CVE-2014-6277 is still vulnerable after fixbash #40

Closed
theonlydoo opened this issue Oct 5, 2014 · 29 comments

@theonlydoo

Hello!
This one liner sums it up:

 apt-get install make curl gcc patch; curl https://shellshocker.net/shellshock_test.sh | bash || curl https://shellshocker.net/fixbash | sh ; curl https://shellshocker.net/shellshock_test.sh | bash

Outputs, at the end:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2533  100  2533    0     0   5754      0 --:--:-- --:--:-- --:--:--  5932
CVE-2014-6271 (original shellshock): not vulnerable
bash : ligne 16 :  2683 Erreur de segmentation  bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable

Even if compilation is successful, sometimes it's on very similar hosts.
Any idea of a workaround/bugfix?

@theonlydoo
Author

The error seems to come from the cp /bin/bash /usr/local/bin/bash; when I force it, it fully overwrites the bash binary and the CVE is fixed.
The command outputs an error: Text file busy
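
The diagnosis in the comment above is that the copy step failed with "Text file busy", so the binary being tested was never replaced. The following sketch is an added example (not part of the thread and not taken from the shellshocker.net scripts): it runs the CVE-2014-6277 probe shown in the test output against each candidate bash path separately, and replaces a binary by rename instead of overwriting it in place. The function names and the candidate path list are assumptions.

```shell
#!/bin/sh
# Added example; function names and candidate paths are assumptions.

# The CVE-2014-6277 probe exactly as it appears in the test output in this thread.
PROBE='f() { x() { _;}; x() { _;} <<a; }'

# probe_6277 BASH_PATH
# Returns 0 if the binary survives the probe, 1 if it dies from a signal
# (exit status above 128; a segfault is 139), 2 if it cannot be run or the
# result is otherwise inconclusive.
probe_6277() {
    [ -x "$1" ] || return 2
    "$1" -c "$PROBE" >/dev/null 2>&1 && return 0
    status=$?
    [ "$status" -gt 128 ] && return 1
    return 2
}

# scan_bashes PATH...
# Prints one verdict line per existing path, so a patched /usr/local/bin/bash
# cannot mask an unpatched /bin/bash (or the other way round).
scan_bashes() {
    for b in "$@"; do
        [ -e "$b" ] || continue
        rc=0; probe_6277 "$b" || rc=$?
        case $rc in
            0) v='not vulnerable' ;;
            1) v='VULNERABLE' ;;
            *) v='inconclusive' ;;
        esac
        printf '%s: %s\n' "$b" "$v"
    done
}

# replace_binary SRC DST
# Stages SRC next to DST and renames it into place. rename(2) swaps the
# directory entry and never opens the running binary for writing, which is
# the operation that fails with "Text file busy".
replace_binary() {
    tmp="$2.new.$$"
    cp -p "$1" "$tmp" && mv -f "$tmp" "$2" || { rm -f "$tmp"; return 1; }
}

scan_bashes /bin/bash /usr/local/bin/bash
```

Shells that are already running keep the old binary mapped until they exit, so re-run the scan from a fresh login after replacing.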

@theonlydoo
Author

It also seems that, on some distros, you need to have some components of build-essential, in addition to gcc, patch, make, curl.

@ciryon02

ciryon02 commented Oct 5, 2014

Hello, I'm on Ubuntu 14.04 64 bits and still have the issue.
yann@yann-desktop:~$ curl https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2533 100 2533 0 0 4782 0 --:--:-- --:--:-- --:--:-- 4779
CVE-2014-6271 (original shellshock): not vulnerable
bash : ligne 16 : 15317 Erreur de segmentation (core dumped) bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
yann@yann-desktop:~$

@theonlydoo
Author

If you run the cp /bin/bash /usr/local/bin/bash by yourself, do you still have the vulnerability after that?

@ciryon02

ciryon02 commented Oct 6, 2014

yann@yann-desktop:~$ cp /bin/bash /usr/local/bin/bash
cp: impossible de créer le fichier standard «/usr/local/bin/bash»: Permission non accordée

@theonlydoo
Author

You can try with sudo cp ...

@ciryon02

ciryon02 commented Oct 6, 2014

OK, with sudo: nothing appears after the command:
yann@yann-desktop:~$ sudo cp /bin/bash /usr/local/bin/bash
[sudo] password for yann:
yann@yann-desktop:~$

@theonlydoo
Author

Redo the tests.

@ciryon02

ciryon02 commented Oct 6, 2014

yann@yann-desktop:~$ curl https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2533 100 2533 0 0 4449 0 --:--:-- --:--:-- --:--:-- 4451
CVE-2014-6271 (original shellshock): not vulnerable
bash : ligne 16 : 2858 Erreur de segmentation (core dumped) bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
yann@yann-desktop:~$

@theonlydoo
Author

Did you install build-essential? You should read the logs during compilation, or do it by hand by reading the script and reproducing the steps in it.

@ciryon02

ciryon02 commented Oct 6, 2014

What is build-essential? (I am not a pro Linux user, by the way; I know a little command line but I've never compiled anything.)

@theonlydoo
Author

You must start somewhere heh :)
sudo apt-get install build-essential

@ciryon02

ciryon02 commented Oct 6, 2014

I've installed it; what does this program do?

@theonlydoo
Author

It provides the tools to build your bash. Try to start fixbash again with sudo.

@ciryon02

ciryon02 commented Oct 6, 2014

yann@yann-desktop:~$ sudo fixbash
[sudo] password for yann:
sudo: fixbash: command not found
yann@yann-desktop:~$

@theonlydoo
Author

lol I guess you're really new at using Linux :-)
curl https://shellshocker.net/fixbash | sudo sh

@ciryon02

ciryon02 commented Oct 6, 2014

I have used Ubuntu for a few years, but have only used basic command-line commands so far.
yann@yann-desktop:~$ curl https://shellshocker.net/fixbash | sudo sh
[sudo] password for yann: % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3562 100 3562 0 0 5540 0 --:--:-- --:--:-- --:--:-- 5539

@theonlydoo
Author

And now you can try to test your bash again.

@ciryon02

ciryon02 commented Oct 6, 2014

yann@yann-desktop:~$ curl https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2533 100 2533 0 0 4376 0 --:--:-- --:--:-- --:--:-- 4382
CVE-2014-6271 (original shellshock): not vulnerable
bash : ligne 16 : 7592 Erreur de segmentation (core dumped) bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
yann@yann-desktop:~$

@theonlydoo
Author

with make patch gcc and build-essential installed ?

@ciryon02

ciryon02 commented Oct 7, 2014

I didn't do "make patch gcc"; this was not indicated in your previous answers. If I do it, I get:
yann@yann-desktop:~$ make patch gcc
make: *** Pas de règle pour fabriquer la cible « patch ». Arrêt.
yann@yann-desktop:~$

@mhensler
Contributor

mhensler commented Oct 7, 2014

@ciryon02, that should have been a list "with make, patch, gcc, and build-essential installed" not a command to run. @theonlydoo was just asking you to confirm that the listed tools had all been installed.

@ciryon02

ciryon02 commented Oct 7, 2014

I've just installed build essential.

@theonlydoo
Author

@ciryon02 you need to install patch make gcc build-essential; then you need to run the fixbash command line from shellshocker.net again. If you have another problem around the compilation, you'll need to wait for the next merge.

@ciryon02

ciryon02 commented Oct 8, 2014

What do you mean by "install patch make gcc build-essential"? gcc, make and build-essential are already installed.
yann@yann-desktop:~$ sudo apt-get install patch make gcc build-essential
[sudo] password for yann:
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
build-essential est déjà la plus récente version disponible.
gcc est déjà la plus récente version disponible.
make est déjà la plus récente version disponible.
patch est déjà la plus récente version disponible.
0 mis à jour, 0 nouvellement installés, 0 à enlever et 1 non mis à jour.
yann@yann-desktop:~$

I've also retyped the shellshocker command line:
yann@yann-desktop:~$ curl https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2533 100 2533 0 0 3666 0 --:--:-- --:--:-- --:--:-- 3671
CVE-2014-6271 (original shellshock): not vulnerable
bash : ligne 16 : 8148 Erreur de segmentation (core dumped) bash -c "f() { x() { _;}; x() { _;} <<a; }" 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
yann@yann-desktop:~$

@theonlydoo
Author

Did you try to curl the fixbash script again?
curl https://shellshocker.net/fixbash | sh
Please try to use markdown so your pastes are a bit more readable ...
https://guides.github.com/features/mastering-markdown/

@ciryon02

ciryon02 commented Oct 8, 2014

@theonlydoo Hello, I didn't know about markdown; I know about bbcode for phpBB forums but didn't know the "equivalent" here.
So I ran the script and I am not vulnerable anymore; I just hope that the official Ubuntu update (when it is available) does not break anything.

yann@yann-desktop:~$ curl https://shellshocker.net/shellshock_test.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2533 100 2533 0 0 4496 0 --:--:-- --:--:-- --:--:-- 4499
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
yann@yann-desktop:~$

PS: I used the addr markdown for the code part but it does not seem to be different.

@theonlydoo
Author

It won't break anything; you'll just have to run make clean and install the new package :)

@ciryon02

ciryon02 commented Oct 8, 2014

oki doki 👍
