
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

1 votes
0 answers
376 views
Source code of the patches for Shellshock
I have a project for my grad level OS class, and I have decided to choose the Shellshock vulnerability bugs as my topic. There is a lot of great information out there, but I was curious if it is possible to get the source code of patches that resolved the bugs related to Shellshock. Namely, CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187. I was able to find some source code here, but I was wondering if anyone could point me to a comprehensive list of patch source. Or, which would be great, if someone could explain how I can access the patch source on my machine (since I have upgraded my machine and am no longer vulnerable).
heez (111 rep)
Mar 2, 2015, 03:05 PM • Last activity: Mar 18, 2019, 01:57 AM
7 votes
1 answers
5133 views
What is the severity of the new bash exploit (shellshock)?
I've been reading up about the remote bash exploit and was wondering how severe it is and if I should be worried, especially since a new exploit has been found after the patch release. What does this mean for me as someone who uses Debian as my main desktop OS? Is there anything I should be aware of?
stanri (1016 rep)
Sep 25, 2014, 10:19 AM • Last activity: Feb 10, 2019, 07:20 PM
124 votes
2 answers
21786 views
When was the shellshock (CVE-2014-6271/7169) bug introduced, and what is the patch that fully fixes it?
**Some context about the bug: [CVE-2014-6271](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271)**

> Bash supports exporting not just shell variables, but also shell functions to other bash instances, via the process environment to (indirect) child processes. Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment. The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition. For example, an environment variable setting of
>
>     VAR=() { ignored; }; /bin/id
>
> will execute /bin/id when the environment is imported into the bash process.

Source: http://seclists.org/oss-sec/2014/q3/650

**When was the bug introduced, and what is the patch that fully fixes it?** (See [CVE-2014-7169](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169))

What are the vulnerable versions beyond noted in the CVE (initially) (3.{0..2} and 4.{0..3})?

**Has the buggy source code been reused in other projects?**

Additional information is desirable.

---

Related: [What does env x='() { :;}; command' bash do and why is it insecure?](https://unix.stackexchange.com/questions/157329/what-does-env-x-command-bash-do-and-why-is-it-insecure)
Deer Hunter (1886 rep)
Sep 25, 2014, 03:53 AM • Last activity: Jan 15, 2019, 02:47 PM
6 votes
5 answers
11200 views
How do I update bash on EOL Ubuntu versions?
I.e. can I find a close enough package in the next nearest distro? Or is it complicated, and compiling from source is better? Or can I grab it from debian? (This question is about at least Ubuntu 11.10 and 12.10; I'm betting others are hitting this, so if the advice is different depending on exactly which end-of-lifed Ubuntu, it might help to say how!) P.S. "Upgrade" will not be accepted as an answer ;-) I know that, but sometimes retiring/upgrading/replacing a server takes time, and I'd like to get bash patched first.
Darren Cook (1034 rep)
Sep 26, 2014, 08:39 AM • Last activity: Aug 6, 2018, 03:37 AM
69 votes
3 answers
68422 views
how can shellshock be exploited over SSH?
Apparently, the shellshock Bash exploit [CVE-2014-6271](http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html) can be exploited over the network via SSH. I can imagine how the exploit would work via Apache/CGI, but I cannot imagine how that would work over SSH? Can somebody please provide an example how SSH would be exploited, and what harm could be done to the system?

