fork
02-10-2014, 08:26
Hallo zusammen,
nachdem ja die Bashlücke Shellshock sehr gravierend ist, sollte man die tunlichst schliessen.
Falls jemand zufällig Linux-Distributionen im Einsatz hat, die schon EOL sind, gibt's es auch
dafür keine Updates mehr.
Eine Alternative ist neukompilieren auf dem System. Z. B. mit diesen paar Befehlen:
mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
#download all patches
for i in $(seq -f "%03g" 1 28); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
#apply all patches
for i in $(seq -f "%03g" 1 28);do patch -p0 < ../bash43-$i; done
#build and install
./configure --prefix=/ && make && make install
cd ..
cd ..
rm -r src
...oder schlicht das bash-static binary nehmen aus den debian-security updates. Das läuft aber nur, wenn der Kernel nicht zu alt ist.
Hier noch ein Script, dass die bashes auch auf vielen Servern verteilen kann.
#!/bin/bash
#
# script upgrades bash and is doing a little test before overwriting the real bash
#
# prerequisites:
#
# - Default user "root" for ssh
# - Key based authentication for remote root is set up
# - bash binaries /tmp/bash32 and /tmp/bash64 exist
# - a host file with one hostname per line
#
if [ "$#" -lt 1 ]; then
echo "$(basename $0) : upgrade bash"
echo
echo "Usage: $(basename $0) [hosts-file]"
echo "hosts-file : file with vms/dedicated servers, one per line"
echo
exit 1
fi
if [ -n "$1" ]; then
if [ -r "$1" ] ; then
FILE="$1"
else
echo "Datei $2 nicht vorhanden/lesbar"
exit 1
fi
fi
if [ -f $FILE ]; then
for host in $(cat $FILE);do
printf "%-40s" "$host "
if ping -c1 -w1 $host >/dev/null 2>&1 ;then
echo -n " ."
if ssh $host date >/dev/null 2>&1 ; then
echo -n .
arch=$(ssh $host uname -m -o -r)
if ssh $host "env x='() { :;}; echo vulnerable' bash -c 'echo hello'" 2>/dev/null | grep -q vulnerable; then
echo -n .
#echo " vulnerable($arch)"
if $(echo $arch | grep -qi linux) ; then
if $(echo $arch | grep -qi x86_64) ; then
if rsync /tmp/bash64 $host:/tmp; then
echo -n .
if ssh $host /tmp/bash64 -c nix=0 2>/dev/null; then
echo -n .
if ssh $host mv /tmp/bash64 /bin/bash ;then
echo -n .
if ssh $host "env x='() { :;}; echo vulnerable' bash -c 'echo hello'" 2>/dev/null | grep -q vulnerable; then
echo "fix tried, but still vulnerable"
else
echo "fixed successfully"
fi
else
echo "Activating new bash failed on host"
fi
else
echo "fix not possible, bash binary not working on remote host"
fi
else
echo "copying new bash binary to remote host failed"
fi
fi
if $(echo $arch | grep -qi i[34567]86) ; then
if rsync /tmp/bash32 $host:/tmp; then
echo -n .
if ssh $host /tmp/bash32 -c nix=0 2>/dev/null; then
echo -n .
if ssh $host mv /tmp/bash32 /bin/bash ;then
echo -n .
if ssh $host "env x='() { :;}; echo vulnerable' bash -c 'echo hello'" 2>/dev/null | grep -q vulnerable; then
echo "fix tried, but still vulnerable"
else
echo "fixed successfully"
fi
else
echo "Activating new bash failed on host"
fi
else
echo "fix not possible, bash binary not working on remote host"
fi
else
echo "copying new bash binary to remote host failed"
fi
fi
else
echo "Remote System not linux, skipping"
fi
else
echo " safe"
fi
else
echo " kein SSH-Auto-login"
fi
else
echo " nicht erreichbar"
fi
done
else
echo "Datei $FILE nicht gefunden"
fi
nachdem ja die Bashlücke Shellshock sehr gravierend ist, sollte man die tunlichst schliessen.
