metin2dev
Chyu ^^

bsd [FIX]Shellshock Bash Vulnerability


Hi devs,
I'm not a person who discovered this issue but I would like to share this with you.

According to source:
On September 24, 2014, a GNU Bash vulnerability, referred to as Shellshock or the "Bash Bug", was disclosed. In short, the vulnerability allows remote attackers to execute arbitrary code given certain conditions, by passing strings of code following environment variable assignments. Because of Bash's ubiquitous status amongst Linux, BSD, and Mac OS X distributions, many computers are vulnerable to Shellshock; all unpatched Bash versions between 1.14 through 4.3 (i.e. all releases until now) are at risk.

How do I check if my machine is at risk?
All you have to do is execute this code:

env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"

If your output is „Bash Test“, then you are safe and you can continue without any trouble. In the opposite case you have to be worried, because your input is „Bash is vulnerable!“ and your machine is not safe.

How do I become safe?
You should update your version of bash ASAP. You can do it easily by executing this command:

pkg upgrade bash

Attention:


Looks like the package is not yet available, so here is the manual procedure to build your own package from sources:

1, Be sure to upgrade your ports tree before trying to upgrade.

2, Move your shell to the ports directory and build


cd /usr/ports/shells/bash
make BATCH=yes build

3, Replace the old bash with


make BATCH=yes deinstall
make BATCH=yes reinstall

Now execute the test program again and you should be safe, because it will give you the correct output.

Sources:

Quote

Linux® users are often surprised to find that Bash is not the default shell in FreeBSD. In fact, Bash is not included in the default installation. Instead, FreeBSD uses tcsh(1) as the default root shell, and the Bourne shell-compatible sh(1) as the default user shell. sh(1) is very similar to Bash but with a much smaller feature-set. Generally shell scripts written for sh(1) will run in Bash, but the reverse is not always true.

However, Bash and other shells are available for installation using the FreeBSD Packages and Ports Collection.

After installing another shell, use chsh(1) to change a user's default shell. It is recommended that the root user's default shell remain unchanged since shells which are not included in the base distribution are installed to /usr/local/bin. In the event of a problem, the file system where /usr/local/bin is located may not be mounted. In this case, root would not have access to its default shell, preventing root from logging in and fixing the problem.

"Linux® users are often surprised to find that Bash is not the default shell in FreeBSD. In fact, Bash is not included in the default installation."

 

don't get me wrong but FreeBSD is not at risk .. aside from that Thank you <3 
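
Added example, not part of either post above: the check from the first post, run against every bash binary on the host instead of only the one first in PATH, which matters given the reply's point that on FreeBSD bash is an optional package under /usr/local/bin. The function names and the list of candidate paths are assumptions.

```shell
#!/bin/sh
# Added example: run the thread's Shellshock check against every bash binary
# on this host. Function names and candidate paths are assumptions.

# classify_output: a vulnerable bash prints the marker line before
# "Bash Test"; a patched one prints only "Bash Test". Anything else
# means the check did not run.
classify_output() {
    case "$1" in
        *"Bash is vulnerable!"*) echo vulnerable ;;
        *"Bash Test"*)           echo safe ;;
        *)                       echo unknown ;;
    esac
}

# probe_bash: run the command from the first post against one binary.
probe_bash() {
    [ -x "$1" ] || { echo missing; return 0; }
    out=$(env 'VAR=() { :;}; echo Bash is vulnerable!' \
              'FUNCTION()=() { :;}; echo Bash is vulnerable!' \
              "$1" -c "echo Bash Test" 2>/dev/null) || out=
    classify_output "$out"
}

# list_bash_binaries: bash in PATH, the usual locations, and /etc/shells.
list_bash_binaries() {
    {
        command -v bash
        printf '%s\n' /bin/bash /usr/bin/bash /usr/local/bin/bash
        [ -r /etc/shells ] && grep -E '^/.*/bash$' /etc/shells
    } 2>/dev/null | sort -u
}

# scan_host: print "<path> <verdict>" per binary; status 1 if any is vulnerable.
scan_host() {
    rc=0
    for b in $(list_bash_binaries); do
        v=$(probe_bash "$b")
        [ "$v" = missing ] && continue
        echo "$b $v"
        [ "$v" = vulnerable ] && rc=1
    done
    return $rc
}

scan_host || echo "at least one bash binary needs patching"
```

A binary reported as `vulnerable` is one that CGI handlers, scripts with a `#!` bash line, or a user's login shell may still invoke, even when `sh` and `tcsh` are the system defaults.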