### CLARIFICATION

AFAIU, only an authenticated user can exploit this vulnerability via SSH. What use is this exploit for somebody, who has legitimate access to the system anyway? I mean, this exploit does not have privilege escalation (he cannot become root), so he can do no more than he could have done after simply logging in legitimately via SSH.
Martin Vegter (598 rep)
Sep 25, 2014, 01:44 PM • Last activity: May 10, 2018, 10:53 AM
4 votes
1 answers
1908 views
Point of the semicolon in this shellshock attack
I was reviewing a shellshock attack and didn't understand this piece of code:

    curl -v http://localhost/cgi-bin/shellshock.cgi -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "

The part that I don't understand is the function of the `echo ;` in the actually executed command on the remote machine between echoing the Content-Type and /bin/cat on /etc/passwd. What is the function of `echo ;` here? Thanks.
henry (43 rep)
Jan 20, 2018, 12:54 AM • Last activity: Jan 20, 2018, 01:23 AM
250 votes
5 answers
116232 views
What does env x='() { :;}; command' bash do and why is it insecure?
There is apparently a vulnerability (CVE-2014-6271) in bash: Bash specially crafted environment variables code injection attack

I am trying to figure out what is happening, but I'm not entirely sure I understand it. How can the `echo` be executed as it is in single quotes?

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test

---

**EDIT 1**: A patched system looks like this:

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

**EDIT 2**: There is a related vulnerability / patch: [CVE-2014-7169](https://access.redhat.com/articles/1200223) which uses a slightly different test:

    $ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

*unpatched output*:

    vulnerable
    bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
    bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
    bash: error importing function definition for `BASH_FUNC_x'
    test

*partially (early version) patched output*:

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    bash: error importing function definition for `BASH_FUNC_x()'
    test

*patched output* up to and including CVE-2014-7169:

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `BASH_FUNC_x'
    test

**EDIT 3**: story continues with:

* [CVE-2014-7186](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186)
* [CVE-2014-7187](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187)
* [CVE-2014-6277](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277)
jippie (14566 rep)
Sep 24, 2014, 08:02 PM • Last activity: Mar 24, 2017, 07:45 AM
9 votes
2 answers
388 views
Why is the ability to define functions in an environmental variable not a security risk in itself?
As I understand it, generally it is considered safe to let anyone provide information that will be stored in an environmental variable. The shellshock vulnerability is an issue here because it means that code at the end of a function definition inside an environmental variable will be executed when a new instance of bash launches and you obviously don't want anyone to run any code they please on your server. Function definitions themselves are apparently not a security risk though and are allowed because they have to be explicitly called for their code to be executed. My question is why can't a malicious user simply define a function, containing their malicious code as a common command like ls and then hope that the script (or whatever is being run) will use this command at some point? An example of what I have in mind:

    $ export ls='() { echo "doing bad things..."; }'
    $ bash -c ls
    doing bad things...
Reed Espinosa (285 rep)
Sep 26, 2014, 04:16 PM • Last activity: Dec 31, 2016, 01:06 AM
2 votes
0 answers
2107 views
How to test shellshock against remote machine using a simple script
I am interested in testing for shellshock vulnerable machines that I don't have shell access to on my LAN's and WAN's such as IPMI cards and Internet of Things devices. What is the best way to remotely verify the vulnerability on machines? Does anybody have a simple shell script that can be run? I want to avoid using any websites that do this test as they may actually take advantage of the information gained by running the tests on vulnerable machines.
Timothy C. Quinn (519 rep)
Sep 25, 2014, 06:25 PM • Last activity: Sep 25, 2016, 12:31 AM
0 votes
1 answers
360 views
Inconsistent shellshock exploitation
I am trying to demonstrate the shellshock vulnerability according to the commands posted [here](https://serverfault.com/questions/631257/how-to-test-if-my-server-is-vulnerable-to-the-shellshock-bug). I have taken two systems under consideration: the first one has a vulnerable bash in $PATH; the other has a patched version of bash in $PATH, and a "supposedly vulnerable" version in /opt/vulnerable, that has been compiled from source.

On the **first system**, I am able to successfully exploit the bug:

    $ bash --version
    GNU bash, version 4.1.2(1)-release (i386-redhat-linux-gnu)
    [...]
    $ cat env x='() { :;}; echo vulnerable' bash -c "echo this is a test" > EOM
    vulnerable
    this is a test

On the **second system**, as described above, there is a patched bash in $PATH and a recently (as in a few hours ago) compiled from source version of bash in /opt/vulnerable that should be vulnerable:

    $ bash --version
    GNU bash, version 4.3.11(1)-release (i686-pc-linux-gnu)
    [...]
    $ /opt/vulnerable/bin/bash
    GNU bash, version 4.1.0(1)-release (i686-pc-linux-gnu)
    [...]

