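// 2>/dev/null ; cat > bash-wrapper.c <<__EOF__
/*
 * See http://seclists.org/oss-sec/2014/q3/650
 * also http://seclists.org/oss-sec/2014/q3/671
 *
 * Wrap bash with something which removes every environment variable that
 * looks like an exported shell function (NAME=() ...), so the real bash
 * never gets to parse it.
 *
 * Errors, corrections, fixes, improvements, credits, beers, or money to
 * nick-bashwrap@noseynick.net
 *
 * This is both C, and a shell tester / installer.  You can probably:
 * # wget -O- http://noseynick.net/files/bash-wrapper.txt | sh
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Where the wrapper hands control once the environment is filtered.
 * The install script below moves the original /bin/bash here. */
#define REAL_BASH "/bin/bash.real"

/* Marker used to recognise an exported shell function: a value that begins
 * with "()" (see the seclists links above).  Matching "=()" anywhere in the
 * NAME=VALUE string is deliberately broad - it also rejects e.g.
 * FOO="BAR=()" - which the original author notes as an accepted
 * imperfection; the wrapper errs on the side of dropping entries. */
#define FUNC_MARKER "=()"

/*
 * Build a copy of the incoming environment that omits every entry containing
 * FUNC_MARKER, report each dropped entry on stderr, and exec REAL_BASH with
 * the filtered environment.  argv is passed through unchanged, so the real
 * bash sees the same argv[0] and arguments.
 *
 * Returns only on failure: an allocation failure or a failed execve() is
 * reported with perror() and the exit status is EXIT_FAILURE.
 */
int main(int argc, char **argv, char **envp_in)
{
    (void)argc;

    /* Count the incoming entries; tolerate a NULL envp rather than
     * dereference it. */
    size_t count = 0;
    if (envp_in) {
        while (envp_in[count]) {
            count++;
        }
    }

    /* One slot per incoming entry plus the terminating NULL.  calloc()
     * zero-fills and checks the size multiplication for overflow. */
    char **envp = calloc(count + 1, sizeof *envp);
    if (!envp) {
        perror("bash-wrapper: calloc");
        return EXIT_FAILURE;
    }

    /* Selectively copy the entries that do not contain FUNC_MARKER.
     * NOTE this is certainly not perfect (see FUNC_MARKER), but it is a
     * first attempt.  The offending entry is echoed verbatim on stderr. */
    size_t kept = 0;
    for (size_t i = 0; i < count; i++) {
        if (strstr(envp_in[i], FUNC_MARKER)) {
            fprintf(stderr, "EXPLOIT ATTEMPT? %s\n", envp_in[i]);
        } else {
            envp[kept++] = envp_in[i];
        }
    }
    /* terminate the list properly: */
    envp[kept] = NULL;

    /* exec the REAL bash with the CLEAN envp.  execve() only returns on
     * failure, so anything after it is the error path. */
    execve(REAL_BASH, argv, envp);
    perror("bash-wrapper: execve " REAL_BASH);
    free(envp);
    return EXIT_FAILURE;
}

/* Install / test script follows
__EOF__
(ST='*'; echo "$ST/") >> bash-wrapper.c
echo "### Building wrapper:"
make bash-wrapper
strip bash-wrapper
# Refuse to go any further without a wrapper binary: moving /bin/bash aside
# with nothing to put in its place would leave the system without a shell.
if [ ! -x bash-wrapper ]; then
  echo "### Build failed - not installing"
  exit 1
fi
chmod -v 755 bash-wrapper
chown -v root:wheel bash-wrapper || chown -v root:root bash-wrapper
echo "### First test - see http://seclists.org/oss-sec/2014/q3/650"
FOO='() { echo foo; }; echo VULNERABLE' /bin/bash -c "echo test" \
  | grep ^VULN && INST_WRAP=1
echo "### Second test - see http://seclists.org/oss-sec/2014/q3/671"
FOO='() { (a)=>\' /bin/bash -c "testing-bash-wrapper echo VULNERABLE"
cat testing-bash-wrapper 2>/dev/null && INST_WRAP=1
if [ "$INST_WRAP" ]; then
  rm -fv testing-bash-wrapper
  # Never install twice: if /bin/bash.real already exists, a second run would
  # move the wrapper itself there and the wrapper would then exec itself in a
  # loop.  Abort instead of prompting (stdin may be the piped script).
  if [ -e /bin/bash.real ]; then
    echo "### /bin/bash.real already exists - not installing again"
    exit 1
  fi
  echo "### Installing wrapper:"
  mv -v /bin/bash /bin/bash.real && mv -v bash-wrapper /bin/bash
  echo "### Re-testing:"
  FOO='() { (a)=>\' /bin/bash -c "testing-bash-wrapper echo VULNERABLE"
fi
cat testing-bash-wrapper 2>/dev/null || echo "### I THINK you are clean"
rm -fv testing-bash-wrapper # end of test / install script */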