Puppy Linux Discussion Forum
BASH exposure expressed as bigger than Heartbleed<SOLUTIONS>
James C


Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

Posted: Sat 27 Sep 2014, 18:30

Shellshock: All You Need to Know About the Bash Bug Vulnerability | Symantec

https://www.youtube.com/watch?v=ArEOVHQu9nk

Quote:
A new vulnerability has been found that potentially affects most versions of the Linux and Unix operating systems, in addition to Mac OS X (which is based around Unix). Known as the “Bash Bug” or “Shellshock,” the GNU Bash Remote Code Execution Vulnerability ( http://www.securityfocus.com/bid/70103 CVE-2014-6271) could allow an attacker to gain control over a targeted computer if exploited successfully.
anikin

Joined: 10 May 2012
Posts: 1020

Posted: Sat 27 Sep 2014, 21:25

A couple of posts back, there's a link to an article in ArsTechnica; the following is a comment from that link.
Quote:
diddum wrote:
One thing that I would really like to know is a list of services I should shut down (like apache2) until this bash madness has been completely fixed.

Is there such a list of possibly affected services ?

Thanks,
a Debian user

If you are using at least Debian squeeze (6.0), you're actually probably in better shape than anyone using Red Hat. Debian links /bin/sh to /bin/dash, so unless a script or executable explicitly calls bash, you're safe.

If you use "ForceCommand" directives in ssh, you can't rely on these if you let your users run bash. (You are effectively letting them get un-restricted shell access instead). But I think you could mitigate this by forcing them to run /bin/sh instead (or let them run mksh; it's significantly more user friendly). And if you don't use "ForceCommand" it doesn't matter.

dhclient runs shell scripts in /etc/dchp/dhclient-enter-hooks.d, /etc/dchp/dhclient-enter-hooks.d but unless something insane was done, it will execute them with /bin/sh unless the script explicitly calls bash.

telnet, rsh, also are good things to disable, but you shouldn't have been using them in the first place.

Check if you run any bash scripts out of inetd/xinetd (probably not).

I don't know, there might be other stuff. But, on Debian, you're actually relatively safe unless somebody did something really stupid. The problem is, you can't really be too sure somebody didn't do something really stupid.

Edit:

You should be careful about the login shells for users. If you have some user that really should be a system user with /bin/no-login, or /bin/False as their shell, but for some reason needs an actual POSIX shell as their login shell, set it to /bin/sh, make sure it's not /bin/bash
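The quoted comment above ties exposure to where bash, rather than /bin/sh, is the interpreter. An inventory of those places, written as an added example that is not part of any post in this thread; the function names and the script name are hypothetical, and the paths to scan are supplied by whoever runs it:

```shell
#!/bin/sh
# Added example (not from the thread): list where bash, rather than
# /bin/sh, is the interpreter that would actually run.

# sh_target: the real file behind /bin/sh (dash on Debian squeeze and later).
sh_target() { readlink -f /bin/sh; }

# bash_login_users PASSWD_FILE: accounts whose login shell (field 7) is bash.
bash_login_users() {
    awk -F: '$7 ~ /(^|\/)bash$/ { print $1 }' "$1"
}

# bash_scripts PATH...: each PATH is a file or a directory of files; prints
# those whose first line is a shebang that invokes bash directly or via env.
bash_scripts() {
    re='^#![[:space:]]*[^[:space:]]*/(bash|env[[:space:]]+bash)([[:space:]]|$)'
    for p in "$@"; do
        for f in "$p" "$p"/*; do
            [ -f "$f" ] || continue
            if head -n 1 "$f" | grep -Eq "$re"; then
                echo "$f"
            fi
        done
    done
    return 0
}

# Usage: sh bash_exposure.sh DIR_OR_FILE...   (script name is hypothetical)
if [ $# -gt 0 ]; then
    echo "/bin/sh is $(sh_target)"
    bash_login_users /etc/passwd | sed 's/^/login shell is bash: /'
    bash_scripts "$@" | sed 's/^/bash shebang: /'
fi
```

Scripts that are sourced by another script carry no shebang of their own, so the script that sources them is the one to pass in.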
prehistoric


Joined: 23 Oct 2007
Posts: 1746

Posted: Sat 27 Sep 2014, 22:06

Just for anyone who might be confused about the difference between a test that fails and one that succeeds, here are the results I've reproduced from an installation of stemsee's Puppy Precise 5.7.1 using the pet produced by dejan555 to fix bash.
Before, fails:
Code:
# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Sat Sep 27 21:55:35 EDT 2014
#

After, succeeds:
Code:
# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
date
cat: /tmp/echo: No such file or directory
#
The syntax error is reported in both cases because that is the way an attacker tricks the parser in bash into parsing code that has been added.
Barkin


Joined: 12 Aug 2011
Posts: 830

Posted: Sat 27 Sep 2014, 23:22

Lucid Puppy 525 apparently fixed using this dejan555 pet ... "bash-4.3.26-1-i486-dpup487.pet" [437 KB]
on page ... http://www.murga-linux.com/puppy/viewtopic.php?p=800926#800926
[Attachment: before-after-ShellShock-fix.gif. Description: before fix "vulnerable", after fix "error importing function definition for `x'"]
prehistoric


Joined: 23 Oct 2007
Posts: 1746

Posted: Sun 28 Sep 2014, 08:41

@Barkin,

I actually prefer the more complicated test used by cimarron. The date function has to be executed to produce that new text, and a file created as a result. With the simple test you used I would worry that a mix-up in quoting gave me a false assurance that a vulnerable system was safe.

Added: I can now report that the fix for Fatdog 700 b1 (bash-4.2-x86_64-3.txz) works there, and that extracting the executable file from the tarball and copying it to /bin also works in Fatdog 630-631. (You need to do this manually because the package format has been changed between the 600 and 700 series.)

Here are James Bond's instructions copied from the 631 topic:

Quote:
1. Get bash-4.2-x86_64-3.txz from 700 repo.
2. mkdir /tmp/xxx
3. cd /tmp/xxx
4. tar -xf /path/to/downloaded/bash-4.2-x86_64-3.txz
5. try to run ./bin/bash --version (version should be 4.2.49)
6. if this is good then cp ./bin/bash /bin
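cimarron's test wrapped so that it can be pointed at one particular binary, for instance the extracted ./bin/bash from step 5 before it is copied over /bin/bash in step 6. This is an added example, not part of any post in this thread; the function name check_bash and the script name are hypothetical. It runs in a private directory and reports "error" when neither expected outcome appears, which covers the quoting mix-up mentioned above:

```shell
#!/bin/sh
# Added example (not from the thread): run cimarron's check against one
# specific bash binary and turn the outcome into a single verdict.

# check_bash BINARY
#   prints "vulnerable", "patched" or "error"; returns 0 only for "patched".
check_bash() {
    bin=$1
    [ -x "$bin" ] || { echo "error"; return 2; }
    # Make the path absolute, because the test runs in another directory.
    case $bin in
        /*) ;;
        *)  bin=$(pwd)/$bin ;;
    esac
    work=$(mktemp -d) || { echo "error"; return 2; }

    # Same command line as the thread's test, but run inside a private
    # directory so a stale /tmp/echo cannot decide the result.
    out=$(cd "$work" && env 'x=() { (a)=>\' "$bin" -c "echo date" 2>/dev/null) || :

    if [ -e "$work/echo" ]; then
        verdict=vulnerable      # "date" was executed and redirected to ./echo
    elif [ "$out" = "date" ]; then
        verdict=patched         # the word "date" was merely echoed
    else
        verdict=error           # neither outcome seen: do not trust this run
    fi
    rm -rf "$work"
    echo "$verdict"
    [ "$verdict" = patched ]
}

# Usage: sh check_bash.sh /tmp/xxx/bin/bash   (script name is hypothetical)
if [ $# -gt 0 ]; then
    check_bash "$1"
fi
```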
Barkin


Joined: 12 Aug 2011
Posts: 830

Posted: Sun 28 Sep 2014, 12:02

prehistoric wrote:
@Barkin,

I actually prefer the more complicated test used by cimarron. The date function has to be executed to produce that new text, and a file created as a result. With the simple test you used I would worry that a mix-up in quoting gave me a false assurance that a vulnerable system was safe.
[Attachment: cimarron test result on puppy 525 after fix.gif. Description: Puppy 525, kernel 2.6.33.2, after ShellShock fix from dejan555]

michaellowe


Joined: 17 Dec 2011
Posts: 69
Location: The Garden

Posted: Sun 28 Sep 2014, 14:51    Post subject: bash_4.2-2ubuntu2.3_i386.deb passed test on Precise 5.7.1

Hello everyone, firstly thank you to @cimarron and @Geoffrey for your help, very much appreciated! I thought the least I could do was let everyone know who was concerned, or anyone reading this in the near future, that the patch described in the subject of this post seems to have passed the test and the

"no such file or directory"

response was returned in the terminal as opposed to the date etc., so I am very happy with the result. Apart from that, yes, I agree the media can get a bit hyped when it comes to such things, probably because half the idiots have big mouths with very small brains and don't actually understand what is at stake. Please see screenshot for noobs' sake. ;)
[Attachment: bash up to date.png]


_________________
Smash forehead on keyboard to continue.....
well thats at least how some of us deal with ba$h !
michaellowe


Joined: 17 Dec 2011
Posts: 69
Location: The Garden

Posted: Sun 28 Sep 2014, 15:03    Post subject: You learn something new everyday!

prehistoric wrote:
@Kester,

You can also save yourself some tricky typing by simply highlighting the test command in your browser, directly from this web page, and then doing a "middle-click" in your console window. This will copy highlighted text without needing a cut-and-paste.


Who would have thought??!!! Thank you Prehistoric for suggesting this. Now don't get me wrong, I like typing and I'm keyboard-centric, so I love hotkeys and keyboard shortcuts etc., but sometimes, when executing complicated scripts like the bash up-to-date test, one is pressed for time, and this neat little trick that you have shared with us mere mortal noobs is so appreciated. Do you know how long I trawled the internet for this? Google was useless! This did not come close in the search! So I thank you again for sharing the knowledge! Brilliant! I got the impression from one forum that if you are running a GNOME desktop the copy and paste function does not work in the terminal, and I tried it many moons ago; it doesn't.
Saving time is always appreciated, thanks! :D

michaellowe


Joined: 17 Dec 2011
Posts: 69
Location: The Garden

Posted: Sun 28 Sep 2014, 15:08    Post subject: Re: BASH exposure expressed as bigger than Heartbleed.

Kester wrote:


I have considered removing Puppy Precise 5.7.1 from my dual boot (XP Pro) system by booting up my XP installation disc, opening the 'Repair' option and running 'fixmbr'. I would then return to using live discs for Puppy but perhaps there is no need to take such a drastic step - it's a question of lack of confidence caused by a lack of knowledge on my part. I'm more confident with Windows XP because I know it better but like Puppy very much and decided on dual booting for security reasons when Microsoft support for XP finished - I though I use Puppy for the bulk of my internet activity, so this Bash issue is a little ironic.


@Kester you could simply run as Spot whenever you want to browse the internet and then su privileges are removed making you less vulnerable if you were still worried about web pages being served from insecure webservers.

Please, any of you puppy masters, feel free to correct me if I am wrong. ;)

James C


Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

Posted: Sun 28 Sep 2014, 15:48

cimarron wrote:
As I posted above, to check if the new (second) fix is working, paste this line into the terminal:
Code:
cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo


If your system is vulnerable, the time and date information will be output on the screen (and a file called /tmp/echo will be created):
Code:
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014


If your system is not vulnerable, you will see output similar to:
Code:
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
date
cat: /tmp/echo: No such file or directory




I just updated an old Mepis 11 install...... based on Debian Squeeze. Results>

Code:
james@mepis1:~$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory
dogle

Joined: 11 Oct 2007
Posts: 398

Posted: Sun 28 Sep 2014, 17:06    Subject description: Puppy 4.3.1

Application of dejan555's
http://meownplanet.net/dejan/dpup487/pkgs/bash-4.3.26-1-i486-dpup487.pet
to Puppy 4.3.1 produces the desired change in the result of cimarron's test.

Many thanks, folks.
headfound


Joined: 24 Jun 2006
Posts: 375
Location: England

Posted: Sun 28 Sep 2014, 17:23

dejan555's latest bash fixes the problem in precise 5.6.1
thank you :)

_________________
Download a better Computer Smile
Puppy Linux Song
www.letterbyletter.co.uk
Geoffrey


Joined: 30 May 2010
Posts: 2377
Location: Queensland

Posted: Sun 28 Sep 2014, 22:12

N̶e̶w̶ ̶u̶p̶d̶a̶t̶e̶ ̶p̶a̶t̶c̶h̶ ̶0̶2̶7̶,̶ ̶c̶o̶m̶p̶i̶l̶e̶d̶ ̶i̶n̶ ̶C̶a̶r̶o̶l̶i̶n̶a̶.̶
New update patch 030, compiled in Carolina.

bash-4.3.30-1.pet

bash_DOC-4.3.30-1.pet

bash_NLS-4.3.30-1.pet

_________________
Carolina: Recent Repository Additions


Last edited by Geoffrey on Thu 14 May 2015, 15:29; edited 2 times in total
watchdog

Joined: 28 Sep 2012
Posts: 1874
Location: Italy

Posted: Mon 29 Sep 2014, 03:42

Geoffrey wrote:
New update patch 027, compiled in Carolina.
<CUT>
Frisbee appears to be working with this version


Good job. Tested working for puppy 4.3.1, slacko 5.3.3, lucid 5.28, wary 5.3, precise 5.7.1, slacko 5.7. It passes cimarron's test. Tested frisbee in precise and slacko: it's working with the new bash patch. Thanks.
Kester
Guest


Posted: Mon 29 Sep 2014, 06:35

@michaellowe

Thanks for your post. I tried to log in with Spot but got the following:

# su --login spot
su: unrecognized option '--login'
BusyBox v1.21.0 (2013-02-18 15:57:06 WST) multi-call binary.

Usage: su [OPTIONS] [-] [USER]

Run shell under USER (by default, root)

-,-l Clear environment, run shell as login shell
-p,-m Do not set new $HOME, $SHELL, $USER, $LOGNAME
-c CMD Command to pass to 'sh -c'
-s SH Shell to use instead of user's default

#

Any further advice would be appreciated thanks.

Regards, Kester.