CVE-2014-7169 – $shock

Shellshock is the bash vulnerability that is all over the news right now. To check whether you are affected (very likely, if you have not patched yet), just execute ::

env x='() { :;}; echo anything' bash -c :

If you see "anything" echoed, your bash imported the function definition from the environment and then ran the command placed after it: that is the vulnerability. Time to update your system with the patches. This bug affects every version of bash shipped to date, so everyone has to apply the fix. Note that the original bug is CVE-2014-6271; its first patch turned out to be incomplete, and CVE-2014-7169 tracks the follow-up fix, which the builds below include. Fixed versions for Fedora are ::

Fedora 21: bash-4.3.25-2.fc21
Fedora 20: bash-4.2.48-2.fc20
Fedora 19: bash-4.2.48-2.fc19

Ryan Lerch talks about it in detail in his article in Fedora Magazine. It is interesting to understand how merely declaring a single variable can be malicious. In the command above, the environment variable x is assigned a value that looks like a function definition, because this is the format bash itself uses to pass exported functions to child shells. When a new bash starts, it scans its environment for values beginning with "() {" and turns each one into a function definition. Importing the variable does not execute the function; the problem is that the parser does not stop at the closing brace of the function body. Whatever we put after the function closure is also parsed and executed as a command, during startup, before the shell runs anything we actually asked it to.

Attackers can put anything in place of the echo statement. You can extend the experiment by replacing echo with reboot, like this :: env x='() { :;}; reboot' bash -c : and you will see your system reboot (only try this as root, on a machine you do not mind rebooting). So you can see the severity now: any program that copies untrusted input into environment variables and then starts bash hands that input to the parser, and the child bash runs the trailing command before executing the script it was started for.
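The check on the command line above and the parser behaviour just described, written up as a small test script. This is an added example and not code from the original post or from the Fedora or Red Hat articles; it runs the two public test cases against whatever bash is on PATH, the echo test for CVE-2014-6271 and the dangling-redirection test for CVE-2014-7169, with harmless payloads (a marker string, and a file written inside a private temporary directory that is removed afterwards). The function names and the "patched" / "vulnerable" / "no-bash" result strings are this script's own convention.

```shell
#!/bin/sh
# Added example, not part of the original post: runs the two public Shellshock
# test cases against the bash found on PATH.
#   CVE-2014-6271: commands placed after the function body in an exported
#                  variable are executed while the child bash imports it.
#   CVE-2014-7169: the first fix was incomplete; a crafted definition leaves
#                  a dangling redirection that swallows the next command.
# Both payloads are harmless: one echoes a marker, the other writes a file
# inside a private temporary directory that is deleted afterwards.

# Each check prints one of: patched, vulnerable, no-bash.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # "-c :" asks bash to run a no-op. On a vulnerable bash the "echo VULN"
    # after the function body runs anyway, during environment import.
    out=$(env x='() { :;}; echo VULN' bash -c : 2>/dev/null)
    case "$out" in
        *VULN*) echo vulnerable ;;
        *)      echo patched ;;
    esac
}

check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    dir=$(mktemp -d) || return 1
    # On a bash carrying only the first patch, the broken definition leaves
    # ">\" pending, so "echo date" is parsed as ">echo date": the word "echo"
    # becomes a file name and the output of "date" lands in it.
    ( cd "$dir" && env x='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 )
    if [ -s "$dir/echo" ]; then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$dir"
    echo "$result"
}

# Prints both results; returns 1 if either check found the bash vulnerable.
shellshock_report() {
    r1=$(check_cve_2014_6271)
    r2=$(check_cve_2014_7169)
    echo "CVE-2014-6271: $r1"
    echo "CVE-2014-7169: $r2"
    [ "$r1" != vulnerable ] && [ "$r2" != vulnerable ]
}

shellshock_report
```

Run it with sh; the exit status is non-zero when either test fires, so it can sit in a config-management or monitoring check. The second test matters because a system that passes only the first one may still be running a bash with the incomplete initial patch.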

You can read the detailed write-up in Red Hat's information article; make sure you get the updated version of bash to be safe.
