[opensuse] Shellshock attack?
I found this error message in my root mail today:

sh: line 77: syntax error near unexpected token `$'=\\(\\)\\ {\\ \\ eval\\ \\`/usr/share/Modules/\\$MODULE_VERSION/bin/modulecmd\\ bash\\ \\$\\*\\`"\n"}''
sh: line 77: `"}; export BASH_FUNC_module()'

Does this look like a script is trying to exploit the shellshock vulnerability? Or is it a bug in the fix that now requires executable modules to start with BASH_FUNC_ ?

Carlos FL

-- Carlos F Lange Gaúcho nas Pradarias http://goo.gl/fvVhr -- Recursive: Adj. See Recursive.
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 09/10/14 at #4, Carlos F. Lange wrote:
> I found this error message in my root mail today:
>
> sh: line 77: syntax error near unexpected token `$'=\\(\\)\\ {\\ \\ eval\\ \\`/usr/share/Modules/\\$MODULE_VERSION/bin/modulecmd\\ bash\\ \\$\\*\\`"\n"}''
> sh: line 77: `"}; export BASH_FUNC_module()'
>
> Does this look like a script is trying to exploit the shellshock vulnerability?

Yes, likely.

-- Cristian "I don't know the key to success, but the key to failure is trying to please everybody."
On Thu, Oct 9, 2014 at 6:25 PM, Carlos F. Lange wrote:
> Does this look like a script is trying to exploit the shellshock vulnerability?

Are you running any scheduled jobs with at? Do you have the "modules" package installed?

Red Hat is attempting to work with the upstream developers of at to fix this issue [1].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1147043

Brandon Vincent
On Thu, Oct 9, 2014 at 10:34 PM, Brandon Vincent wrote:
> On Thu, Oct 9, 2014 at 6:25 PM, Carlos F. Lange wrote:
>> Does this look like a script is trying to exploit the shellshock vulnerability?
>
> Are you running any scheduled jobs with at? Do you have the "modules" package installed?

I am not running any scheduled jobs with "at". I have "modules" installed. "Mpich" requires "modules".

> Red Hat is attempting to work with the upstream developers of at to fix this issue [1].

"Description of problem: Customer applied shellshock update and now at is broken."

Could it be that openSUSE uses "at" for some system activities?

Carlos FL

-- Carlos F Lange Gaúcho nas Pradarias http://goo.gl/fvVhr -- Recursive: Adj. See Recursive.
On Thu, Oct 9, 2014 at 10:01 PM, Carlos F. Lange wrote:
> Could it be that openSUSE uses "at" for some system activities?

atq(1) while running as root should show scheduled at jobs for all users.

Another way is to run an at job manually and see if you get any more mail.

[root@example ~]# at now
at> ls
at> CTRL-D

Brandon Vincent
On Thu, Oct 9, 2014 at 11:07 PM, Brandon Vincent wrote:
> On Thu, Oct 9, 2014 at 10:01 PM, Carlos F. Lange wrote:
>> Could it be that openSUSE uses "at" for some system activities?
>
> atq(1) while running as root should show scheduled at jobs for all users.
> Another way is to run an at job manually and see if you get any more mail.
>
> [root@example ~]# at now
> at> ls
> at> CTRL-D

It must be something else. "atd" is not even running, so I can't use "at". I have a "cron" job, but it does not seem to be causing problems.

-- Carlos F Lange Gaúcho nas Pradarias http://goo.gl/fvVhr -- Recursive: Adj. See Recursive.
On Thu, Oct 9, 2014 at 10:19 PM, Carlos F. Lange wrote:
> It must be something else. "atd" is not even running, so I can't use "at". I have a "cron" job, but it does not seem to be causing problems.

Well, "/usr/share/Modules/" is part of Environment Modules, so this is definitely related. What was the subject line of the mail you received?

