"Shellshock" - bash exploit

Today a new exploit has been discovered that affects the BASH shell, the most prevalent shell used in the world, and can result in remote exploitation of servers that can include full takeover. It has been estimated to be more severe in nature and more exploitable than Heartbleed.

Here’s a stackexchange post about Shellshock. You’ll be able to find tons of information regarding this anywhere on the internet.

At any rate, no matter what distribution you are using, you are susceptible to it if BASH is your default shell, which is the case for the vast, vast majority of Linux installs.

In the above link you can see more details, including this vulnerability test suite:

root@mineos:~# curl https://shellshocker.net/shellshock_test.sh | bash
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable

On aptitude-based distros, e.g., Debian, Ubuntu, Turnkey, etc., you can update your packages with the following commands:

root@core ~# apt-get update
root@core ~# apt-get upgrade

Depending on your host system, follow the prescribed instructions to update your bash shell. While BSD users are unlikely to be affected by this (Bash is not installed by default), in all cases it is worth testing your system for this vulnerability.

According to additional sources, there is still some uncertainty about the comprehensiveness of this fix: it is safe and advisable to upgrade bash immediately, but the question still stands on whether there are other means of exploiting this parsing design flaw, so there may be continued updates coming over the next few days, too.

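For readers who would rather not pipe a remote script into bash, here is an added example (not from the original post or from shellshocker.net) that performs the local check for the original bug, CVE-2014-6271, against the bash on PATH or a path given as the first argument. The bug is that bash imported any environment variable whose value began with "() {" as a function and kept executing whatever followed the function body; the probe below only prints a marker string if that trailing text ran. The function names shellshock_check and shellshock_report are assumptions introduced for this example.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Local check for CVE-2014-6271 (original Shellshock) without fetching
# a remote test script. Function names are assumptions for this example.

# Prints "vulnerable", "not vulnerable", or "bash not found".
# Exit status: 0 = not vulnerable, 1 = vulnerable, 2 = no bash to test.
shellshock_check() {
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "bash not found"
        return 2
    fi
    # The variable value is a function definition followed by a trailer.
    # An unpatched bash executes the trailer while importing the variable
    # at startup; the "-c ':'" body itself prints nothing, so any output
    # containing the marker means the trailer ran.
    out=$(env ss_probe='() { :;}; echo SHELLSHOCK_PROBE_RAN' \
          "$bash_bin" -c ':' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_PROBE_RAN*) echo "vulnerable";     return 1 ;;
        *)                      echo "not vulnerable"; return 0 ;;
    esac
}

# Prints the tested bash version line followed by the check result, so the
# result can be matched against the distro's advisory for that version.
shellshock_report() {
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    if [ -n "$bash_bin" ] && [ -x "$bash_bin" ]; then
        "$bash_bin" --version 2>/dev/null | head -n 1
    fi
    shellshock_check "$bash_bin"
}

# Usage: ./shellshock_check.sh [/path/to/bash]
shellshock_report "${1:-}" || true
```

After running apt-get update and apt-get upgrade, re-run the script: the version line should change and the result should read "not vulnerable".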

http://shellshock.brandonpotter.com/

http://www.shellshocktest.com/

These are two reputable websites to test your server against shellshock in two separate ways.

This is interesting, thanks for sharing it.

In testing my previously updated MineOS Turnkey deployment I’ve found that I don’t seem to be vulnerable at this time or at least via this testing mechanism.

Do you have an official document you’d like to point MineOS Turnkey users to for updating their OS?

I realize MineOS update scripts are separate from the OS and only update the Web GUI + probably/occasionally some MineOS backend bits.

The Database and other applications are separate yet though probably updated via the OS update method.

I also note that "update" is generally a term used when patching or changing the current revision level of some given software.

"Upgrade" is generally used to describe the method used to advance software applications or an OS to a new functional level. So any references to upgrades are a wholly separate question from what I am looking to reference.

William…

I feel it’s important to emphasize this is a bash-related exploit and thus this problem is pertinent to almost all Linux deployments, Turnkey or not. I’d prefer MineOS Turnkey users not relying on any MineOS document to address this: the answer to shellshock is simply updating your bash binaries.

As shown in my original post, Debian-based distros (e.g., Turnkey, Debian, and Ubuntu) can use apt-get to update their affected binary. It is apt-get that chose the designations update and upgrade. apt-get should already be part of an admin’s toolkit (meaning, they should know to use it regularly, exploits discovered or not).

That said, here is an explanation of the commands you’d use to update/upgrade bash, which includes many other packages in your system:

apt-get update – This downloads package lists from your repositories (official and unofficial). No packages or binaries are changed on your system.

apt-get upgrade – actually downloads, installs, and configures packages needing updating. “Need” as determined by the Debian repo managers, who carefully calculate which versions inter-operate best and provide the most stable and secure experience.


If you haven’t already, be sure that you have updated your bash again, taking into account new rounds of updates to address new attack vectors on bash.

In other words, even if you updated your bash on zero day, make sure to give update/upgrade another shot, to be sure that your bash is not one of the vulnerable versions.

Remember, your server does not need to be popular to be a target: bots don’t know the difference.