2

I have patched my system however CVE-2014-7169 claims that the fix for 6271 was incomplete. Sure enough if I run the command below:

env X='() { (a)=>\' sh -c "echo date"; cat echo

It appears that function parsing is still executing code as I do not get an error like I am supposed to. So if 6271 allowed an attacker to execute arbitrary commands at will, does this mean that after being patched you are still vulnerable per 7169 but not to the same extent? If so, does this mean an attacker can still exploit the bug but running arbitrary commands is no longer an option? How much more "secure" is this? Can someone provide an example?

rink.attendant.6
  • 2,227
  • 4
  • 22
  • 33
user53029
  • 2,657
  • 5
  • 24
  • 35

1 Answers1

1

They're the same vulnerability. CVE-2014-7169 was simply a bug found in the original patch for CVE-2014-6271 or "shell shock".

CVE-2014-7169 allows us to side-step the patch released for BASH that was rolled out alongside the original bug disclosure for CVE-2014-6271.

To test if your system is still vulnerable after applying the patch for CVE-2014-6271, simply type:

$ cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

If you can still pass characters from your environment variables into other environments, your version of BASH is vulnerable. If so, you should see the date appear on your screen, and a file called "echo" will be created in your /tmp/ directory.

To update BASH type the following, depending on your Linux distro:

yum update bash

or

apt-get update bash
theCowardlyFrench
  • 381
  • 2
  • 6
  • 1
    There's also a [seclists.org post](http://seclists.org/oss-sec/2014/q3/741) which indicates CVE-2014-7169 might still not be the end of it. – Iszi Sep 26 '14 at 18:16
  • @theCowardlyFrench - saying that the 2 are one in the same and/or better yet, saying that patching 6271 but leaving 7169 unpatched allows an attacker to perform the same exploits is conflicting with other information I have come across. See this thread - http://security.stackexchange.com/questions/68168/is-there-a-short-command-to-test-if-my-server-is-secure-against-the-shellshock-b. I have heard things like - A 6271 patched system is still vulnerable but only allows internal shell commands to be executed. Or things like 7169 cant be exploited remotely. Some clarification would be nice :) – user53029 Sep 26 '14 at 19:34