # ./bashcheck.sh
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
Tested en Endian 2.4.0 and Endian 2.5.1

I reviewed Oracle bash sources versus Endian bash sources, and the only noticeable change between their SPEC files are those symlinks files:
ln -sf bash ./bin/csh
ln -sf bash ./bin/tcsh
The good news is that they are already created on Endian, so there is no problem of missing files.

Anyways I'll be rebuilding the endian's bash package, just in case. I know everybody trusts Oracle more than a single person.
Logged
deanstyles
Full Member
***
Offline Offline

Posts: 12


« Reply #34 on: Wednesday 01 October 2014, 11:58:13 pm »

Sorry folks the white hatters are finding more problems with bash:
https://shellshocker.net/

From what I can tell the new problems are harder to exploit and not as valuable to the "for profit" black hats.

The economics may keep us safe but there will be one last patch (in weeks?) when the dust clears. At that time I'll post a "how-to". If anything really nasty appears I'll post immediately.

Watch for the signs,
    Dean Styles, CISSP
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #35 on: Thursday 02 October 2014, 10:22:17 am »

Sorry folks the white hatters are finding more problems with bash:
https://shellshocker.net/

From what I can tell the new problems are harder to exploit and not as valuable to the "for profit" black hats.

The economics may keep us safe but there will be one last patch (in weeks?) when the dust clears. At that time I'll post a "how-to". If anything really nasty appears I'll post immediately.

Watch for the signs,
    Dean Styles, CISSP
But actual patch passes all these tests, so there aren't more public vulnerabilities for now:

root@Firewall:~ # ./shellshock_test.sh
CVE-2014-6271 (original shellshock): not vulnerable
bash: shellshocker: command not found
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
Logged
noita
Jr. Member
*
Offline Offline

Posts: 2


« Reply #36 on: Monday 06 October 2014, 07:39:04 am »

Seems like they've upgraded the tester, now it looks like:

root@Firewall:~ # ./shellshock_test.sh
CVE-2014-6271 (original shellshock): not vulnerable
bash: line 16: 30605 Segmentation fault      bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on htp://shellshocker.net/): not vulnerable
Logged
mmiat
Sr. Member
****
Offline Offline

Gender: Male
Posts: 236


WWW
« Reply #37 on: Monday 06 October 2014, 07:29:31 pm »

I tried:

Code:
root@FIREWALL:~ # ./bashcheck
Testing /bin/bash ...
GNU bash, version 3.00.15(1)-release (i686-redhat-linux-gnu)

Variable function parser pre/suffixed [(), redhat], bugs not
exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
./bashcheck: line 69: done;: command not found
./bashcheck: line 69: done;: command not found
./bashcheck: line 69: done;: command not found
[....]
./bashcheck: line 69: done;: command not found
./bashcheck: line 69: done;: command not found
./bashcheck: line 69: done;: command not found
Found non-exploitable CVE-2014-7187 (nested loops off by one)
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)

why "command not found" ?
Logged

---------------------
IT Consultant
www.fsw.it
Hardware & Software
mmiat
Sr. Member
****
Offline Offline

Gender: Male
Posts: 236


WWW
« Reply #38 on: Monday 06 October 2014, 07:36:05 pm »

another error:

Code:
Oct  6 08:21:50 FIREWALL kernel: [ 1393.513457] bash[6362]: segfault at 1010101 ip 0807240e sp bf8bc360 error 4 in bash[8048000+90000]
Oct  6 08:22:25 FIREWALL kernel: [ 1427.649048] bash[6600]: segfault at 1010101 ip 0807240e sp bf8b2240 error 4 in bash[8048000+90000]
Logged

---------------------
IT Consultant
www.fsw.it
Hardware & Software
juddyjacob
Full Member
***
Offline Offline

Posts: 64


« Reply #39 on: Saturday 11 October 2014, 10:42:30 am »

Anyway to uninstall this patch? Ever since i installed it I can not create any new GW2GW OpenVPN connections.
Logged
juddyjacob
Full Member
***
Offline Offline

Posts: 64


« Reply #40 on: Saturday 11 October 2014, 04:48:02 pm »

TAP interfaces got mixed up somehow, had to delete all the tunnels and re-create them. Thanks JohnBoy!
Logged
Pages: 1 2 [3] Go Up Print 
« previous next »
Jump to:  

Page created in 0.156 seconds with 18 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com