
Fix shellshock vulnerability for legacy systems

For distributions with current support, the Shellshock vulnerability is fixed simply by updating the bash package. If updates are no longer being released, solving the problem is harder. There are only two workable options: update bash some other way, or abandon bash in favour of another shell interpreter.



1. Installing the package from the Debian wheezy repository on Debian lenny.
Change /etc/apt/sources.list from

 deb http://ftp.debian.org/debian lenny main contrib
 deb http://security.debian.org/ lenny/updates main contrib

to

 deb http://archive.debian.org/debian lenny main
 deb http://archive.debian.org/debian-security lenny/updates main
 deb http://archive.debian.org/backports.org lenny-backports main
 deb http://ftp.debian.org/debian wheezy main contrib
 deb http://security.debian.org/ wheezy/updates main contrib


Make sure you do not have an /etc/apt/preferences file whose settings could interfere with installing from the wheezy repositories. Then add the key the wheezy packages are signed with, update the package database and install the bash-static package.

 # apt-key adv --recv-keys --keyserver pgp.mit.edu 8B48AD6246925553
 # apt-get update && apt-get install -y bash-static

Check that bash-static is installed and where /bin/sh currently points:

 # ls -la /bin/sh /bin/bash*
 -rwxr-xr-x 1 root root  700492  12 2008 /bin/bash
 -rwxr-xr-x 1 root root 1410128  10 2010 /bin/bash-static
 lrwxrwxrwx 1 root root       4   1 00:32 /bin/sh -> bash

Next, perform the following step carefully:

 # mv /bin/bash /bin/bash.old && ln -s bash-static /bin/bash 

The result of the check should look like this:

 # ls -la /bin/sh /bin/bash*
 lrwxrwxrwx 1 root root      11   1 00:51 /bin/bash -> bash-static
 -rwxr-xr-x 1 root root  700492  12 2008 /bin/bash.old
 -rwxr-xr-x 1 root root 1410128  10 2010 /bin/bash-static
 lrwxrwxrwx 1 root root       4   1 00:32 /bin/sh -> bash

Make sure the shell works before logging out of the system, for example by trying to log in from another console. If the shell assigned to the user (normally in /etc/passwd) is unavailable, you can lose the ability to access the system at all.
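The rename-and-symlink step above has no safety net: if the new binary does not run, the login shell in /etc/passwd is gone. The script below is an added example and not part of the original post. It wraps the same step in a function that backs up the target, points it at the replacement, runs the new shell once and rolls the change back if it fails. The function name swap_shell and its return codes are this example's own conventions; the paths /bin/bash and bash-static are the ones the page uses.

```shell
#!/bin/sh
# swap_shell TARGET NEWNAME
#   TARGET  : shell to replace, e.g. /bin/bash
#   NEWNAME : replacement in the same directory, e.g. bash-static
#             (the symlink is relative, as in the page's "ln -s bash-static /bin/bash")
# Steps: back up TARGET as TARGET.old, point TARGET at NEWNAME, run the new
# shell once. If it does not answer, the backup is restored.
# Return codes (this example's convention):
#   0 replaced and verified
#   1 replacement did not run and was rolled back
#   2 refused: bad arguments, or a TARGET.old backup already exists
swap_shell() {
    target="$1"
    newname="$2"
    if [ -z "$target" ] || [ -z "$newname" ]; then return 2; fi
    dir=$(dirname "$target")
    [ -e "$target" ] || return 2
    [ -x "$dir/$newname" ] || return 2
    # Never clobber a backup from an earlier run: it may be the only good copy.
    if [ -e "$target.old" ]; then return 2; fi
    mv "$target" "$target.old" || return 2
    if ! ln -s "$newname" "$target"; then
        mv "$target.old" "$target"
        return 2
    fi
    # Smoke test: the new shell must be able to run a trivial command.
    if [ "$("$target" -c 'echo ok' 2>/dev/null)" = "ok" ]; then
        return 0
    fi
    # Roll back so that the login shell configured in /etc/passwd keeps working.
    rm -f "$target"
    mv "$target.old" "$target"
    return 1
}

# Stand-alone usage: sh swap_shell.sh /bin/bash bash-static
if [ "$#" -eq 2 ]; then
    swap_shell "$1" "$2"
    case "$?" in
        0) echo "$1 now points to $2 and runs; old copy kept as $1.old" ;;
        1) echo "$2 did not run; $1 restored from backup" ;;
        *) echo "refused: check the arguments and whether $1.old already exists" ;;
    esac
fi
```

The smoke test only proves the binary starts and executes a command; still log in from a second console as the page says before closing the session you are working in, since the login path exercises more than `-c 'echo ok'` does.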

Once this is done, comment out the wheezy lines in /etc/apt/sources.list:

 #deb http://ftp.debian.org/debian wheezy main contrib
 #deb http://security.debian.org/ wheezy/updates main contrib


2. Other distributions.

For other distributions, you can try the static bash build from Debian wheezy or the build at ftp.ssnab.net/pub/bash (built as described in section 3).

Download the Debian package from packages.debian.org/wheezy/bash-static:

 # wget http://security.debian.org/debian-security/pool/updates/main/b/bash/bash-static_4.2+dfsg-0.1+deb7u3_i386.deb 

The file is unpacked either with the dpkg utility (relevant for older Ubuntu versions) or with the ar archiver, which is part of the binutils package.

 # mkdir tmp
 # dpkg -x bash-static_4.1-3_i386.deb tmp/

or

 # ar x bash-static_4.1-3_i386.deb 

Be sure to save the old version of bash as /bin/bash.old before putting the downloaded binary in place.

3. Building bash yourself

This may be necessary if you have an old kernel and the bash from wheezy fails with complaints about a missing system call, if a different operating system is in use, or when you need a build with particular options.

Bash sources are distributed in a somewhat awkward way: there is an archive for a given release (4.3 in our case) and a separate directory of patches for bugs found after that release, up to the current patch level. Download both and apply the patches yourself. On Debian lenny this looks as follows.

Install the packages needed for compilation. You may need to configure the archive repository for this, as with lenny in section 1.

 # apt-get install libc-dev gcc automake autoconf make patch 

For CentOS the equivalent is:

 # yum install glibc-devel glibc-static make automake autoconf patch 


 # cd /usr/src
 # wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
 # tar xzf bash-4.3.tar.gz
 # cd bash-4.3
 # wget -cr --reject 'index.*' --reject '*.sig' -l1 http://ftp.gnu.org/gnu/bash/bash-4.3-patches/
 # find ftp.gnu.org/gnu/bash/bash-4.3-patches/ -type f | sort -u | xargs -l1 -I % cat % | patch -p0

To avoid the "multiple definition of `free`" error, use the --without-bash-malloc option.

 # ./configure --enable-static-link --without-bash-malloc --enable-job-control --enable-history
 # make
 # strip bash

Copy the resulting bash to /bin and use it in place of the system bash following the scheme described earlier:

 # cp bash /bin/bash.new && mv /bin/bash /bin/bash.old && ln -s bash.new /bin/bash 

Binary files compiled this way on pure Debian 5 and CentOS 5 can be downloaded here: ftp.ssnab.net/pub/bash

4. If you cannot build bash yourself or take it from another distribution, you can still abandon bash and use another shell interpreter, for example /bin/dash. Rename /bin/bash to /bin/bash.vulnerable and create a symbolic link /bin/bash pointing to the alternative interpreter.

There is some risk in this: scripts containing bashisms (code specific to bash) will stop working. If these turn out to be startup or other important system scripts, the system can malfunction. For such scripts, if you are sure they will never be called in a hostile environment, you can explicitly specify the original bash at the top of the file: #!/bin/bash.vulnerable
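Whichever of the four routes you take, the last step is to confirm that what is now installed as /bin/bash no longer executes text appended to an exported function definition, and that the saved copy really was the affected one. The script below is an added example, not from the original post: shellshock_check runs the standard harmless probe (an environment variable holding a function body followed by an echo) against a given binary and reports whether it is patched, vulnerable or not runnable. The function names and return codes are this example's own conventions; the default paths are the ones the page works with.

```shell
#!/bin/sh
# shellshock_check BINARY
# Runs BINARY with an environment variable whose value is a function body
# followed by a trailing command. A vulnerable bash evaluates the trailing
# command while importing the function; a patched bash, and any other shell
# such as dash, treats the variable as plain data.
# Return codes (this example's convention):
#   0 patched: only the probe command's own output appeared
#   1 vulnerable: the trailing command ran
#   2 BINARY could not be run or produced unexpected output
shellshock_check() {
    binary=$(command -v "$1" 2>/dev/null) || return 2
    out=$(env x='() { :;}; echo INJECTED' "$binary" -c 'echo probe' 2>/dev/null) || return 2
    case "$out" in
        *INJECTED*) return 1 ;;
        probe)      return 0 ;;
        *)          return 2 ;;
    esac
}

# Human-readable wrapper used by the stand-alone run below.
report() {
    shellshock_check "$1"
    case "$?" in
        0) echo "$1: patched" ;;
        1) echo "$1: VULNERABLE, replace it before going further" ;;
        *) echo "$1: not runnable or gave unexpected output" ;;
    esac
}

# Stand-alone usage: pass binaries as arguments, or check the paths the page
# works with. On a system that needed this procedure, /bin/bash.old (the saved
# copy) is expected to report vulnerable and /bin/bash to report patched.
if [ "$#" -gt 0 ]; then
    for b in "$@"; do report "$b"; done
else
    for b in /bin/bash /bin/bash-static /bin/bash.old /bin/sh; do
        if [ -e "$b" ]; then report "$b"; fi
    done
fi
```

Run it as root after the swap and again after the next reboot, since option 4 in particular depends on which interpreter /bin/sh resolves to at boot.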

Update: added the key acquisition procedure for wheezy.

Source: https://habr.com/ru/post/238903/

