Fixing Shellshock – the bash vulnerability – how to fix it

I manage several different servers with different versions of Linux, FreeBSD, OS X and Cygwin.

The test for the Shellshock vulnerability (run from a command prompt, over ssh or telnet):
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
showed that all but one of them were vulnerable.

On most of them, simply updating bash did the trick.

But on an old FreeBSD (6.4) server, I had to download the latest bash sources, apply all the patches, and compile it from scratch. Here are the various steps I took.


cd
mkdir tmp
cd tmp
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
tar xzvf bash-4.3.tar.gz

At this point I have the latest bash-4.3 source ready to build, but it still contains the vulnerability; we have to patch it.

wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-001
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-002
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-003
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-004
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-005
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-006
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-007
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-008
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-009
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-010
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-011
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-012
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-013
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-014
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-015
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-016
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-017
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-018
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-019
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-020
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-021
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-022
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-023
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-024
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025
cd bash-4.3
patch -p0 < ../bash43-001
patch -p0 < ../bash43-002
patch -p0 < ../bash43-003
patch -p0 < ../bash43-004
patch -p0 < ../bash43-005
patch -p0 < ../bash43-006
patch -p0 < ../bash43-007
patch -p0 < ../bash43-008
patch -p0 < ../bash43-009
patch -p0 < ../bash43-010
patch -p0 < ../bash43-011
patch -p0 < ../bash43-012
patch -p0 < ../bash43-013
patch -p0 < ../bash43-014
patch -p0 < ../bash43-015
patch -p0 < ../bash43-016
patch -p0 < ../bash43-017
patch -p0 < ../bash43-018
patch -p0 < ../bash43-019
patch -p0 < ../bash43-020
patch -p0 < ../bash43-021
patch -p0 < ../bash43-022
patch -p0 < ../bash43-023
patch -p0 < ../bash43-024
patch -p0 < ../bash43-025

The patches must be applied in numerical order, and every one of them has to apply cleanly (the wget list above includes bash43-022, which the patch step needs). The code is now patched, so we can configure, build and install it.


./configure
make
sudo make install

Now you should be able to start a new bash shell and run the vulnerability check again; this time it should print only "this is a test", without the word "vulnerable". Note that make install puts the new binary under /usr/local (the configure default), so check with `which bash` that the shell you are testing is the newly built one and not the old copy earlier in your PATH.

bash
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
