Shellshock vulnerability fix for legacy systems

    For distributions with live support, Shellshock is removed simply by updating the bash package. But if updates are no longer available, solving the problem is harder. There are only two working options: update bash some other way, or abandon bash in favor of another shell interpreter.



    1. Installing the package from the Debian wheezy repository on Debian lenny.

    We change /etc/apt/sources.list from

    deb http://ftp.debian.org/debian lenny main contrib
    deb http://security.debian.org/ lenny/updates main contrib
    

    to

    deb http://archive.debian.org/debian lenny main
    deb http://archive.debian.org/debian-security lenny/updates main
    deb http://archive.debian.org/backports.org lenny-backports main
    deb http://ftp.debian.org/debian wheezy main contrib
    deb http://security.debian.org/ wheezy/updates main contrib
    


    Make sure you do not have an /etc/apt/preferences file whose settings might interfere with installing software from the wheezy repositories. After that, add the key with which wheezy packages are signed, update the package database and install the bash-static package.

    # apt-key adv --recv-keys --keyserver pgp.mit.edu 8B48AD6246925553
    # apt-get update && apt-get install -y bash-static
    

    We check the installed bash-static and where /bin/sh points now:

    # ls -la /bin/sh /bin/bash*
    -rwxr-xr-x 1 root root 700492 Май 12 2008 /bin/bash
    -rwxr-xr-x 1 root root 1410128 Апр 10 2010 /bin/bash-static
    lrwxrwxrwx 1 root root 4 Окт 1 00:32 /bin/sh -> bash
    

    Next, it is important to carefully follow the steps:

    # mv /bin/bash /bin/bash.old && ln -s bash-static /bin/bash
    

    We check the result, it should turn out like this:

    # ls -la /bin/sh /bin/bash*
    lrwxrwxrwx 1 root root 11 Окт 1 00:51 /bin/bash -> bash-static
    -rwxr-xr-x 1 root root 700492 Май 12 2008 /bin/bash.old
    -rwxr-xr-x 1 root root 1410128 Апр 10 2010 /bin/bash-static
    lrwxrwxrwx 1 root root 4 Окт 1 00:32 /bin/sh -> bash
    

    Make sure the shell works before logging out of the system, for example by trying to log in from another console. If the shell specified for the user (usually in /etc/passwd) is unavailable, you can lose the ability to access the system again.
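
    The swap in this section, together with the check before logging out, as an added example that is not code from the original article: a POSIX sh script that keeps the old binary as bash.old, points bash at the replacement, verifies that the new link actually runs and that it no longer executes the code trailing an exported function definition in the environment (the self-test from the vendor advisories), and restores the old binary otherwise. The directory argument, the function names and the "shell-ok"/"probe" marker strings are my own assumptions; on a real host it is called as swap_bash /bin bash-static.

```shell
#!/bin/sh
# Replace the system bash with a checked substitute and roll back on failure.
# Assumptions (mine, not from the article): the directory is a parameter so the
# sequence can be rehearsed on a scratch copy of /bin; the replacement already
# sits in that directory, as bash-static does after "apt-get install bash-static".

# check_shell PATH: 0 if PATH is executable and can run a trivial command
check_shell() {
    [ -x "$1" ] || return 1
    out=$("$1" -c 'echo shell-ok' 2>/dev/null) || return 1
    [ "$out" = "shell-ok" ]
}

# shellshock_vulnerable PATH: 0 if the shell still runs the code that follows an
# exported-function definition in its environment (the vendors' self-test);
# a fixed bash ignores the variable and prints only "probe"
shellshock_vulnerable() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo probe' 2>/dev/null) || true
    case "$out" in *vulnerable*) return 0 ;; *) return 1 ;; esac
}

# swap_bash DIR NAME: keep DIR/bash as DIR/bash.old and point DIR/bash at DIR/NAME.
# Refuses to touch anything unless NAME is a working, fixed shell and no stale
# backup is in the way; restores the old binary if the new link does not run.
swap_bash() {
    dir=$1; new=$2
    check_shell "$dir/$new" || { echo "refusing: $dir/$new does not run" >&2; return 1; }
    if shellshock_vulnerable "$dir/$new"; then
        echo "refusing: $dir/$new is still vulnerable" >&2; return 1
    fi
    if [ -e "$dir/bash.old" ]; then
        echo "refusing: $dir/bash.old already exists, previous backup not cleaned up" >&2; return 1
    fi
    mv "$dir/bash" "$dir/bash.old" || return 1
    if ! ln -s "$new" "$dir/bash" || ! check_shell "$dir/bash"; then
        rm -f "$dir/bash"
        mv "$dir/bash.old" "$dir/bash"
        echo "rolled back: $dir/bash did not work after the swap" >&2
        return 1
    fi
    echo "ok: $dir/bash -> $new, old binary kept as $dir/bash.old"
}

# Real use, as root, after bash-static is installed:   swap_bash /bin bash-static
```

    Run it as root and, as the text says, keep a second console logged in while you do; the directory parameter lets you rehearse the whole sequence on a scratch copy of /bin before touching the real one.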

    After the operation is completed, it is worth commenting out the wheezy lines in /etc/apt/sources.list:

    #deb http://ftp.debian.org/debian wheezy main contrib
    #deb http://security.debian.org/ wheezy/updates main contrib
    


    2. Other distributions.

    For other distributions, you can try the static bash build from Debian wheezy or the build from ftp.ssnab.net/pub/bash (compiled as described in section 3).

    You can download the Debian package here: packages.debian.org/wheezy/bash-static

    # wget http://security.debian.org/debian-security/pool/updates/main/b/bash/bash-static_4.2+dfsg-0.1+deb7u3_i386.deb
    

    The package is unpacked either with the dpkg utility (relevant for older versions of Ubuntu) or with the ar archiver, which comes as part of the binutils package.

    # mkdir tmp
    # dpkg -x bash-static_4.1-3_i386.deb tmp/
    

    or

    # ar x bash-static_4.1-3_i386.deb
    

    Be sure to save the old version of bash as /bin/bash.old before copying the downloaded binary there.

    3. Building from source

    This may be necessary if you have an old kernel and the bash from wheezy fails with complaints about a missing system call, if a different operating system is used, or if you need a build with some special options.

    Bash has a somewhat tricky way of distributing its source code: there is a tarball of a given version (in our case 4.3) and a separate directory of patches for bugs found between that release and the next one. Therefore we download both and apply the patches ourselves. On Debian lenny it looks like this:

    Install the packages needed for compilation. For this you may need to point the repositories at the archive servers, as was done for lenny in section 1.

    # apt-get install libc-dev gcc automake autoconf make patch
    

    For CentOS, accordingly, it will be

    # yum install glibc-devel glibc-static make automake autoconf patch
    


    # cd /usr/src
    # wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
    # tar xzf bash-4.3.tar.gz
    # cd bash-4.3
    # wget -cr --reject 'index.*' --reject '*.sig' -l1 http://ftp.gnu.org/gnu/bash/bash-4.3-patches/
    # find ftp.gnu.org/gnu/bash/bash-4.3-patches/ -type f | sort -u |  xargs -l1 -I % cat % | patch -p0
    

    To avoid the "multiple definition of `free`" error, use the --without-bash-malloc option:

    # ./configure --enable-static-link --without-bash-malloc --enable-job-control --enable-history
    # make
    # strip bash
    

    Copy the resulting bash to /bin and use it instead of the system bash as described above:

    # cp bash /bin/bash.new && mv /bin/bash /bin/bash.old && ln -s bash.new /bin/bash
    

    Binaries built this way on clean Debian 5 and CentOS 5 can be downloaded here: ftp.ssnab.net/pub/bash

    4. If you can’t compile bash yourself or pull it out of another distribution, you can abandon bash and use some other shell interpreter, for example /bin/dash. Rename /bin/bash to /bin/bash.vulnerable and create a symbolic link /bin/bash pointing to the alternative interpreter.

    There is some risk in this, because scripts containing bashisms (code specific to bash) will stop working. If these are startup or other important system scripts, the system may become inoperable. For such scripts, if you are sure they will not be invoked in a hostile environment, you can explicitly point them at the original bash in the interpreter line at the top of the file: #!/bin/bash.vulnerable
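
    An added example for the audit this section implies, not code from the original article: before pointing /bin/bash at dash, list the scripts under a directory whose interpreter line names bash, count the lines in each that use common bash-only syntax (a heuristic pattern list of my own), and pin a chosen script to the renamed original with the #!/bin/bash.vulnerable line described above. The function names, the pattern list and the ORIG_BASH setting are assumptions.

```shell
#!/bin/sh
# Find scripts that would break when /bin/bash becomes another interpreter,
# and pin selected ones to the renamed original bash. Assumptions (mine):
# the bashism patterns are a heuristic, and ORIG_BASH is the rename from section 4.

ORIG_BASH=/bin/bash.vulnerable

# has_bash_shebang FILE: 0 if the first line names bash as the interpreter
has_bash_shebang() {
    line=$(head -n 1 "$1" 2>/dev/null) || return 1
    case "$line" in
        '#!'*'/bash'|'#!'*'/bash '*|'#!'*'/env bash'*) return 0 ;;
        *) return 1 ;;
    esac
}

# count_bashisms FILE: prints the number of lines using bash-only syntax:
# [[ ]], (( )) outside $(( )), the "function" keyword, process substitution,
# array assignment or expansion, $RANDOM and {1..N} brace ranges
count_bashisms() {
    grep -c -E '\[\[|(^|[^$])\(\(|^[[:space:]]*function[[:space:]]|<\(|\$\{[A-Za-z_]+\[|^[A-Za-z_][A-Za-z0-9_]*=\(|\$RANDOM|\{[0-9]+\.\.[0-9]+\}' "$1" 2>/dev/null || true
}

# audit_scripts DIR: print "<bashism count> <path>" for every bash script below DIR
audit_scripts() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        has_bash_shebang "$f" || continue
        printf '%s %s\n' "$(count_bashisms "$f")" "$f"
    done
}

# pin_to_original FILE: rewrite the interpreter line so the script keeps using
# the original bash (only for scripts never reached from untrusted input);
# the file is overwritten in place so owner and mode are preserved
pin_to_original() {
    f=$1
    has_bash_shebang "$f" || return 1
    sed -e "1s|^#![[:space:]]*/bin/bash\$|#!$ORIG_BASH|" \
        -e "1s|^#![[:space:]]*/bin/bash[[:space:]]|#!$ORIG_BASH |" \
        -e "1s|^#![[:space:]]*/usr/bin/env[[:space:]][[:space:]]*bash|#!$ORIG_BASH|" \
        "$f" > "$f.tmp" || return 1
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Typical use: audit_scripts /etc/init.d   then   pin_to_original /etc/init.d/somescript
```

    audit_scripts /etc/init.d gives a quick view of which startup scripts would be affected; a count of zero does not prove a script is POSIX-clean, so anything listed still deserves a run under the new interpreter before the switch. pin_to_original changes only the first line and writes through the existing file so that ownership and permissions survive.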

    Update: the procedure for obtaining the key for wheezy has been added.
