I got tired of the hysteria surrounding the recently discovered "shellshock" vulnerability in bash, so I've created a mitigation for it. It is loosely based on an old stunt I learned as a university sysadmin in the late 1990s for restricting user host logins: the shells were replaced with symlinks to a small C program which performed our checks before exec'ing the real shell. This seemed to work just fine with respect to pipes (stdin/stdout/stderr) and process IDs, so I thought I'd try the same approach here.
The code is bash_shock_fix.c, and the detached signature is bash_shock_fix.c.asc. My public key is linked from my home page, and if you access it via HTTPS, the TLS certificate is verifiable via DNSSEC/DANE/TLSA, as is handled automatically by the DNSSEC/TLSA Validator web browser plugin.
cd /bin
gcc -std=c11 -Wall -Wextra bash_shock_fix.c -o bash_shock_fix
mv bash bash.real
ln -s bash_shock_fix bash

phoenix(pts/1):~bin# ls -al bash*
lrwxrwxrwx 1 root root      14 Sep 27 00:23 bash -> bash_shock_fix
-rwxr-xr-x 1 root root 1029624 Sep 24 14:51 bash.real
-rwxr-xr-x 1 root root    9555 Sep 27 00:23 bash_shock_fix
-rw-r--r-- 1 root root    2990 Sep 27 00:23 bash_shock_fix.c
phoenix(pts/1):~bin#
Basically, if some program invokes /bin/bash, control first passes to this code, which truncates suspicious environment variables (and logs a message to the system log whenever it finds one). If your system has bash installed in other locations such as /usr/bin/bash or /usr/local/bin/bash, you'll want to fix those as well.
The code uses a regular expression to match for any variety of white space such as
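To show the mechanism concretely, here is an added example of such a wrapper. It is my own illustration, not the bash_shock_fix.c from this post: it scans the environment for values that look like exported function bodies, empties them, logs the variable name via syslog, and then execs the real interpreter at /bin/bash.real (the path the mv step above creates). The exact regular expression is an assumption of what "any variety of white space" means; the value prefix it looks for is the function-export form that the shellshock reports describe.

```c
/* bash_shock_fix-style wrapper (added example, not the original source).
 * Build:  gcc -std=c11 -Wall -Wextra wrapper.c -o bash_shock_fix
 * Install exactly as in the post: mv bash bash.real; ln -s bash_shock_fix bash
 */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

extern char **environ;

/* Path of the renamed real shell, as created by "mv bash bash.real" above. */
#define REAL_BASH "/bin/bash.real"

/* Assumed pattern: value begins with "()" followed by any run of whitespace
 * (space, tab, newline, ...) and then "{" -- bash's exported-function form. */
static const char *PATTERN = "^\\(\\)[[:space:]]*\\{";

/* Returns 1 if the NAME=VALUE entry's value looks like an exported function,
 * 0 otherwise (including malformed entries without '='). */
int is_function_export(const char *entry)
{
    regex_t re;
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;
    if (regcomp(&re, PATTERN, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;
    int hit = regexec(&re, eq + 1, 0, NULL, 0) == 0;
    regfree(&re);
    return hit;
}

/* Truncates the value of every matching entry in place (the entry becomes
 * "NAME=") and logs the variable name. Returns the number of entries changed. */
int scrub_environment(char **envp)
{
    int changed = 0;
    for (char **e = envp; e != NULL && *e != NULL; e++) {
        if (!is_function_export(*e))
            continue;
        char *eq = strchr(*e, '=');   /* non-NULL: is_function_export checked it */
        syslog(LOG_WARNING, "dropped function export in env var %.*s",
               (int)(eq - *e), *e);
        eq[1] = '\0';                 /* keep the name, drop the body */
        changed++;
    }
    return changed;
}

int main(int argc, char **argv)
{
    (void)argc;
    openlog("bash_shock_fix", LOG_PID, LOG_AUTH);
    scrub_environment(environ);
    closelog();
    /* argv (including argv[0] and any -c/-l flags) is passed through untouched,
     * and stdin/stdout/stderr and the PID are inherited by the real shell. */
    execv(REAL_BASH, argv);
    perror("execv " REAL_BASH);
    return 127;
}
```

Two caveats worth knowing before installing something like this: it strips every exported bash function, including legitimate ones created with export -f, so scripts that rely on functions surviving a nested bash invocation will stop working; and it only protects invocations that actually go through the replaced path, which is why the post tells you to repeat the procedure for every bash binary on the system.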
I verified the fix with the latest vulnerability tests (as of 9/26/2014), and this tactic appears to be working with no noticeable breakage on my public-facing systems. I have not yet tried rebooting with it (why ruin my uptime?), but since my Debian systems use dash for /bin/sh, this filter only affects things that specifically invoke bash.
I'd be happy if others find it useful, so feel free to give it a spin. Okay, here's the formal stuff, modeled after OpenBSD's license:
/*
 * Copyright (c) 2014 David Holl, Jr.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */