Issue #1041
closed
BASH (aka shellshock) vulnerability - CVE-2014-[6271/6277/6278/7169/7186/7187]
Description
I hope it's a good idea to open a bug ticket about the forum topic: http://redmine.replicant.us/boards/9/topics/6729
Summary
Replicant is (at the moment) vulnerable to the shellshock vulnerabilities.
Two patches "CVE-2014-6271 and CVE-2014-7169" have been merged into Replicant in the meantime:
https://gitorious.org/replicant/external_bash/commits/64368c6fd95e4f749e6133398ad4d5fce3c9b940
But there are some more issues:
https://access.redhat.com/security/cve/CVE-2014-7186
https://access.redhat.com/security/cve/CVE-2014-7187
https://access.redhat.com/security/cve/CVE-2014-6277
https://access.redhat.com/security/cve/CVE-2014-6278
with available patches:
https://github.com/CyanogenMod/android_external_bash/commit/027626f9f273edf1c435c223f93768ec6dcc5301
https://github.com/CyanogenMod/android_external_bash/commit/bd2cb35e07e5cef774220e8b57bace207f162e50
https://github.com/CyanogenMod/android_external_bash/commit/369692c969182053c3a8f81775fa022934e3bd95
https://github.com/CyanogenMod/android_external_bash/commit/658bb3b21b2923f5e37dfe1ae2262fac5297d1af
Alternatively, I would really appreciate it if the whole BASH version could be updated.
Here is the version "4.3.30" as an open source and shellshock-fixed version, which I've successfully tested with Replicant 4.2:
https://github.com/3lo0sh/bash-arm
Updated by Denis 'GNUtoo' Carikli over 9 years ago
Hi,
There is a utility in F-Droid to check for the vulnerability.
If you use it, it'll tell you that we're affected.
Do you know what does or can use bash in Replicant or F-Droid?
I guess busybox or toolbox's shells are the ones that are used by default by almost everything.
Denis.
Updated by Denis 'GNUtoo' Carikli over 9 years ago
- Category changed from 51 to Security
Updated by My Self over 9 years ago
You mean this tool for sure: https://f-droid.org/repository/browse/?fdfilter=shellshock&fdid=in.indiandragon.shellshock.shellshockvulnerabilityscan
The problem with this tool is:
- that it checks one single vulnerability (CVE-2014-6271) (http://blog.indiandragon.in/2014/10/shellshock-vulnerability-in-android.html) and
- after I manually (and temporarily) switched to the patched BASH over the CWM flashable zip file:
https://dl.dropboxusercontent.com/s/zbed1om7hgb5iqb/Bash-signed.zip?dl=0
Source: http://forum.xda-developers.com/android/software-hacking/dev-lastest-bash-android-t2898295
this tool still says that I'm vulnerable with my new BASH version.
The last point is strange, because I've manually tested the Replicant built-in BASH with that (CVE-2014-6271) exploit over the Terminal Emulator app:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
which was vulnerable, and after the replacement with the patched BASH, I definitely verified that I'm not vulnerable to this exploit anymore (with exactly the same test, of course)...
Source & exploits for the other CVEs: https://shellshocker.net/
Updated by Paul Kocialkowski over 9 years ago
The commits from CyanogenMod cannot be fetched (even though they show up on the github website), please provide commits I can include directly in Replicant.
I don't like the idea of updating components versions, it makes things hard to maintain, so I prefer to backport patches (i.e. I want updates to be only security-related, not features-related). If there is no other way, I will consider bumping the version, but please try to find a way for me to integrate those patches in the current code.
Updated by Paul Kocialkowski over 9 years ago
Never mind, I found a way to export the patches: https://github.com/CyanogenMod/android_external_bash/commit/027626f9f273edf1c435c223f93768ec6dcc5301.patch
Updated by Paul Kocialkowski over 9 years ago
- Status changed from New to Closed
- Resolution set to fixed
Everything pushed to the repositories, will be part of the next batch of images.
Updated by Paul Kocialkowski over 9 years ago
Note that the application still says that it is vulnerable, but it may just be checking the bash version, which didn't change since I just backported the patches.
I tried with the script from: https://shellshocker.net/
Results on the 0002 images:
CVE-2014-6271 (original shellshock): VULNERABLE
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): VULNERABLE
bash: line 39: cd: /tmp: No such file or directory
CVE-2014-7169 (taviso bug): VULNERABLE
bash: line 50: 4872 Segmentation fault bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2> /dev/null
CVE-2014-7186 (redir_stack bug): VULNERABLE
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
Results with the current repositories:
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
bash: line 39: cd: /tmp: No such file or directory
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
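A backported fix leaves the bash version string unchanged, so a checker that compares versions keeps reporting a patched build as affected. As an added example (not part of this thread or of Replicant's code), the script below runs the CVE-2014-6271 test line quoted earlier in the thread against each bash binary passed as an argument and prints the version next to the observed behaviour. The function names are made up for illustration, and only CVE-2014-6271 is covered.

```shell
#!/bin/sh
# Added example (not from the thread): decide CVE-2014-6271 exposure from what
# a bash binary does, not from its version string.

# classify_6271 OUTPUT: verdict from the probe's captured stdout.
classify_6271() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo "vulnerable"          # the command trailing the function body ran
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo "not vulnerable"      # only the -c command ran
    else
        echo "inconclusive"        # binary crashed or printed something else
    fi
}

# probe_6271 BASH_PATH: run the test line quoted in the thread against one binary.
probe_6271() {
    [ -x "$1" ] || { echo "no bash"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || true
    classify_6271 "$out"
}

# report_6271 BASH_PATH: show version and behaviour side by side.
report_6271() {
    ver=$("$1" --version 2>/dev/null | head -n 1)
    printf '%s\n  version:       %s\n  CVE-2014-6271: %s\n' \
        "$1" "${ver:-unknown}" "$(probe_6271 "$1")"
}

# The binaries to check are supplied by the caller; no paths are assumed here.
for b in "$@"; do report_6271 "$b"; done
```

Two builds that print the same version line can produce different verdicts here, which is the situation the backported patches create.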