
Shellshock Bash Vulnerability



  • Bot

Hi devs,
I'm not the person who discovered this issue, but I would like to share this with you.

According to source:
On September 24, 2014, a GNU Bash vulnerability, referred to as Shellshock or the "Bash Bug", was disclosed. In short, the vulnerability allows remote attackers to execute arbitrary code given certain conditions, by passing strings of code following environment variable assignments. Because of Bash's ubiquitous status amongst Linux, BSD, and Mac OS X distributions, many computers are vulnerable to Shellshock; all unpatched Bash versions between 1.14 through 4.3 (i.e. all releases until now) are at risk.

How to check if my machine is at risk?
All you have to do is execute this code:

env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"

If your output is „Bash Test“, then you are safe and you can continue without any troubles. In the opposite case you have to be worried, because your input is „Bash is vulnerable!“ and your machine is not safe.

How do I become safe?
You should update your version of bash ASAP. You can do it easily by executing this command:

pkg upgrade bash

Attention:


Looks like the package is not yet available, so here is the manual procedure to build your own package from sources:

1. Be sure to upgrade your ports tree before trying to upgrade.

2. Move your shell to the ports directory and build:

cd /usr/ports/shells/bash
make BATCH=yes build

3. Replace the old bash with:

make BATCH=yes deinstall
make BATCH=yes reinstall

Now execute the test program again and you should be safe, because it will give you the correct output.

Sources:


  • 4 months later...
  • Former Staff
Quote

Linux® users are often surprised to find that Bash is not the default shell in FreeBSD. In fact, Bash is not included in the default installation. Instead, FreeBSD uses tcsh(1) as the default root shell, and the Bourne shell-compatible sh(1) as the default user shell. sh(1) is very similar to Bash but with a much smaller feature-set. Generally shell scripts written for sh(1) will run in Bash, but the reverse is not always true.

However, Bash and other shells are available for installation using the FreeBSD Packages and Ports Collection.

After installing another shell, use chsh(1) to change a user's default shell. It is recommended that the root user's default shell remain unchanged since shells which are not included in the base distribution are installed to /usr/local/bin. In the event of a problem, the file system where /usr/local/bin is located may not be mounted. In this case, root would not have access to its default shell, preventing root from logging in and fixing the problem.

"Linux® users are often surprised to find that Bash is not the default shell in FreeBSD. In fact, Bash is not included in the default installation."

 

Don't get me wrong, but FreeBSD is not at risk... Aside from that, thank you <3

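An added example, not part of either post: it applies the test command from the first post to every Bash binary on the machine instead of only the one found first in PATH, which matters on FreeBSD where, as the reply notes, Bash exists only if it was installed from packages or ports. The function names are this example's own, and it assumes installed shells are listed in /etc/shells.

```shell
#!/bin/sh
# Added example: apply the post's test to every installed Bash binary.

# Interpret stdout using the rule from the post.
classify_output() {
    case "$1" in
        *"Bash is vulnerable!"*) echo vulnerable ;;  # injected echo ran
        "Bash Test")             echo safe ;;        # only the real command ran
        *)                       echo unknown ;;     # failed to run / not Bash
    esac
}

# Run the post's test command against one binary ($1) in an empty
# environment. stderr is dropped because patched versions may print
# warnings about the rejected function definitions.
check_bash() {
    out=$(env -i 'VAR=() { :;}; echo Bash is vulnerable!' \
                 'FUNCTION()=() { :;}; echo Bash is vulnerable!' \
                 "$1" -c "echo Bash Test" 2>/dev/null) || true
    classify_output "$out"
}

# Candidates: every path ending in /bash in /etc/shells (assumed present),
# plus whatever "bash" resolves to in PATH.
list_bash_binaries() {
    {
        if [ -r /etc/shells ]; then grep -E '^/.*/bash$' /etc/shells || true; fi
        command -v bash || true
    } 2>/dev/null | sort -u
}

# Print one line per binary; return 1 if any of them is vulnerable.
scan_all() {
    rc=0
    for b in $(list_bash_binaries); do
        [ -x "$b" ] || continue
        result=$(check_bash "$b")
        echo "$b: $result"
        if [ "$result" = vulnerable ]; then rc=1; fi
    done
    return "$rc"
}

scan_all || echo "Upgrade the Bash binaries marked vulnerable." >&2
```

An empty listing means no Bash binary was found, which is the default FreeBSD situation described in the reply.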
