Issue #1041

BASH (aka shellshock) vulnerability - CVE-2014-[6271/6277/6278/7169/7186/7187]

Added by My Self almost 6 years ago. Updated almost 6 years ago.

Status: Closed
Priority: High
Category: Security
Target version:
Start date: 11/06/2014
Due date:
% Done: 0%
Estimated time:
Resolution: fixed
Device:
Grant:

#1

Updated by Denis 'GNUtoo' Carikli almost 6 years ago

Hi,

There is a utility in F-Droid to check for the vulnerability.
If you use it, it'll tell you that we're affected.

Do you know what does or can use bash in Replicant or F-Droid?

I guess busybox or toolbox's shells are the ones that are used by default by almost everything.

Denis.

#2

Updated by Denis 'GNUtoo' Carikli almost 6 years ago

  • Category changed from 51 to Security

#3

Updated by My Self almost 6 years ago

You mean this tool for sure: https://f-droid.org/repository/browse/?fdfilter=shellshock&fdid=in.indiandragon.shellshock.shellshockvulnerabilityscan
The problem with this tool is:
- that it checks one single vulnerability (CVE-2014-6271) (http://blog.indiandragon.in/2014/10/shellshock-vulnerability-in-android.html) and
- after I manually (and temporarily) switched to the patched BASH over the CWM flashable zip file:
https://dl.dropboxusercontent.com/s/zbed1om7hgb5iqb/Bash-signed.zip?dl=0
Source: http://forum.xda-developers.com/android/software-hacking/dev-lastest-bash-android-t2898295
this tool still says that I'm vulnerable with my new BASH version.

The last point is strange, because I've manually tested the Replicant built-in BASH with that (CVE-2014-6271) exploit over the Terminal Emulator app:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
which was vulnerable, and after the replacement with the patched BASH, I definitely verified that I'm not vulnerable to this exploit anymore (with exactly the same test, of course)...
Source & exploits for the other CVEs: https://shellshocker.net/

#4

Updated by Paul Kocialkowski almost 6 years ago

The commits from CyanogenMod cannot be fetched (even though they show up on the github website), please provide commits I can include directly in Replicant.

I don't like the idea of updating component versions, it makes things hard to maintain, so I prefer to backport patches (i.e. I want updates to be only security-related, not feature-related). If there is no other way, I will consider bumping the version, but please try to find a way for me to integrate those patches in the current code.

#6

Updated by Paul Kocialkowski almost 6 years ago

  • Status changed from New to Closed
  • Resolution set to fixed

Everything pushed to the repositories, will be part of the next batch of images.

#7

Updated by Paul Kocialkowski almost 6 years ago

Note that the application still says that it is vulnerable, but it may just be checking the bash version, which didn't change since I just backported the patches.

I tried with the script from: https://shellshocker.net/

Results on the 0002 images:

CVE-2014-6271 (original shellshock): VULNERABLE
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): VULNERABLE
bash: line 39: cd: /tmp: No such file or directory
CVE-2014-7169 (taviso bug): VULNERABLE
bash: line 50:  4872 Segmentation fault      bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable

Results with the current repositories:

CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
bash: line 39: cd: /tmp: No such file or directory
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
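
Comment #7 suggests the scanner app may only be looking at the bash version, which does not change when fixes are backported. The script below is an added example (not from this thread or from Replicant) that prints the version string next to a behavioural probe built on the CVE-2014-6271 test quoted in comment #3; it covers only that one CVE, and the function names and marker value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: behavioural check for CVE-2014-6271 next to the version
# string a version-only scanner would rely on. Function names are illustrative.
# Usage: sh check_6271.sh [path-to-bash]

# Prints the first line of the shell's --version output.
reported_version() {
    "$1" --version 2>/dev/null | head -n 1 || true
}

# Runs the test from comment #3 against the given shell: an environment
# variable holding a function definition followed by a trailing command.
# An unpatched bash runs the trailing command while importing the variable;
# a patched one only runs the command passed with -c.
probe_6271() {
    marker="probe-$$"    # constructed marker, unlikely to appear by chance
    out=$(env x="() { :;}; echo $marker" "$1" -c 'echo test' 2>/dev/null) || true
    case $out in
        *"$marker"*) echo "vulnerable" ;;
        *)           echo "not vulnerable" ;;
    esac
}

# Default target: the bash found on PATH (assumption; pass a path to override).
target=${1:-$(command -v bash || echo bash)}
echo "version string: $(reported_version "$target")"
echo "CVE-2014-6271:  $(probe_6271 "$target")"
```

On a build with backported fixes the first line stays the same before and after patching; only the second line reflects the fix.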
