I got tired of the hysteria surrounding the recently discovered "shellshock" vulnerability in bash, so I've created a mitigation for it. It is loosely based on an old stunt I learned as a university sys admin in the late 90's for restricting user host logins. The shells were replaced with symlinks to a small C program which performed our checking before exec'ing the real shell. This seemed to work just fine with respect to pipes (stdin/stdout/stderr) and process ID's, so I thought I'd try the same approach here.

The code is bash_shock_fix.c, and the detached signature is bash_shock_fix.c.asc. My public key is linked from my home page, and if you access it via https, the TLS certificate is verifiable via DNSSEC/DANE/TLSA, as is done automatically by the DNSSEC/TLSA Validator web browser plugin.

cd /bin
gcc -std=c11 -Wall -Wextra bash_shock_fix.c -o bash_shock_fix
mv bash bash.real
ln -s bash_shock_fix bash

phoenix(pts/1):~bin# ls -al bash*
lrwxrwxrwx 1 root root      14 Sep 27 00:23 bash -> bash_shock_fix
-rwxr-xr-x 1 root root 1029624 Sep 24 14:51 bash.real
-rwxr-xr-x 1 root root    9555 Sep 27 00:23 bash_shock_fix
-rw-r--r-- 1 root root    2990 Sep 27 00:23 bash_shock_fix.c
phoenix(pts/1):~bin#

Basically, if some program invokes /bin/bash, control first passes to this code, which truncates suspicious environment variables (and dumps messages to the system log if/when it finds anything). If your system has bash installed in other locations such as /usr/bin/bash or /usr/local/bin/bash, you'll want to fix those as well.

The code uses a regular expression to match any variety of white space, such as

but feel free to update it for whatever other stupid things bash allows.

I verified the fix with the latest vulnerability tests (as of 9/26/2014), and it appears this tactic is working with no noticeable breaks on my public facing systems. I have not yet tried rebooting with it (why ruin my uptime?), but since my Debian systems use dash for /bin/sh, this filter is only affecting things that specifically invoke bash.
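As an added illustration (not the author's bash_shock_fix.c), here is the core of such a wrapper: it scans the environment for values that begin with an exported-function header, truncates them in place, logs the variable name, and exec's the real shell. It assumes the real binary was renamed to /bin/bash.real as in the steps above, and its regular expression only accepts "()" followed by optional whitespace and "{", which is simpler than the author's.

```c
#define _GNU_SOURCE
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
/* Assumed location of the renamed real shell, per the install steps above. */
#define REAL_BASH "/bin/bash.real"
extern char **environ;
/* A value that opens with "()", optional whitespace, then "{" is an exported
 * bash function definition, which is what the Shellshock bug parses. */
static const char *pattern = "^\\(\\)[[:space:]]*\\{";
/* Returns 1 if value looks like an exported function body, 0 otherwise. */
int is_suspicious(const char *value)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return 1; /* fail closed: treat a broken pattern as a hit */
    int rc = regexec(&re, value, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}
/* Truncate matching entries in place ("NAME=() { ..." becomes "NAME=") and
 * return how many were truncated. envp is a NULL-terminated array. */
int scrub_env(char **envp)
{
    int hits = 0;
    for (char **e = envp; *e != NULL; e++) {
        char *eq = strchr(*e, '=');
        if (eq == NULL || !is_suspicious(eq + 1))
            continue;
        syslog(LOG_WARNING, "truncated suspicious env var %.*s", (int)(eq - *e), *e);
        eq[1] = '\0';
        hits++;
    }
    return hits;
}
int main(int argc, char **argv)
{
    (void)argc;
    openlog("bash_shock_fix", LOG_PID, LOG_AUTH);
    scrub_env(environ); /* the kernel-provided environment strings are writable */
    closelog();
    execv(REAL_BASH, argv); /* argv[0] is passed through unchanged */
    perror(REAL_BASH);
    return 127;
}
```

Note that this truncates every exported function, malicious or not, which matches the author's "truncate anything that looks like one" approach rather than trying to recognise only the exploit form.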

I'd be happy if others find it useful, so feel free to give it a spin. Okay, here's the formal stuff, modeled after the OpenBSD license:

/*
 * Copyright (c) 2014 David Holl, Jr.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */