Skip to content

Instantly share code, notes, and snippets.

@mattwhite
Last active August 29, 2015 14:06
Show Gist options
  • Save mattwhite/86de50d30134129e44ef to your computer and use it in GitHub Desktop.
Save mattwhite/86de50d30134129e44ef to your computer and use it in GitHub Desktop.
Compile Bash 3.2 from source for Debian Lenny to patch the shellshock vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, CVE-2014-7187)
# inspired by http://askubuntu.com/a/528171 and the comments below
# build bash 3.2, though this should work for other versions as well
BASH_MAJOR=3
BASH_MINOR=2
# prerequisites
sudo apt-get install build-essential gettext bison
# get bash source
mkdir src && cd src
wget https://ftp.gnu.org/gnu/bash/bash-$BASH_MAJOR.$BASH_MINOR.tar.gz
tar zxvf bash-$BASH_MAJOR.$BASH_MINOR.tar.gz
cd bash-$BASH_MAJOR.$BASH_MINOR
# download, verify, and apply all available patches, which as of 2014-10-02
# include patches for CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278
# CVE-2014-7186, and CVE-2014-7187.
wget -nv -r 1 -nH -nd -np https://ftp.gnu.org/gnu/bash/bash-$BASH_MAJOR.$BASH_MINOR-patches/
wget -nv https://ftp.gnu.org/gnu/gnu-keyring.gpg
for i in bash$BASH_MAJOR$BASH_MINOR-???; do
if gpg --verify --keyring ./gnu-keyring.gpg $i.sig; then
if ! patch -p0 < $i; then
echo "patch $i failed"
exit 1
fi
else
echo "patch $i has a bad signature"
exit 2
fi
done
# compile and install to /usr/local/bin/bash
./configure && make
sudo make install
# point /bin/bash to the new binary
if /usr/local/bin/bash -c 'true'; then
if [ ! -f /bin/bash.old ]; then
sudo mv /bin/bash /bin/bash.old
sudo ln -s /usr/local/bin/bash /bin/bash
fi
else
echo "bash not installed correctly!"
exit 3
fi
# test each of the exploits on the old version of bash
echo "OLD BASH:"
env x='() { :;}; echo VULNERABLE to CVE-2014-6271' /bin/bash.old -c echo
env x='() { (a)=>\' /bin/bash.old -c "echo echo TEST" 2>/dev/null; cat echo 2>/dev/null; rm -f ./echo; echo "If you see 'echo TEST' above you are ok, if you just see 'TEST' you are VULNERABLE to CVE-2014-7169"
/bin/bash.old -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "VULNERABLE to CVE-2014-7186"
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | /bin/bash.old || echo "VULNERABLE to CVE-2014-7187"
# test each of the exploits on the new version of bash
echo "NEW BASH:"
env x='() { :;}; echo Vulnerable to CVE-2014-6271' bash -c echo
env x='() { (a)=>\' bash -c "echo echo TEST" 2>/dev/null; cat echo 2>/dev/null; rm -f ./echo; echo "If you see 'echo TEST' above you are ok, if you just see 'TEST' you are VULNERABLE to CVE-2014-7169"
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "VULNERABLE to CVE-2014-7186"
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "VULNERABLE to CVE-2014-7187"
echo "NOTE: CVE-2014-6277 and CVE-2014-6278 should be mitigated by these patches as well, but there is not yet a test for them."
@J-Damian
Copy link

Hi

I signed in here to comment THIS IMPORTANT ISSUE in your script (and forks as TonyFlint's).

The problem is the method to replace the vulnerable bash: a symbolic link to the patched bash. In my Debian 5 Lenny nodes, the /usr/local resides on A SEPARATE file system from the ROOT FILE SYSTEM, therefore /bin and /usr/local/bin reside on differente devices.

This causes an unbootable system because, in that case, the /bin/bash is not available to execute the scripts /etc/init.d/rcS, /etc/init.d/rc.

Therefore, instead of create a symbolic link, copy the patched binary bash into /bin.

Best regards

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment