Shellshock exploit and fix: CVE-2014-6271, CVE-2014-7169

on September 26 | in Security

What is CVE-2014-7169?

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

 

What is CVE-2014-6271?

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

Source:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

How to fix the Shellshock bash exploit.

Log in to your server as root.

1. First, run the command below to check whether your server is vulnerable. If the output includes "vulnerable", the installed bash is affected.

[root1@server80 ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

2. Update bash by running: yum update bash

3. After updating bash, run the command again. Output like the following means the vulnerability is fixed.

[root1@server80 ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
/bin/bash: warning: X: ignoring function definition attempt
/bin/bash: error importing function definition for `X'
this is a test

Thanks so much to Red Hat for providing the errata/fixes.

For more information, please read the Red Hat blog and fixes below.

Red Hat is aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.

Update 2014-09-26 02:20UTC

Red Hat has released patched versions of Bash that fix CVE-2014-7169.  Information regarding these updates can be found in the errata.  All customers are strongly encouraged to apply the update as this flaw is being actively attacked in the wild.
Fedora has also released a patched version of Bash that fixes CVE-2014-7169.  Additional information can be found on Fedora Magazine.
Source: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
https://access.redhat.com/articles/1200223

Fedora 19/20: additional steps required to fix.

First, check whether your server is still vulnerable. If the command below shows the date, your server is still vulnerable.

[root@fedora20-10 ~]# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:11:45 UTC 2014
[root@fedora20-10 ~]# yum -y install koji
[root@fedora20-10 ~]# koji download-build --arch=$(uname -m) bash-4.2.48-2.fc20
[root@fedora20-10 ~]# yum localinstall bash-4.2.48-2.fc20.$(uname -m).rpm
Run the check again. The output below confirms that your server is not vulnerable to CVE-2014-6271 and CVE-2014-7169.
[root@fedora20-10 ~]# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory
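
The two checks above can be wrapped in one script for use across several hosts. This is an added example, not part of the original post or the Red Hat article; the function names, the return-code convention and the private mktemp working directory (used in place of the shared /tmp) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): the page's two checks as functions.
# Return codes: 0 = vulnerable, 1 = not vulnerable, 2 = check could not run.

# CVE-2014-6271: a vulnerable bash executes the text after the function body.
is_vulnerable_6271() {
    shell=${1:-bash}
    command -v "$shell" >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

# CVE-2014-7169: a vulnerable bash runs "date" and redirects it into a file
# named "echo" in the current directory. A private mktemp directory is used
# here (an assumption of this example) instead of the shared /tmp.
is_vulnerable_7169() {
    shell=${1:-bash}
    command -v "$shell" >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 2
    ( cd "$work" && env 'x=() { (a)=>\' "$shell" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$work/echo" ]; then rc=0; else rc=1; fi
    rm -rf "$work"
    return "$rc"
}

# Print one line per CVE for the given shell (default: bash).
shellshock_report() {
    target=${1:-bash}
    for cve in 6271 7169; do
        result=0
        "is_vulnerable_$cve" "$target" || result=$?
        case $result in
            0) echo "CVE-2014-$cve: VULNERABLE ($target)" ;;
            1) echo "CVE-2014-$cve: not vulnerable ($target)" ;;
            *) echo "CVE-2014-$cve: check could not run ($target)" ;;
        esac
    done
}

shellshock_report "${1:-bash}"
```

Pass an absolute path as the first argument to test a bash binary other than the one on PATH.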
