Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How to revert shellshocker? #37

Open
dionysius opened this issue Oct 3, 2014 · 13 comments
Open

How to revert shellshocker? #37

dionysius opened this issue Oct 3, 2014 · 13 comments

Comments

@dionysius
Copy link

Debian squeeze-lts here. I'd like to stick to the repository packages when they've patched the vulnerabilities. How can I revert the changes made by shellshocker fix script?

@dionysius dionysius changed the title How to uninstall shellshocker? How to revert shellshocker? Oct 3, 2014
@wreiske
Copy link
Owner

wreiske commented Oct 3, 2014

Have you tried just running an apt-get install bash?

@dionysius
Copy link
Author

bash-4.3# dpkg -l | grep bash
dpkg -l | grep bash
ii bash 4.1-3+deb6u2 The GNU Bourne Again SHell

bash-4.3# bash --version
bash --version
GNU bash, Version 4.3.29(1)-release (x86_64-unknown-linux-gnu)

they're not the same. I assume 4.3 is the shellshocker, but have updated bash recently and got 4.1. The shellshocker variant seems to be active.

@mhensler
Copy link
Contributor

mhensler commented Oct 3, 2014

Can you show the output of which bash as well as the path to the bash binary from dpkg?

@wreiske
Copy link
Owner

wreiske commented Oct 3, 2014

Any reason why you don't want to use the most up to date version of bash? (4.3.29)

You'll need to find where your package manager installed bash. (try whereis bash, which bash, etc).

Have you tried going into the build directory "~/bash-shellshocker/bash-4.3" and running a make uninstall?

Sorry, i'm away from my keyboard right now so I can't help much at the moment.

@dionysius
Copy link
Author

Actually its also good not to have the most recent version. the old version of openssl saved me tons of trouble cause of the heartbleed bug. it was older than first implemented.

back to topic:

Yes bash was updated after shellshocker fix script.

~# whereis bash
bash: /bin/bash /etc/bash.bashrc /usr/local/bin/bash /usr/share/man/man1/bash.1.gz
~# which bash
/usr/local/bin/bash

And no problem, this issue has not to hurry

@wreiske
Copy link
Owner

wreiske commented Oct 4, 2014

I ran a make clean and it seemed to remove it.

@mhensler
Copy link
Contributor

mhensler commented Oct 7, 2014

@dionysius, can you confirm that make clean resolves your issue?

@dionysius
Copy link
Author

Yes absolutely. Curious i didn't catch that point myself

Am Dienstag, 7. Oktober 2014 um 20:29 schrieb Mark Hensler:

@dionysius (https://github.com/dionysius), can you confirm that make clean resolves your issue?


Reply to this email directly or view it on GitHub (#37 (comment)).

@BlackBrix
Copy link

you should provide a detailed "uninstall" instruction on your shellshocker -website,
how one can get back to the "stock" bash version of the package-manager of the distribution.

because after installing your shellshock patch script,
the bash package will get no (regular) updates at all via the package-manager (e.g. APT) in future (!)

Because after some time the different Linux-distributions will provide full patched (or backported) bash versions themselves,
and then the admins and users want to go back to the "regular" bash versions maintained automatically by their package-manager (e.g. APT)...

@ma0ho
Copy link

ma0ho commented Oct 17, 2014

Hmm.. I have the same issue but a make clean in "~/bash-shellshocker/bash-4.3" does not resolve the problem for me. I also tried make uninstall with no effect.

which bash outputs "/bin/bash"
bash --version sais "GNU bash, version 4.3.30(2)-release"
dpkg -l | grep bash sais "4.2+dfsg-0.1+deb7u3"

I'd also like to get the default one back to ensure updates etc. Any suggestions?

@ma0ho
Copy link

ma0ho commented Oct 17, 2014

Ok, just found a solution by myself. I un- and then re-installed the bash package. This is what I did:

  1. Change the login shell of your user and root: vim /etc/passwd
  2. Logout and relogin (you should now be logged in with /bin/sh)
  3. Run apt-get remove bash and apt-get install bash

Now it worked again (for me). Please not that this procedure is not without risk. Make a system backup before proceeding!

@BlackBrix
Copy link

"make clean" and "make uninstall" did unfortunately NOT work on my side too ...

@ma0ho
thanks for your hint but it didn't work for me Debian 6 / Debian 7,
everything messed up then and had to restore the backup :-/

would be good if the authors of shellshocker tell somthing about that issue,
but I think they have turned to new tasks ...

@BlackBrix
Copy link

@ma0ho
OK now I managed it:
quite often under debian /bin/sh is already** a symlink to /bin/bash (the new bash which we want to uninstall),
so for debian* do:
0. make a complete backup.

  1. Change the login shell of your user and root from /bin/bash to /bin/sh where necessary (e.g. by using editor vim /etc/passwd)
  2. Change the symlink /bin/sh to point/link to the debian distri-shell -> bin/dash
  3. Logout and relogin (you should now be logged in with /bin/dash)
  4. Run apt-get remove bash -f
  5. see if there are still the following files present and delete them manually if necessary:
    /bin/bash
    /bin/bashbug
    /usr/local/bin/bash
    /usr/local/bin/bashbug
  6. Run apt-get install bash
  7. run whereis bash and see if the output is
    bash: /bin/bash /etc/bash.bashrc /usr/share/man/man1/bash.1.gz
  8. try to open a bash shell by just typing bash
    and run bash --version then
    and see if the output is the latest Debian distri version e.g.:
    GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
  9. Change back the symlink /bin/sh to point/link to the bash -> bin/bash
  10. Change back the login shell of your user and root from /bin/sh to /bin/bash where necessary (e.g. by using editor vim /etc/passwd)
  11. Logout completely from all (nested) shells (exit several times) and relogin (you should now be logged in with /bin/bash)
  12. test again (with root- and user- logins):
    # which bash
    /bin/bash
    # whereis bash
    bash: /bin/bash /etc/bash.bashrc /usr/share/man/man1/bash.1.gz
    # bash --version
    GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu) ...
  13. finally: delete the folder /root/bash-shellshocker and all its containing files and subfolders
  14. now you're clean again ...

15.) optional:
do
apt-get update
apt-get upgrade
and then check with
curl https://shellshocker.net/shellshock_test.sh | bash
you should see 7 times not vulnerable
because "debian 7" and "debian 6 lts" versions of bash are already updated/backported the right way...


*(tested under debian 7 and debian 6 lts)

**(because typical "debian-webserver-installation-instructions" contains the recommendation to use
dpkg-reconfigure dash at the very beginning
and then
Use dash as the default system shell (/bin/sh)?
answered with No)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants
@dionysius @ma0ho @mhensler @wreiske @BlackBrix and others