*nix bash shell bug

kgha · September 25, 2014, 7:32am

Some of you may have read the headlines reporting of a newfound bug in most *nix systems (which includes Linux, MacOS, Android) that may open systems to vulnerable exploit.

As I understand it, no Android device has a bash shell installed by default. But since the FP is rooted, and clearly a lot of FP users like prodding the system, some of you may have installed a bash shell app. If you’re among them, I guess it is prudent to take caution and patch your batch package.

It would be great if someone more savvy could confirm that ‘ordinary users’ have no reason to worry.

Greetings from Karl (who has patched his Linux netbook…)

madde · September 25, 2014, 8:53am

Does this help you? https://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7/146851#146851

Sure, you’re patched alright? My Fedora still seems to be vulnerable.

For Busybox on Android see here: https://twitter.com/tehowe/status/514859890662440961/photo/1

Edit: You might get some good answers here: http://forum.xda-developers.com/fairphone/help

madde · September 25, 2014, 9:25am

Shellshock seems to be an issue with Cyanogenmod.

kgha · September 25, 2014, 10:31am

Hi madde and thanks for the input. Yup, I found a patched bash package on a reliable repo out there (I’m on a slackware-based distro) and after installing the test script shows that I’m protected.

Found this information for Fedora users:

there are patched bash package updates available for F19, 20, 21.

But I still wonder if the vulnerability affects a stock Android install? Is there a hidden bash shell behind the curtains? Or does this only affect Android users who have installed a bash shell app?

Stefan · September 25, 2014, 10:37am

I installed Terminal Emulator from F-Droid on my FP OS, is it vulnerable, and how can I check this?

kgha · September 25, 2014, 10:59am

give the following command in the terminal (from first link in madde’s first post):

env x=‘() { :;}; echo vulnerable’ bash -c ‘echo hello’

If vulnerable, you’ll get the output

vulnerable
hello

(as shown in madde’s second post)

If not, the output is

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
hello

(or maybe something completely different. Not sure about what Terminal Emulator can do. Maybe it doesn’t include a bash shell?)

Dominik · September 25, 2014, 1:10pm

Android ships the MirBSD Korn shell (mksh) (Android source, see also good mksh introduction for Android, “mksh vs. bash” ). It is standard (at least) since 4.0.

To see which shell your emulator is using, I suggest this commands as tests:

mksh
$ print $KSH_VERSION
outputs
@(#)MIRBSD KSH R40 2011/10/07 (at mine)
bash
$ bash --version
should output
GNU bash, Version [...]

(Android) Terminal Emulator App

The Terminal Emulator App ships with /system/bin/sh - as default shell (tested with version from F-Droid). So it emulates mksh. You can
find the used shell in the preferences.

kgha · September 25, 2014, 1:26pm

…meaning that, unless I’ve installed another shell, my FP won’t be affected by the ‘Shellshock’ (bash shell) bug - am I right when inferring this?

Stefan · September 25, 2014, 2:51pm

Thank you @Dominik for clarifying this. I did not know that there were more than one shells.

@kgha I tested the command env but it wasn’t found by the shell. So I think it does not work with mksh. On the other hand it tells me that Cyanogenmod uses bash and is vulnerable. Is that right? (@madde)

madde · September 25, 2014, 2:55pm

What exactly did you test? Screenshot would be helpful. I would be very surprised if mksh wouldn’t know env…

Stefan · September 25, 2014, 3:01pm

kgha · September 25, 2014, 3:06pm

I get a similar message:
/system/bin/sh: [2]: env: not found

(using another terminal emulator)

But, honestly, I’m not that eager to peek under the bonnet… I just wonder if Shellshock affects a bog standard Android system? Can’t find anything authoritative on the web, although there are a few threads suggesting/arguing that Android is indeed not affected unless you’ve installed a GNU/bash app, see e.g. https://news.ycombinator.com/item?id=8365110 or http://lcamtuf.blogspot.se/2014/09/quick-notes-about-bash-bug-its-impact.html

madde · September 25, 2014, 3:10pm

hmm… no /usr/bin/env on your phone as well?

Sounds like good news for FP owners by my limited knowledge…

kgha · September 25, 2014, 3:18pm

not even a /usr/bin folder… and /system/bin does not contain any /env file…

madde · September 25, 2014, 3:25pm

after a bit of research it seems like this is mainly a CM issue and most other Android systems are not affected. Lucky you…

kgha · September 25, 2014, 6:52pm

Yes, it’s a relief, I hope you’ve been able to patch your Fedora install without too much trouble (fixing CM might be more complicated unless a patch will be accessible soon)

keesj · October 2, 2014, 7:46am

Hi,

On normal web-servers this bug is quite serious because an external attacker gets the possibility to execute programs that run under the bash shell (e.g. an old CGI script for example). On Android phones very few programs will get input from “outside” and pass that to a shell because there is really no need for it (the Android interfaces are quite decent and the shell on Android is really limited). The attack surface is “non existent”. Also we do not run bash so this specific bug does not affect us. Still the Android command line tools have not received the same “love” as bash in terms of security/research so it probably is safe to assume they have a different set of problems !