# Bash Vuln CVE-2014-6271 / CVE-2014-7169 - Fix/Notes

gistfile1.txt

#!/bin/sh
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3.tar.gz

wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-001
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-002
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-003
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-004
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-005
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-006
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-007
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-008
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-009
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-010
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-011
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-012
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-013
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-014
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-015
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-016
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-017
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-018
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-019
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-020
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-021
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-022
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-023
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-024
# CVE-2014-6271 Patch
wget http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-025
# CVE-2014-7169 Patch
wget http://seclists.org/oss-sec/2014/q3/att-690/eol-pushback.patch

# wget http://mystagic.int/redtiger.patch

# Additional Protection - https://access.redhat.com/articles/1200223
wget https://access.redhat.com/sites/default/files/attachments/bash_ld_preload.c
gcc bash_ld_preload.c -fPIC -shared -Wl,-soname,bash_ld_preload.so.1 -o bash_ld_preload.so
cp bash_ld_preload.so /lib/bash_ld_preload.so
echo "/lib/bash_ld_preload.so" >> /etc/ld.so.preload  

# CVE-2014-6271 IPtables Rules Snips
#########################################################################################################
$IPTABLES -N LOGEXPWARN
$IPTABLES -A LOGEXPWARN -p tcp -m limit --limit 2/s --limit-burst 10 -j LOG --log-level 4 --log-prefix "Bash: (warning) -- " --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid        
#########################################################################################################
$IPTABLES -N LOGEXPLOIT
$IPTABLES -A LOGEXPLOIT -p tcp -m limit --limit 2/s --limit-burst 10 -j LOG --log-level 4 --log-prefix "Bash: (exploit) -- " --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid
$IPTABLES -A LOGEXPLOIT -j DROP 
#########################################################################################################
$IPTABLES -N SHELLSHOCK
$IPTABLES -A SHELLSHOCK -p tcp -m string --hex-string '|43 6F 6F 6B 69 65 3A 20 28 29 20 7B|' --algo kmp -j LOGEXPLOIT
$IPTABLES -A SHELLSHOCK -p tcp -m string --hex-string '|48 6F 73 74 3A 20 28 29 20 7B|' --algo kmp -j LOGEXPLOIT
$IPTABLES -A SHELLSHOCK -p tcp -m string --hex-string '|52 65 66 65 72 65 72 3A 20 28 29 20 7B|' --algo kmp -j LOGEXPLOIT
$IPTABLES -A SHELLSHOCK -p tcp -m string --hex-string '|3A 20 28 29 20 7B|' --algo kmp -j LOGEXPWARN
$IPTABLES -A SHELLSHOCK -p tcp -m string --hex-string '|28 29 20 7B|' --algo kmp -j LOGEXPWARN
#########################################################################################################
$IPTABLES -A INPUT -p tcp --dport 80 -m conntrack --ctstate ESTABLISHED,RELATED -j SHELLSHOCK
#########################################################################################################

wget -r --no-parent http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/