
Shellshock security patch for Ubuntu

The Shellshock vulnerability is another reason never to say “impossible” when it comes to security. The bug dates back to bash version 1.13 and lies in the way bash handles function definitions passed through environment variables.

Attackers can exploit it by getting bash to misparse a crafted environment variable and execute arbitrary shell commands on Linux-based systems.

While all current Linux distributions ship security patches for this vulnerability, the same cannot be said of older distributions and embedded devices.

Checking shellshock vulnerability in Ubuntu

In Ubuntu, open a terminal and run this command:

env x='() { :;}; echo UNPROTECTED' bash -c 'echo COMPLETED'

If UNPROTECTED is printed in your console, your server is vulnerable to Shellshock attacks; see the image below:

(Image: Shellshock security test)

Shellshock security patch for current Ubuntu releases

For current Ubuntu releases that haven’t reached End of Life, the patch is simple to apply. Run these commands in a terminal and you’re safe:

sudo apt-get update
sudo apt-get install --only-upgrade bash

Shellshock security patch for old Ubuntu releases

If you run an older Ubuntu release that no longer receives security updates, you should consider upgrading to the latest Ubuntu LTS version or replacing its bash shell with a newer, patched version.

On old Ubuntu versions you’ll have to build bash from source. Recompiling bash on Ubuntu 8.04 LTS requires gcc and make. If you don’t have them installed, you’ll have to update your sources.list file with mirrors that still carry the packages.

Installing gcc and make on Ubuntu

The first step is updating your sources.list file. Open /etc/apt/sources.list and replace its content with the following lines:

deb http://old-releases.ubuntu.com/ubuntu/ hardy main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ hardy-updates main restricted universe multiverse
deb http://old-releases.ubuntu.com/ubuntu/ hardy-security main restricted universe multiverse

Save and close the file.

Now update your package list using

sudo apt-get update

and continue by installing gcc and make:

sudo apt-get install gcc
sudo apt-get install make

Building and installing a patched bash version on Ubuntu

Go to your /src directory, or simply create one, to download, patch and build a new version of the bash shell.

Go to /src and download a new version of bash together with all its patches:

cd /src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
# GNU bash patches are numbered from 001; there is no bash43-000, so start the sequence at 1
for i in $(seq -f "%03g" 1 25); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done

Extract the archive and apply all patches in order:

tar zxvf bash-4.3.tar.gz
cd bash-4.3
# the official patches are relative to the bash-4.3 directory, hence -p0
for i in $(seq -f "%03g" 1 25); do patch -p0 < ../bash43-$i; done

Compile and install bash (only the install step needs root):

./configure --prefix=/usr --bindir=/bin --sbindir=/sbin --sysconfdir=/etc
make
sudo make install

Test again for shellshock vulnerability

env x='() { :;}; echo UNPROTECTED' bash -c 'echo COMPLETED'

You should only see COMPLETED text outputted at this point.
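The manual test above (run before and after the rebuild) relies on eyeballing the output. As an added example that is not part of the original post, here is a small POSIX sh checker that runs the same environment-variable test against any bash binary and turns the result into a verdict and exit status, so it can be run on many hosts and logged. The function names and the SHELLSHOCK_MARKER string are my own choices.

```shell
#!/bin/sh
# Added example, not from the original article.
# shellshock_check [path-to-bash] -> prints "patched", "vulnerable", "missing" or "unknown"
# Exit status: 0 patched, 1 vulnerable, 2 binary not found, 3 unexpected output.
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "missing"
        return 2
    fi
    # A vulnerable bash keeps parsing past the function body "() { :;}" when it
    # imports the variable and executes the trailing command. The marker text is
    # constructed here; a patched bash never prints it, only COMPLETED.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo COMPLETED' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *COMPLETED*)         echo "patched";    return 0 ;;
        *)                   echo "unknown";    return 3 ;;
    esac
}

# shellshock_report [path-to-bash] -> one line: binary, bash version, verdict
# Handy when collecting results from several machines into one log.
shellshock_report() {
    bash_bin="${1:-bash}"
    verdict=$(shellshock_check "$bash_bin") || true
    version=$("$bash_bin" -c 'echo "$BASH_VERSION"' 2>/dev/null) || version="n/a"
    echo "$bash_bin ${version:-n/a} $verdict"
}

# Usage: sh shellshock_check.sh [/path/to/bash]; the exit status is the verdict.
if [ "${SHELLSHOCK_CHECK_NO_MAIN:-0}" = "0" ] && [ "$(basename "$0")" = "shellshock_check.sh" ]; then
    shellshock_report "${1:-bash}"
    shellshock_check "${1:-bash}" >/dev/null
    exit $?
fi
```

After rebuilding bash, point the script at the freshly installed binary (/bin/bash) as well as the default one, since an old copy may still be first in PATH.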

The above procedure was tested on Ubuntu 12.10 and Ubuntu 8.04. It should work for all Ubuntu releases, but you’ll have to replace hardy with a corresponding release name in sources.list file.