I'm passing these commands through the default version to the vulnerable version, and I'm unable to exploit it:

    $ cat env x='() { :;}; echo vulnerable' bash -c "echo this is a test" > EOM
    this is a test

I've also tried using [this](https://github.com/wreiske/shellshocker/blob/master/shellshock_test.sh) script for testing, but it fails to detect any vulnerability. (The command has been issued from the default, patched shell):

    $ /opt/vulnerable/bin/bash shellshock_test.sh
    CVE-2014-6271 (original shellshock): not vulnerable
    CVE-2014-6277 (segfault): not vulnerable
    CVE-2014-6278 (Florian's patch): not vulnerable
    CVE-2014-7169 (taviso bug): not vulnerable
    CVE-2014-7186 (redir_stack bug): not vulnerable
    CVE-2014-7187 (nested loops off by one): not vulnerable
    CVE-2014-//// (exploit 3 on http://shellshocker.net/) : not vulnerable

Am I doing something wrong here? Or have all bash source archives on ftp.gnu.org been patched against this vulnerability?
user48923
Nov 18, 2015, 04:02 PM • Last activity: Nov 19, 2015, 12:00 AM
2 votes
2 answers
234 views
Correct way to find this (shellshock patch) package?
I was out to patch some squeeze servers for the shellshock bug. A few googles later I found that I could update my apt sources list. This did however not work for some reason. I tried to search for the package at packages.debian.org without luck. It took me a good while to find this post, which was the solution to my problems. My question is, how can I find these packages directly, without finding a blog post about them? Am I just looking at the wrong place at packages.debian.org? I tried listing all squeeze and squeeze-updates packages, and I only found non-patched bash packages.
Marcus Johansson (753 rep)
Sep 26, 2014, 07:57 AM • Last activity: Oct 30, 2015, 06:22 PM
19 votes
1 answers
992 views
How was the Shellshock Bash vulnerability found?
Since this bug affects so many platforms, we might learn something from the process by which this vulnerability was found: was it an εὕρηκα (eureka) moment or the result of a security check? Since we know Stéphane found the Shellshock bug, and others may know the process as well, we would be interested in the story of how he came to find the bug.
Faheem Mitha (36008 rep)
Oct 15, 2014, 03:44 PM • Last activity: Dec 19, 2014, 10:54 PM
2 votes
1 answers
1133 views
Can the shellshock bug be exploited to run a command as a privileged user?
I am curious to know if the following command could be executed on a system/server with the Shellshock bug:

    curl -H "User-Agent: () { :; }; sudo /bin/eject" http://example.com/

(This code is an elaborated version of an example here: http://blog.cloudflare.com/inside-shellshock/)

From what I understand the bug would allow one to inject code into the system but not necessarily execute code with elevated privileges. If this is not possible is there another way that code could be injected to give a hacker root privileges? No examples necessary, I am simply curious as to the extent of damage this bug could potentially cause.

