UPWORK/ODESK guru: Tips and Tricks for clients

skype: upwork.link , email: info@upwork.link

Bash: CVE-2014-6271 CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 CVE-2014-6277

without comments

Test of problems with CVE-2014-7186 и CVE-2014-7187:

   bash -c "true $(printf '</dev/null
   if [ $? != 0 ]; then
      echo -e "Vulnerable to CVE-2014-7186"
   fi

   bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null
   if [ $? != 0 ]; then
      echo -e "Vulnerable to CVE-2014-7187"
   fi

Test script for shellshocker and related vulnerabilities.(https://github.com/hannob/bashcheck)
The Bash vulnerability that is now known as shellshock had an incomplete fix at first. There are currently 4 public and one supposedly non-public vulnerability.

CVE-2014-6271 The original vulnerability.
ttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

CVE-2014-7169
Further parser error, found by Tavis Ormandy (taviso)
ttps://twitter.com/taviso/status/514887394294652929
ttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

CVE-2014-7186
Out of bound memory read error in redir_stack.
ttp://seclists.org/oss-sec/2014/q3/712
ttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186

CVE-2014-7187
Off-by-one error in nested loops. (check only works when Bash is built with -fsanitize=address)
ttp://seclists.org/oss-sec/2014/q3/712
ttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187

CVE-2014-6277
Not yet published parser bug by Michal Zalewski (lcamtuf).
ttp://lcamtuf.blogspot.de/2014/09/bash-bug-apply-unofficial-patch-now.html
ttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277

Last (2014-10-22):


#!/bin/bash

warn() {
	if [ "$scary" == "1" ]; then
		echo -e "\033[91mVulnerable to $1\033[39m"
	else
		echo -e "\033[93mFound non-exploitable $1\033[39m"
	fi
}

good() {
	echo -e "\033[92mNot vulnerable to $1\033[39m"
}

tmpdir=`mktemp -d -t tmp.XXXXXXXX`

[ -n "$1" ] && bash=$(which $1) || bash=$(which bash)
echo -e "\033[95mTesting $bash ..."
$bash -c 'echo "Bash version $BASH_VERSION"'
echo -e "\033[39m"

#r=`a="() { echo x;}" $bash -c a 2>/dev/null`
if [ -n "$(env 'a'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[91mVariable function parser active, maybe vulnerable to unknown parser bugs\033[39m"
	scary=1
elif [ -n "$(env 'BASH_FUNC_a%%'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [%%, upstream], bugs not exploitable\033[39m"
	scary=0
elif [ -n "$(env 'BASH_FUNC_a()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [(), redhat], bugs not exploitable\033[39m"
	scary=0
elif [ -n "$(env '__BASH_FUNC()'="() { echo x;}" $bash -c a 2>/dev/null)" ]; then
	echo -e "\033[92mVariable function parser pre/suffixed [__BASH_FUNC<..>(), apple], bugs not exploitable\033[39m"
	scary=0
else
	echo -e "\033[92mVariable function parser inactive, bugs not exploitable\033[39m"
	scary=0
fi


r=`env x="() { :; }; echo x" $bash -c "" 2>/dev/null`
if [ -n "$r" ]; then
	warn "CVE-2014-6271 (original shellshock)"
else
	good "CVE-2014-6271 (original shellshock)"
fi

pushd $tmpdir > /dev/null
env x='() { function a a>\' $bash -c echo 2>/dev/null > /dev/null
if [ -e echo ]; then
	warn "CVE-2014-7169 (taviso bug)"
else
	good "CVE-2014-7169 (taviso bug)"
fi
popd > /dev/null

$($bash -c "true $(printf '<$tmpdir/bashcheck.tmp)
ret=$?
grep AddressSanitizer $tmpdir/bashcheck.tmp > /dev/null
if [ $? == 0 ] || [ $ret == 139 ]; then
	warn "CVE-2014-7186 (redir_stack bug)"
else
	good "CVE-2014-7186 (redir_stack bug)"
fi


$bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null
if [ $? != 0 ]; then
	warn "CVE-2014-7187 (nested loops off by one)"
else
	echo -e "\033[96mTest for CVE-2014-7187 not reliable without address sanitizer\033[39m"
fi

$($bash -c "f(){ x(){ _;};x(){ _;}</dev/null)
if [ $? != 0 ]; then
	warn "CVE-2014-6277 (lcamtuf bug #1)"
else
	good "CVE-2014-6277 (lcamtuf bug #1)"
fi

if [ -n "$(env x='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
elif [ -n "$(env BASH_FUNC_x%%='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
elif [ -n "$(env 'BASH_FUNC_x()'='() { _;}>_[$($())] { echo x;}' $bash -c : 2>/dev/null)" ]; then
	warn "CVE-2014-6278 (lcamtuf bug #2)"
else
	good "CVE-2014-6278 (lcamtuf bug #2)"
fi

rm -rf $tmpdir

Leave a Reply

*