Falls jemand zufällig Linux-Distributionen im Einsatz hat, die schon EOL sind, gibt's es auch
dafür keine Updates mehr.
Eine Alternative ist neukompilieren auf dem System. Z. B. mit diesen paar Befehlen:
mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
#download all patches
for i in $(seq -f "%03g" 1 28); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
#apply all patches
for i in $(seq -f "%03g" 1 28);do patch -p0 < ../bash43-$i; done
#build and install
./configure --prefix=/ && make && make install
cd ..
cd ..
rm -r src
...oder schlicht das bash-static binary nehmen aus den debian-security updates. Das läuft aber nur, wenn der Kernel nicht zu alt ist.
Hier noch ein Script, dass die bashes auch auf vielen Servern verteilen kann.
#!/bin/bash
#
# script upgrades bash and is doing a little test before overwriting the real bash
#
# prerequisites:
#
# - Default user "root" for ssh
# - Key based authentication for remote root is set up
# - bash binaries /tmp/bash32 and /tmp/bash64 exist
# - a host file with one hostname per line
#
if [ "$#" -lt 1 ]; then
echo "$(basename $0) : upgrade bash"
echo
echo "Usage: $(basename $0) [hosts-file]"
echo "hosts-file : file with vms/dedicated servers, one per line"
echo
exit 1
fi
if [ -n "$1" ]; then
if [ -r "$1" ] ; then
FILE="$1"
else
echo "Datei $2 nicht vorhanden/lesbar"
exit 1
fi
fi
if [ -f $FILE ]; then
for host in $(cat $FILE);do
printf "%-40s" "$host "
if ping -c1 -w1 $host >/dev/null 2>&1 ;then
echo -n " ."
if ssh $host date >/dev/null 2>&1 ; then
echo -n .
arch=$(ssh $host uname -m -o -r)
if ssh $host "env x='() { :;}; echo vulnerable' bash -c 'echo hello'" 2>/dev/null | grep -q vulnerable; then
echo -n .
#echo " vulnerable($arch)"
if $(echo $arch | grep -qi linux) ; then
if $(echo $arch | grep -qi x86_64) ; then
if rsync /tmp/bash64 $host:/tmp; then
echo -n .
if ssh $host /tmp/bash64 -c nix=0 2>/dev/null; then
echo -n .
if ssh $host mv /tmp/bash64 /bin/bash ;then
echo -n .
if ssh $host "env x='() { :;}; echo vulnerable' bash -c 'echo hello'" 2>/dev/null | grep -q vulnerable; then
echo "fix tried, but still vulnerable"
else
echo "fixed successfully"
fi
else
echo "Activating new bash failed on host"
fi
else
echo "fix not possible, bash binary not working on remote host"
fi
else
echo "copying new bash binary to remote host failed"
fi
fi
if $(echo $arch | grep -qi i[34567]86) ; then
if rsync /tmp/bash32 $host:/tmp; then
echo -n .
if ssh $host /tmp/bash32 -c nix=0 2>/dev/null; then
echo -n .
if ssh $host mv /tmp/bash32 /bin/bash ;then
echo -n .
if ssh $host "env x='() { :;}; echo vulnerable' bash -c 'echo hello'" 2>/dev/null | grep -q vulnerable; then
echo "fix tried, but still vulnerable"
else
echo "fixed successfully"
fi
else
echo "Activating new bash failed on host"
fi
else
echo "fix not possible, bash binary not working on remote host"
fi
else
echo "copying new bash binary to remote host failed"
fi
fi
else
echo "Remote System not linux, skipping"
fi
else
echo " safe"
fi
else
echo " kein SSH-Auto-login"
fi
else
echo " nicht erreichbar"
fi
done
else
echo "Datei $FILE nicht gefunden"
fi