CVE-2014-6271 ShellShock Bash Exploit

(Andrew Nagy) #63

It’s instant. No reboot required.

(TheJames) #64

This is the root of the exploit. Bash executes enviroment variables when called. If bash was run out of memory then this wouldn’t be a problem because environment would be toast on reboot.


Isn’t bash loaded into memory?

(TheJames) #66

It’s not that simple…

If you are at a prompt yes that is in memory. If another task starts it launches a new instance it doesn’t use your loaded instance. ENV links the instances… So anything new that is run will have the new bash. Yes the session you are in will have the bash that was launched but if you launch, it will fork in to a new instance of bash.

This is demonstrated in another little toy

 : ( ) {   : | : &   } ; :

I added a whole bunch of little spaces for safety… DON’T RUN IT.

This is a cool little 1 liner that forks bash over and over very rapidly until your server poops it self (3-5 seconds). This is because bash forks.

(Andrew Nagy) #67

Tagging onto what @jfinstrom said. The same concept works with FreePBX. When you install “framework” it overwrites the files that you have loaded. When you navigate beyond the install page a “new” instance is created and you’ll see the new changes.

(Intechtel) #68

I ran the check on one of my systems and it came back clean, but I went ahead and upgraded to 12 anyhow. Afetr upgrading i re-ran the check and I get this warning about the UCP module being tampered.

WARNING: Module ucp has issues. Run script again with that module name as the param

I followed the instructions, re-ran the check again, same issue. Is it even possible that the module was tampered with from the repo?