Monday, September 29, 2014

Shellshock: Patching GNU bash from source

Bash compilation notes, if you want to compile bash yourself. If you have an older version of bash and do not want to wait for your vendor, and you do not want to upgrade to the most latest version like 4.3. The patches for shellshock or CVE-2014-6271 are available for all the bash versions. However, early fixes have not been stable and the attack vectors are still evolving, so we still need to keep an eye on the developments.

Check what version you have by:
bash --version

Let's say I am running an old version of bash v 3.00

Before patching, I see that the trailing code after the function definition is getting executed:


[test@test ~]# env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello

Step 1: Download the bash source (base version) from:
http://ftp.gnu.org/gnu/bash/


wget http://ftp.gnu.org/gnu/bash/bash-3.0.tar.gz


Step 2: Get all the patches for bash 3.0 from the patches location and save them in a directory say patches:

mkdir patches

http://ftp.gnu.org/gnu/bash/bash-3.0-patches/

Save them as bash30-001.patch etc,  i.e. with a patch extension for easy handling.


[test@test patches]# ls
bash30-001.patch  bash30-005.patch  bash30-009.patch  bash30-013.patch  bash30-017.patch
bash30-002.patch  bash30-006.patch  bash30-010.patch  bash30-014.patch  bash30-018.patch
bash30-003.patch  bash30-007.patch  bash30-011.patch  bash30-015.patch  bash30-019.patch
bash30-004.patch  bash30-008.patch  bash30-012.patch  bash30-016.patch

Step 3: Extract bash and copy patches to the src dir:


[test@test bash_test]# tar -xvzf bash-3.0.tar.gz

Copy the patches to the extracted bash source directory:


[test@test bash-3.0]# cp ../patches/*.patch .

Step 4: Apply the patches:


[test@test bash-3.0]# for x in *.patch; do patch -p0 < $x; done


Step 5: Confirm that it got applied, second last line says 19:


[root@cap bash-3.0]# cat patchlevel.h
...
#define PATCHLEVEL 19

#endif /* _PATCHLEVEL_H_ */


Step 6: Compile bash:


./configure ; make ; make install

Step 7: After patching, test:


[test@test bash-3.0]# env x='() { :;}; echo vulnerable' bash -c 'echo hello'
hello
The statement echo vulnerable, did not execute.
I am not sure if this test is complete, as there are other ways to exploit it as well. I saw some of them here:
http://stevejenkins.com/blog/2014/09/how-to-manually-update-bash-to-patch-shellshock-bug-on-older-fedora-based-systems/

Nevertheless, there have been 3 bash patches so far, and I have applied all of them.




Extras: 

If you just want the compiled package and want to install it on different machines, then just use --prefix=destination_directory, like:


./configure --prefix=/home/test/compiled; make ; make install

This generates 4 directories (bin, info, man and share)

tarball it, so that you can distribute it to different machines:


cd /home/test/compiled

tar -cvzf bash_3.0.19_patched_binary.tar.gz bin/ info/ man/ share/

Before you extract the files in your root directory, make a backup of old bash binary in /bin/bash.

mv /bin/bash /bin/bash_old

Extraction:

tar -xvzf bash_3.0.19_patched_binary.tar.gz -C /


References:

http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an

http://stevejenkins.com/blog/2014/09/how-to-manually-update-bash-to-patch-shellshock-bug-on-older-fedora-based-systems/


No comments:

Post a Comment