bash 漏洞，据说一行代码可以搞定？

[none_nobody]

　更糟的是，利用Bash漏洞的方法更加简单，只要直接剪切和粘贴一行软件代码，就能取得效果。如此低的门槛可能会吸引来更多的黑客进行攻击，这也是安全专家担心的地方。


问题是这行代码是什么？谁能给一下让我测试？

[Shell Xu]

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

在 2014年9月25日 下午12:11，none_nobody <lyx...@gmail.com>写道：

　更糟的是，利用Bash漏洞的方法更加简单，只要直接剪切和粘贴一行软件代码，就能取得效果。如此低的门槛可能会吸引来更多的黑客进行攻击，这也是安全专家担心的地方。


问题是这行代码是什么？谁能给一下让我测试？

--
-- You received this message because you are subscribed to the Google Groups Shanghai Linux User Group group. To post to this group, send email to sh...@googlegroups.com. To unsubscribe from this group, send email to shlug+un...@googlegroups.com. For more options, visit this group at https://groups.google.com/d/forum/shlug?hl=zh-CN
---
您收到此邮件是因为您订阅了Google网上论坛中的“Shanghai Linux User Group”论坛。
要退订此论坛并停止接收此论坛的电子邮件，请发送电子邮件到shlug+un...@googlegroups.com。
要查看更多选项，请访问https://groups.google.com/d/optout。

--

彼節者有間，而刀刃者無厚；以無厚入有間，恢恢乎其於游刃必有餘地矣。
blog: http://shell909090.org/blog/

twitter: @shell909090
about.me: http://about.me/shell909090

[none_nobody]

There are other services that run on Linux and Unix systems, such as the CUPS printing system, that are similarly dependent on Bash that could be vulnerable.

There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
 this is a test

[none_nobody]

ftp.gnu 上下载源代码 bash-4.2 并 patch48， bash-4.3 并 patch25 ,

经测试依然无效。自求多福吧。

[none_nobody]

ubuntu-14.04.1LTS update 有效。

[孑影]

有更新了木
#风起看云涌，叶落品人生#

[孑影]

opensuse

zypper update bash 到 bash-4.2-68.4.1

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

#风起看云涌，叶落品人生#

[孑影]

$ bash --version
GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

vulnerable
this is a test

喵，debian 系列的 也有更新了
sudo apt-get upgrade -y

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

#风起看云涌，叶落品人生#

[Shell Xu]

试试这个

env X='() { (a)=>\' sh -c "echo date"; cat echo

您收到此邮件是因为您订阅了 Google 网上论坛的“Shanghai Linux User Group”论坛。
要退订此论坛并停止接收此论坛的电子邮件，请发送电子邮件到shlug+un...@googlegroups.com。
要查看更多选项，请访问 https://groups.google.com/d/optout。

[Aaron Zhou]

$ bash --version

GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)

Copyright (C) 2007 Free Software Foundation, Inc.

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

vulnerable

this is a test

Mac用户脸一黑。。喵。。

Thx & Regards

aaron67
http://aaron67.cc

[孑影]

mac 没有人修吗 ？ update 一下吧 不是服务器，也不用怕的
#风起看云涌，叶落品人生#

[Phil Xiaojun Hu]

On Fri, Sep 26, 2014 at 12:38:06AM +0800, 孑影 wrote:
> mac 没有人修吗 ？ update 一下吧 不是服务器，也不用怕的

OS X 这边苹果出系统更新的速度肯定比不上社区啊。homebrew
也没法管理系统的 binary.

不是服务器依然还是有被攻击的可能啊，如果用了什么客户端会
执行 bash 脚本，而且用环境变量传参的话还是会中招啊，假如
连接的服务器上有恶意代码的话。

[PengEdy]

OS X的修复方法：https://ruby-china.org/topics/21720

在 2014年9月26日星期五UTC+8上午12时38分15秒，孑影写道：

>> >>> 要退订此论坛并停止接收此论坛的电子邮件，请发送电子邮件到shlug+unsubscribe@googlegroups.com。

>> >>> 要查看更多选项，请访问https://groups.google.com/d/optout。
>>
>> --
>> -- You received this message because you are subscribed to the Google
>> Groups Shanghai Linux User Group group. To post to this group, send email to
>> sh...@googlegroups.com. To unsubscribe from this group, send email to
>> shlug+un...@googlegroups.com. For more options, visit this group at
>> https://groups.google.com/d/forum/shlug?hl=zh-CN
>> ---
>> 您收到此邮件是因为您订阅了 Google 网上论坛的“Shanghai Linux User Group”论坛。

>> 要退订此论坛并停止接收此论坛的电子邮件，请发送电子邮件到shlug+unsubscribe@googlegroups.com。

>> 要查看更多选项，请访问 https://groups.google.com/d/optout。
>
>
>
>
> --
> 彼節者有間，而刀刃者無厚；以無厚入有間，恢恢乎其於游刃必有餘地矣。
> blog: http://shell909090.org/blog/
> twitter: @shell909090
> about.me: http://about.me/shell909090
>
> --
> -- You received this message because you are subscribed to the Google Groups
> Shanghai Linux User Group group. To post to this group, send email to
> sh...@googlegroups.com. To unsubscribe from this group, send email to
> shlug+un...@googlegroups.com. For more options, visit this group at
> https://groups.google.com/d/forum/shlug?hl=zh-CN
> ---
> 您收到此邮件是因为您订阅了Google网上论坛中的“Shanghai Linux User Group”论坛。