**I have no malicious intent, I ask out of curiosity.**
Orando (55 rep)
Dec 11, 2014, 10:19 PM • Last activity: Dec 12, 2014, 12:26 AM
-1 votes
1 answers
187 views
how to patch bash vulnerability (shellshock) bug on RHEL?
We have over 10000 servers to patch for bash vulnerability (shellshock) bug. Now my question is what is the command to patch this bug? And how we can check whether the patch has been installed and the bug has been fixed?
Srv (13 rep)
Nov 13, 2014, 03:37 PM • Last activity: Nov 13, 2014, 03:56 PM
0 votes
1 answers
363 views
Is my linux mint box vulnerable to Shell-Shock attacks? How might I remedy that?
Is it safe to use Linux Mint now, with ShellShock existing? If not, what can I do to use Mint safely?
Michael (13 rep)
Nov 3, 2014, 06:35 PM • Last activity: Nov 4, 2014, 11:47 PM
11 votes
4 answers
10959 views
Legacy Debian versions and Bash Shellshock
We are running Debian Etch, Lenny and Squeeze because upgrades have never been done in this shop; we have over 150 systems running various Debian versions. In light of the "shell shock" of this week, I assume I need to upgrade bash. I do not know Debian so I am concerned. Can I merely execute apt-get install bash on all of my Debian systems and get the correct Bash package while my repository is pointed at a Squeeze entry. If not, what other course of action do I have?
DavidH (111 rep)
Sep 26, 2014, 06:32 PM • Last activity: Oct 22, 2014, 09:59 AM
0 votes
2 answers
214 views
Is one bash shellshock fix tar file for SLES bad?
    SERVER:/home/user # rpm -Uvh --test readline-5.1-24.4.7406.0.PTF.898762.i586.rpm
    warning: readline-5.1-24.4.7406.0.PTF.898762.i586.rpm: V3 DSA signature: NOKEY, key ID b37b98a9
    error: Failed dependencies:
    readline = 5.0-9 is needed by (installed) readline-devel-5.0-9
    SERVER:/home/user # rpm -qa | grep -i readl*
    readline-5.0-9
    perl-TermReadKey-2.30-2
    readline-devel-5.0-9
    SERVER:/home/user # tar -xvf ssbash10GA-i386.tar
    bash-3.1-24.4.7406.0.PTF.898762.i586.rpm
    readline-5.1-24.4.7406.0.PTF.898762.i586.rpm
    SERVER:/home/user #

It looks like the readline-devel is missing from ssbash10GA-i386.tar from: https://download.suse.com/Download?buildid=nNXClbWqawg~

**Question:** am I understanding this correctly?
thequestionthequestion (345 rep)
Oct 15, 2014, 08:31 AM • Last activity: Oct 15, 2014, 09:59 AM
1 votes
2 answers
2360 views
Is FreeBSD's "sh" shell vulnerable to Shellshock?
I've got a server for personal use running FreeBSD 10, and it doesn't have Bash installed and never did. However, it comes with its own POSIX-compliant shell "sh". Do I have to worry about the Shellshock bug on my server? I tried running this infamous shell script and **didn't** get the "vulnerable" echo, but I don't know if that ensures that I am safe:

    env x='() { :;}; echo vulnerable' sh -c 'echo hello'
sudo (342 rep)
Sep 27, 2014, 05:32 AM • Last activity: Oct 11, 2014, 07:42 PM
1 votes
1 answers
2893 views
How can I update BASH
How can I update BASH? I noticed that there is version 4.2.45

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    this is a test
    cat /etc/redhat-release
    CentOS release 5.11 (Final)
    rpm -q bash
    bash-3.2-33.el5_11.4
    yum update bash
    Setting up Update Process
    No Packages marked for Update
CER BiH (31 rep)
Oct 10, 2014, 01:37 PM • Last activity: Oct 10, 2014, 10:12 PM
1 votes
1 answers
2327 views
Shellshock - not vulnerable with bash version 4.1?
We have several Amazon servers. It has bash version 4.1.2. Kaspersky claims that all bash versions up to 4.3 are unsafe. When I do this test... env x='() { :;}; echo vulnerable' bash -c 'echo hello' ... it returns: hello, and even though Lifehacker says that I should get an error back: bash: warning: x: ignoring function definition attempt bash....., I guess the simple "hello" is good enough. Still I'm in doubt. Can you explain what info I can trust?
SPRBRN (1125 rep)
Oct 9, 2014, 02:08 PM • Last activity: Oct 10, 2014, 01:18 AM
Showing page 1 of 20 total questions