Issue #1041

closed

BASH (aka shellshock) vulnerability - CVE-2014-[6271/6277/6278/7169/7186/7187]

Added by My Self almost 10 years ago. Updated almost 10 years ago.

Status: Closed
Priority: High
Category: Security
Target version:
Start date: 11/06/2014
Due date:
% Done: 0%
Estimated time:
Resolution: fixed
Device:
Grant:
Type of work:

Actions #1

Updated by Denis 'GNUtoo' Carikli almost 10 years ago

Hi,

There is a utility in f-droid to check for the vulnerability.
If you use it, it'll tell you that we're affected.

Do you know what does or can use bash in Replicant or f-droid?

I guess busybox or toolbox's shells are the ones that are used by default by almost everything.

Denis.

Actions #2

Updated by Denis 'GNUtoo' Carikli almost 10 years ago

  • Category changed from 51 to Security

Actions #3

Updated by My Self almost 10 years ago

You mean this tool for sure: https://f-droid.org/repository/browse/?fdfilter=shellshock&fdid=in.indiandragon.shellshock.shellshockvulnerabilityscan
The problem with this tool is:
- that it checks one single vulnerability (CVE-2014-6271) (http://blog.indiandragon.in/2014/10/shellshock-vulnerability-in-android.html) and
- after I manually (and temporarily) switched to the patched BASH over the CWM flashable zip file:
https://dl.dropboxusercontent.com/s/zbed1om7hgb5iqb/Bash-signed.zip?dl=0
Source: http://forum.xda-developers.com/android/software-hacking/dev-lastest-bash-android-t2898295
this tool still says that I'm vulnerable with my new BASH version.

The last point is strange, because I've manually tested the Replicant built-in BASH with that (CVE-2014-6271) exploit over the Terminal Emulator app:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
which was vulnerable, and after the replacement with the patched BASH, I definitely verified that I'm not vulnerable to this exploit anymore (with exactly the same test, of course)...
Source & exploits for the other CVEs: https://shellshocker.net/

Actions #4

Updated by Paul Kocialkowski almost 10 years ago

The commits from CyanogenMod cannot be fetched (even though they show up on the github website), please provide commits I can include directly in Replicant.

I don't like the idea of updating components versions, it makes things hard to maintain, so I prefer to backport patches (i.e. I want updates to be only security-related, not features-related). If there is no other way, I will consider bumping the version, but please try to find a way for me to integrate those patches in the current code.

Actions #6

Updated by Paul Kocialkowski almost 10 years ago

  • Status changed from New to Closed
  • Resolution set to fixed

Everything pushed to the repositories, will be part of the next batch of images.

Actions #7

Updated by Paul Kocialkowski almost 10 years ago

Note that the application still says that it is vulnerable, but it may just be checking the bash version, which didn't change since I just backported the patches.

I tried with the script from: https://shellshocker.net/

Results on the 0002 images:

CVE-2014-6271 (original shellshock): VULNERABLE
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): VULNERABLE
bash: line 39: cd: /tmp: No such file or directory
CVE-2014-7169 (taviso bug): VULNERABLE
bash: line 50:  4872 Segmentation fault      bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable

Results with the current repositories:

CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
bash: line 39: cd: /tmp: No such file or directory
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
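
A behavioural check for CVE-2014-6271 gives a result that does not depend on the version banner, which matters when fixes are backported as described in comment #7. The script below is an added example, not code from this issue or from Replicant; it reuses the test command quoted in comment #3, and the marker string, function names and the path in the usage comment are assumptions of the example.

```sh
#!/bin/sh
# Added example: behavioural probe for CVE-2014-6271, built on the test
# command quoted in comment #3. The marker string and function names are
# this example's own.

MARKER=SHELLSHOCK_MARKER

# probe_6271 SHELL_PATH
# Prints "vulnerable", "not vulnerable" or "error"; returns 1, 0 or 2.
probe_6271() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo "error"; return 2; }
    # env -i gives the shell an environment holding only the probe variable.
    # A fixed bash imports x as plain text; an affected one also runs the
    # command that follows the function body and prints the marker.
    out=$(env -i x="() { :;}; echo $MARKER" \
          "$shell_path" -c 'echo probe-done' 2>/dev/null)
    case $out in
        *"$MARKER"*)  echo "vulnerable"; return 1 ;;
        *probe-done*) echo "not vulnerable"; return 0 ;;
        *)            echo "error"; return 2 ;;
    esac
}

# report_shell SHELL_PATH
# Shows the version banner next to the behavioural result: a backported
# fix changes the third column but not the second.
report_shell() {
    banner=$("$1" --version 2>/dev/null | head -n 1)
    result=$(probe_6271 "$1")
    printf '%s\t%s\t%s\n' "$1" "${banner:-unknown version}" "$result"
}

# Usage: sh probe.sh /system/xbin/bash   (path is an assumption)
for candidate in "$@"; do
    report_shell "$candidate"
done
```

This covers only CVE-2014-6271; the other CVEs in the issue title need their own probes, as the per-CVE results in comment #7 show.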
