
By Scott Simpson

Protect Your System from the Shellshock Bash Exploit


On Wednesday, the world learned about a bug in the popular Unix, Linux, and Mac OS X command line interpreter Bash.

Discovered by engineers at Red Hat, this bug is known as Shellshock, and allows an attacker to run commands in the Bash shell. Since the bug was announced, Bash has been updated for the major platforms it affects—so it’s pretty easy to update and protect systems.

But there’s a problem: Bash is so widespread, and installed on so many devices—such as cable modems, routers, and other devices with embedded Linux operating systems—that it will be difficult, if not impossible, to fully patch everything that’s affected. (Windows users are generally unaffected by Shellshock, unless they’ve specifically installed Bash along with Cygwin, Git Bash, or other third-party packages.)

And that’s what makes it so important to update and protect what you’re able to fix.

A quick bit of test code has been making the rounds on the Internet, which lets you know whether the version of Bash you have installed is vulnerable to Shellshock. In particular, it sets an environment variable, in this case x, to a malformed function definition with an extra command after it:

env x='() { :;}; echo vulnerable' bash -c "echo done running"

Paste that into the command line on your system, being sure to get the quotes right: single quotes after “x=”, and also after “vulnerable”, and double quotes around “echo done running”. Make sure that your system hasn’t converted them to smart quotes.

If your version of Bash is vulnerable, the shell will incorrectly interpret this environment function, and will execute the command after it—in this case, a very innocent ‘echo’ command that prints the word ‘vulnerable’.

[Screenshot: terminal output of the test command]

And you can see that’s exactly what happened. An attacker could use similar code, but with a more malicious command or set of commands. This code could be delivered in various ways, such as through a CGI script on a web server.

Now let’s take a look at how to fix it.

Updating Bash on Ubuntu / Debian

On Ubuntu, you’ll want to make sure to get the latest information from the update repositories:

sudo apt-get update

And then you’ll want to get the latest version of bash:

sudo apt-get install bash

Next, restart the system.

You’ll then run the test code from earlier. Here I’ll do the same:

[Screenshot: terminal output of the test command]

In my example, you can see that instead of ‘vulnerable’, I get some errors: the updated version of Bash caught the malformed definition and reacted correctly.

Updating Bash on CentOS / Red Hat

On CentOS, you’ll need to install the latest version of Bash:

sudo yum update bash

Then restart the system.

After that, run the test code. It’s catching the problem now, instead of executing the code it shouldn’t be running:

[Screenshot: terminal output of the test command]

Updating Bash on Mac OS X

On Mac OS X, the operation gets a little bit more complicated. The Mac platform doesn’t have a package manager like apt or yum provided by Apple, so we’ll need to either build an updated version of Bash from source, or use one of the third-party package managers that are available. If you’re running Mac OS X Yosemite, the upcoming release of OS X, Apple’s just released a Bash update that takes care of this automatically, as well.

Heads up: although I’ll step through how to update Bash using the command line below, I strongly recommend that you use any official software update that Apple provides, when it becomes available. If you’re not a developer, or are unfamiliar with command line workflows, it’s probably in your best interest to use Apple’s official patch.

Using the Homebrew Package Manager

First let’s take a look at updating Bash with the Homebrew package manager.

Homebrew is a package manager, similar to apt or yum, which allows Mac users to install open-source packages from the command line. Further information about Homebrew is available on their website, at brew.sh. To install it, paste this line into your Terminal:

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Then, run:

brew doctor
brew update

And type:

brew upgrade bash

This will download and build the current version of Bash, and put it into a private folder: /usr/local/Cellar/bash/4.3.25/bin.

You’ll need to replace your system’s copy of Bash with this version. First make a backup copy of the existing version:

sudo cp /bin/bash /bin/bash.previous

And make sure a clever attacker can’t easily run your backup copy:

sudo chmod a-x /bin/bash.previous

Then copy Brew’s version to your /bin folder:

sudo cp /usr/local/Cellar/bash/4.3.25/bin/bash /bin

And restart your system.

Running the test code, I can see that this version of Bash is patched.

[Screenshot: terminal output of the test command]

Building from source

Next let’s take a look at building Bash from source. To do this, you’ll need the Xcode developer tools, available from Apple. I’ll download the source code for Bash from Apple:

curl -O https://opensource.apple.com/tarballs/bash/bash-92.tar.gz

Then unpack it:

tar zxf bash-92.tar.gz

Go into the source code folder:

cd bash-92
cd bash-3.2

After that, I’ll download the patched code from the GNU Foundation:

curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0

and I’ll pipe it to the patch command to apply the changes.

I’ll move up a directory:

cd ..

Then I’ll use xcodebuild to build the source code:

sudo xcodebuild

This leaves me with two executable files in the Release build folder: bash and sh:

cd build/Release
ls -lah

Now I’ll make backup copies of my existing versions of these, just in case:

sudo cp /bin/bash /bin/bash.previous
sudo cp /bin/sh /bin/sh.previous

And I’ll make them not executable:

sudo chmod a-x /bin/sh.previous /bin/bash.previous

Then replace the old versions with the patched versions:

sudo cp bash /bin
sudo cp sh /bin

I’ll restart the system.

Now, when I run the test code, I can see that my version of Bash has been patched.

[Screenshot: terminal output of the test command]

Of course, you should also keep an eye out for, and install, any relevant firmware updates released by device vendors. Stay safe out there!

For more tips on keeping your system secure, watch IT Security Fundamentals on lynda.com.

UPDATE 5/26/2014

On September 26th, a second vulnerability in Bash was patched. This patch has been added to the Red Hat and Ubuntu repositories, so if you patched your system before the 26th, you’ll need to do it again to get the patch for the second vulnerability. If you haven’t, just follow the steps for your Linux distribution listed below.

The patch has not yet become available for Mac OS X, but Apple reports that they are working on a fix. Mac users, keep an eye out for a Security Update from Apple.

You can test for this vulnerability by pasting this command into your terminal:

env X='() { (a)=>\' sh -c "echo date"; cat echo

If you see the current date and time, your system is vulnerable: the shell is interpreting the ‘echo date’ command incorrectly. It should print ‘date’, but instead it’s running date as a command. It’s innocent in this example, but could be replaced with a malicious command by a less-than-ethical attacker:

[Screenshot: terminal output of the second test command]

If you don’t see the current date and time, your system has a patched version of the shell:

[Screenshot: terminal output of the second test command]
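Both test commands from this article can be wrapped in a small script that checks one specific shell binary at a time, which is useful after copying a rebuilt Bash into /bin. This is an added example, not part of the original article; the function names and the list of paths are assumptions, and the second test runs in a scratch directory because a vulnerable shell writes a file named echo into the current directory.

```shell
#!/bin/sh
# Added example (not from the original article): run both of the article's
# test commands against one specific shell binary and report the result.

# First test: the malformed function definition in x.
# Prints "vulnerable" if the trailing echo ran, otherwise "patched".
check_first() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo done running" 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Second test (from the article's update). A vulnerable shell runs `date`
# and redirects its output to a file named "echo" in the current directory,
# so run it in a scratch directory and look for that file.
check_second() {
    scratch=$(mktemp -d) || return 2
    ( cd "$scratch" && env X='() { (a)=>\' "$1" -c "echo date" >/dev/null 2>&1 ) || true
    if [ -e "$scratch/echo" ]; then verdict=vulnerable; else verdict=patched; fi
    rm -rf "$scratch"
    echo "$verdict"
}

# Report on one binary, given by absolute path (the second test changes directory).
check_shell() {
    if [ ! -x "$1" ]; then
        echo "$1: not-executable"
        return 0
    fi
    echo "$1: first=$(check_first "$1") second=$(check_second "$1")"
}

# Assumed list of locations: the system shells, the backup copy made in the
# article (expected to be not-executable), and the Homebrew path it quotes.
for candidate in /bin/bash /bin/sh /bin/bash.previous \
                 /usr/local/Cellar/bash/4.3.25/bin/bash; do
    check_shell "$candidate"
done
```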

 
