Patching Shellshock vulnerability on Ubuntu Server 13.10

On September 24, 2014, a Bash vulnerability was discovered that could lead to arbitrary code execution. The Bash shell is used in many operating systems, including Linux, BSD and Mac OS X.

After some testing I found out that my RamNode VPS (running Ubuntu Server 13.10) is vulnerable to the exploit. Sadly, this release of Ubuntu Server is unsupported and doesn't receive Bash updates!

Fortunately, there is a way to manually update Bash and patch the vulnerability. In this post I'll show you how to check if you're vulnerable and how to fix it.

Am I vulnerable?

There are currently 4 known exploits. You can test if you're vulnerable to each one by running the commands below, or you can skip to the fix.

  • Exploit 1

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    If you see "vulnerable" you are at risk.
  • Exploit 2

    env X='() { (shellshocker.net)=>\' bash -c "echo date"; cat echo; rm ./echo
    If you see the current date, you are at risk.
  • Exploit 3

    bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"
    You are at risk if your system echoes the text: "CVE-2014-7186 vulnerable, redir_stack"
  • Exploit 4

    (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash ||
    echo "CVE-2014-7187 vulnerable, word_lineno"
    If your system outputs "CVE-2014-7187 vulnerable, word_lineno" you are at risk.

The fix (Ubuntu 13.10)

In order to patch Ubuntu Server 13.10 you'll need to manually download and install a new Bash package.

  • Start by looking for the most recent version of Bash on the Debian Packages website.

  • Look for the package for your architecture. My VPS is a 32-bit machine so I downloaded the i386 package. For a 64-bit machine you'll need the amd64 package.

  • Download the package to your server using the wget command:

    wget [URL_of_package]
  • Install the new version of bash:

    sudo dpkg -i bash_4.3-9.2_i386.deb

This should fix exploits 1, 2 and 4 but not exploit 3.
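
To see which of the four checks still fail after installing the package, the commands above can be wrapped so that they report a result instead of relying on reading the terminal output. This is an added example, not part of the original post; the function names and output wording are its own, and the second check runs in a scratch directory so the `echo` file it may create is cleaned up.

```shell
#!/bin/sh
# Added example: the page's four checks as functions, for use before and after
# the dpkg step. Each returns 0 if the tested bash looks vulnerable, 1 if not.
# Function names and output wording are this example's own.

check_exploit1() {   # env var with trailing code after a function definition
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || true
    case $out in *vulnerable*) return 0 ;; esac
    return 1
}

check_exploit2() {   # vulnerable shells create a file named "echo" in the cwd
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env X='() { (shellshocker.net)=>\' "$1" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"        # scratch directory, so nothing is left behind
    return "$rc"
}

check_exploit3() {   # CVE-2014-7186 (redir_stack): vulnerable shells exit non-zero
    "$1" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1 && return 1
    return 0
}

check_exploit4() {   # CVE-2014-7187 (word_lineno): 200 nested for loops
    "$1" -c 'for x in {1..200}; do echo "for x$x in ; do :"; done
             for x in {1..200}; do echo done; done' 2>/dev/null |
        "$1" >/dev/null 2>&1 && return 1
    return 0
}

shellshock_report() {   # prints one line per check; exit status = number vulnerable
    target=${1:-$(command -v bash)}
    bad=0
    for n in 1 2 3 4; do
        if "check_exploit$n" "$target"; then
            echo "exploit $n: VULNERABLE"
            bad=$((bad + 1))
        else
            echo "exploit $n: not vulnerable"
        fi
    done
    return "$bad"
}

# e.g. run `shellshock_report /bin/bash` before and after `sudo dpkg -i ...`
```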

Not a full patch yet

Keep in mind that the new version doesn't patch Shellshock entirely. Keep an eye on the package page of Bash for new versions. I'll also update this post if extra steps are required in the future.