> 要退订此论坛并停止接收此论坛的电子邮件，请发送电子邮件到shlug+unsubscribe@googlegroups.com。

> 要查看更多选项，请访问https://groups.google.com/d/optout。
>
>
> --
> -- You received this message because you are subscribed to the Google Groups
> Shanghai Linux User Group group. To post to this group, send email to
> sh...@googlegroups.com. To unsubscribe from this group, send email to
> shlug+un...@googlegroups.com. For more options, visit this group at
> https://groups.google.com/d/forum/shlug?hl=zh-CN
> ---
> 您收到此邮件是因为您订阅了Google网上论坛中的“Shanghai Linux User Group”论坛。

> 要退订此论坛并停止接收此论坛的电子邮件，请发送电子邮件到shlug+unsubscribe@googlegroups.com。
> 要查看更多选项，请访问https://groups.google.com/d/optout。

[Gmail-Mailbox]

Macports

If you're running bash from MacPorts, the update process below gets you a bash version 4.3.25 which has the fix for the vulnerability. This which is useful if you have changed shells to use mac ports bash to get the version 4 features.

It will not solve the issue of standard OS scripts as the have #!/bin/sh or #!/bin/bash as the first line. (This sort of issue is why macports tries not to use Apple's supplied versions of programs as macports tends to be updated quicker e.g. it has a newer version of bash)

$ sudo port selfupdate
$ sudo port upgrade bash

Note that this still leaves you with a vulnerable system bash; you need to update the MacPorts bash in addition to patching the system bash as described above.

要退订此论坛并停止接收此论坛的电子邮件，请发送电子邮件到shlug+un...@googlegroups.com。
要查看更多选项，请访问https://groups.google.com/d/optout。

[david pu]

我自己安装的OK的，我的脚本：https://gist.github.com/DavidPu/1338c567cfe7b0f6d18a

> --
> -- You received this message because you are subscribed to the Google Groups
> Shanghai Linux User Group group. To post to this group, send email to
> sh...@googlegroups.com. To unsubscribe from this group, send email to
> shlug+un...@googlegroups.com. For more options, visit this group at
> https://groups.google.com/d/forum/shlug?hl=zh-CN
> ---
> 您收到此邮件是因为您订阅了Google网上论坛中的“Shanghai Linux User Group”论坛。
> 要退订此论坛并停止接收此论坛的电子邮件，请发送电子邮件到shlug+un...@googlegroups.com。
> 要查看更多选项，请访问https://groups.google.com/d/optout。



--

() ASCII Ribbon Campaign
/\ Keep it simple!

[Gmail-Mailbox]

我用的这个方法，也是没有问题的。MAC OSX 10.9.5

System Binaries

OS X 10.9.5 (the latest stable release at the moment) ships with Bash v3.2.51:

$ bash --version
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

You can obtain and recompile Bash as follows, providing that you have Xcode installed:

$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0    
$ cd ..
$ xcodebuild
$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old
$ build/Release/bash --version # GNU bash, version 3.2.52(1)-release
$ build/Release/sh --version   # GNU bash, version 3.2.52(1)-release
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin

After this, the Bash version should be v3.2.52:

$ bash --version
GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin13)

Copyright (C) 2007 Free Software Foundation, Inc.

For security, and after testing, I recommend that you chmod -x the old versions to ensure they aren't re-used, or move them to a backup site.

$ sudo chmod a-x /bin/bash.old /bin/sh.old

您收到此邮件是因为您订阅了 Google 网上论坛的“Shanghai Linux User Group”论坛。

[liyaoshi]

huang@ubuntu:~/build$ bash --version
GNU bash, version 4.2.25(1)-release (x86_64-pc-linux-gnu)

Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

没事老装机还是有好处的

[david pu]

4.2.25?我这都打到第48个patch了。。

$ bash --version
GNU bash, version 4.2.48(1)-release (x86_64-unknown-linux-gnu)

Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[Chaos Eternal]

我知道openvpn会执行client端脚本，不知道谁做个概念验证？

还是尽早切换到guile-scsh吧

[david pu]

据说还要补，哈哈哈：https://twitter.com/taviso/statuses/514887394294652929
4.2的patch level到50了瞬间

[August]

把默认shell换了吧

[Shell Xu]

我TM忍不了了。。。

[Chaos Eternal]

我觉得这玩意得推倒重写才行。

大伙儿换guile-scsh吧，哈哈哈

[Chaos Eternal]

另外，虽然我是FSF神教的虔诚教徒，
但是我觉得FSF这回的回应实在有点说不过去

诚然，作为自由软件, bash在出现Bug之后可以很快的得到修复，并且所有的责任都由用户自己承担，
但是FSF的声明里面绝口不提Bug什么时候能得到修复，以及如何可以消除影响；
更进一步，一个“无辜”的用户经过七拐八折之后由于他用的某个设备所连接的服务器上运行的一个程序所访问的另一台服务器上的一个dhcp-client脚本中枪，问题是，到底他算不算那个脚本的用户，以及他到底有没有选择是否运行那个脚本的自由，以及，他是否可以选择不运行那个bash?
无辜中枪的他，发誓要把所有的软件都埋在大漩涡的底部，但是他不是使用挖掘机，无奈的他仰天长叹：挖掘机学校到底哪家强！！！

[liyaoshi]

我了个去，这事你居然能拉上蓝翔

看来有救了