Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 30 Sep 2014 13:58:07 -0500
From:      Jason Hellenthal <jhellenthal@dataix.net>
To:        Jung-uk Kim <jkim@FreeBSD.org>
Cc:        freebsd-security <freebsd-security@freebsd.org>, Mike Tancsa <mike@sentex.net>, freebsd-ports <freebsd-ports@freebsd.org>, Bryan Drewery <bdrewery@FreeBSD.org>
Subject:   Re: bash velnerability
Message-ID:  <2366B611-36BB-4543-9EEA-4777CCC9D127@dataix.net>
In-Reply-To: <542AFC54.9010405@FreeBSD.org>
References:  <CAHFU5H5WOnAXuFmfQEGkTvwoECATTCC3eKYE3yts%2BBqh1M_8ww@mail.gmail.com>	<00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com>	<54243F0F.6070904@FreeBSD.org>	<54244982.8010002@FreeBSD.org>	<16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu>	<542596E3.3070707@FreeBSD.org> <CAHcXP%2Bdx2etYgQPNiAxk2P68Z-4j%2BbTvdMoHfz%2BxKsBDKh9Z9g@mail.gmail.com> <5425999A.3070405@FreeBSD.org> <5425A548.9090306@FreeBSD.org> <5425D427.8090309@FreeBSD.org> <54298266.1090201@sentex.net> <5429851B.8060500@FreeBSD.org> <542AFC54.9010405@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
echo "Testing Exploit 1 (CVE-2014-6271)"
CVE6271=3D"$(env x=3D'() { :;}; echo -n V' bash -c : 2>/dev/null)"
[ "${CVE7187}" =3D=3D "V" ] && echo "VULNERABLE" || echo "NOT =
VULNERABLE"

echo "Testing Exploit 2 (CVE-2014-7169)"
CVE7169=3D"$(env X=3D'() { (4lpi.com)=3D>\' bash -c "echo date" =
2>/dev/null; cat echo 2>/dev/null; rm -f echo)"
[ ! "${CVE7169}" =3D=3D "date" ] && echo "VULNERABLE" || echo "NOT =
VULNERABLE"

echo "Testing Exploit 3 (CVE-2014-6277)"
CVE6277=3D"$(env -i X=3D' () { }; echo -n V' bash -c :)"
[ "${CVE6277}" =3D=3D "V" ] && echo "VULNERABLE" || echo "NOT =
VULNERABLE"

echo "Testing Exploit 4 (CVE-2014-7186)"
CVE7186=3D"$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF =
<<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null ||echo -n V)"
[ "${CVE7186}" =3D=3D "V" ] && echo "VULNERABLE" || echo "NOT =
VULNERABLE"

echo "Testing Exploit 5 (CVE-2014-7187)"
CVE7187=3D"$((for x in {1..200}; do echo "for x$x in ; do :"; done; for =
x in {1..200}; do echo done; done) |bash 2>/dev/null ||echo -n V)"
[ "${CVE7187}" =3D=3D "V" ] && echo "VULNERABLE" || echo "NOT =
VULNERABLE=94

Good luck ;-)

On Sep 30, 2014, at 13:54, Jung-uk Kim <jkim@FreeBSD.org> wrote:

> On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
>> On 9/29/2014 11:01 AM, Mike Tancsa wrote:
>>> On 9/26/2014 5:01 PM, Bryan Drewery wrote:
>>>> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
>>>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>>>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>>>>>> Apparently, the full fix is still not delivered, accordingly to =
this:
>>>>>>> http://seclists.org/oss-sec/2014/q3/741
>>>>>>>=20
>>>>>>> Kind regards,
>>>>>>> Bartek Rutkowski
>>>>>>>=20
>>>>>>=20
>>>>>> I'm pretty sure they call that a "feature". This is a bit =
different.
>>>>=20
>>>> I've disabled environment function importing in the port. Using
>>>> --import-functions will allow it to work if you need it.
>>>=20
>>> Hi Bryan,
>>>    With the latest ports, bashcheck still sees some issues with =
bash.
>>> Are these false positives on FreeBSD ?
>>>=20
>>> Using
>>> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
>>>=20
>>> Not vulnerable to CVE-2014-6271 (original shellshock)
>>> Not vulnerable to CVE-2014-7169 (taviso bug)
>>> ./bashcheck: line 18: 54908 Segmentation fault      (core dumped) =
bash
>>> -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
>>> Vulnerable to CVE-2014-7186 (redir_stack bug)
>>> Test for CVE-2014-7187 not reliable without address sanitizer
>>> Variable function parser inactive, likely safe from unknown parser =
bugs
>>>=20
>>>    ---Mike
>>=20
>> Yes we have not applied the RedHat fix for CVE-2014-7186 or =
CVE-2014-7187.
>=20
> Applying the first patch for parse.y from the following post passed =
the
> tests for me.
>=20
> http://www.openwall.com/lists/oss-security/2014/09/25/32
>=20
> In fact, all major Linux distros seem to use it now.
>=20
> FYI,
>=20
> Jung-uk Kim
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to =
"freebsd-security-unsubscribe@freebsd.org"

--=20
 Jason Hellenthal
 Mobile: +1 (616) 953-0176
 jhellenthal@DataIX.net
 JJH48-ARIN

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2366B611-36BB-4543-9EEA-4777CCC9D127>