Brandon Vincent
On Thu, Oct 9, 2014 at 11:26 PM, Brandon Vincent wrote:
> On Thu, Oct 9, 2014 at 10:19 PM, Carlos F. Lange wrote:
>> It must be something else. "atd" is not even running, so I can't use "at". I have a "cron" job, but it does not seem to be causing problems.
>
> Well, "/usr/share/Modules/" is part of Environment Modules, so this is definitely related. What was the subject line of the mail you received?

The subject line was: "Output from your job 5"

I had just logged in at the time of the email yesterday. Today's login did not trigger such email.

-- Carlos F Lange Gaúcho nas Pradarias http://goo.gl/fvVhr -- Recursive: Adj. See Recursive.
On Thu, Oct 9, 2014 at 10:36 PM, Carlos F. Lange wrote:
> The subject line was: "Output from your job 5"

That is an output from an at job. Out of curiosity, are you in an environment where you have shared home directories/mail forwarding setup from the root account?

Brandon Vincent
On Thu, Oct 9, 2014 at 11:54 PM, Brandon Vincent wrote:
> On Thu, Oct 9, 2014 at 10:36 PM, Carlos F. Lange wrote:
>> The subject line was: "Output from your job 5"
>
> That is an output from an at job. Out of curiosity, are you in an environment where you have shared home directories/mail forwarding setup from the root account?

No shared directories or mail forwarding. I looked everywhere for a script containing BASH_FUNC_module, but no luck.

# env | grep BASH_FUNC
BASH_FUNC_module()=() { eval `/usr/share/Modules/$MODULE_VERSION/bin/modulecmd bash $*`
BASH_FUNC_mc()=() { . /usr/share/mc/mc-wrapper.sh

These environment variables are in all my machines, so they seem legit.

-- Carlos F Lange Gaúcho nas Pradarias http://goo.gl/fvVhr -- Recursive: Adj. See Recursive.
On Thu, Oct 09, 2014 at 07:25:02PM -0600, Carlos F. Lange wrote:
> I found this error message in my root mail today:
>
> sh: line 77: syntax error near unexpected token `$'=\\(\\)\\ {\\ \\ eval\\ \\`/usr/share/Modules/\\$MODULE_VERSION/bin/modulecmd\\ bash\\ \\$\\*\\`"\n"}''
> sh: line 77: `"}; export BASH_FUNC_module()'
>
> Does this look like a script is trying to exploit the shellshock vulnerability? Or is it a bug in the fix that now requires executable modules to start with BASH_FUNC_ ?

This is a bug in at (caused by the bash fixes), which we will release updates for.

Ciao, Marcus
On Fri, Oct 10, 2014 at 12:10 AM, Marcus Meissner wrote:
> This is a bug in at (caused by the bash fixes), which we will release updates for.
>
> Ciao, Marcus

Thanks Marcus!

-- Carlos F Lange Gaúcho nas Pradarias http://goo.gl/fvVhr -- Recursive: Adj. See Recursive.
Carlos F. Lange wrote:
> I found this error message in my root mail today:
>
> sh: line 77: syntax error near unexpected token `$'=\\(\\)\\ {\\ \\ eval\\ \\`/usr/share/Modules/\\$MODULE_VERSION/bin/modulecmd\\ bash\\ \\$\\*\\`"\n"}''
> sh: line 77: `"}; export BASH_FUNC_module()'
>
> Does this look like a script is trying to exploit the shellshock vulnerability?
> Or is it a bug in the fix that now requires executable modules to start with BASH_FUNC_ ?

The fix DOES require adding an additional 10 characters to the beginning of every function name (in memory). The user function names won't change, but in memory they'll have the BASH_FUNC_ prepended. I tried to talk them out of it, or into something shorter, but was ignored.

It looks like the above was trying to dynamically load a specific module from your /usr/share/Modules/VERSIONED/bin/modulecmd with arguments 'bash $*'.

The function did not terminate correctly because curly brackets are joined with adjacent text (they are not delimiters). I don't think that was always the case and I get caught by it now and then as I tend to place braces on the same lines... the above would have needed a "semicolon" between the "\n" and the '}'....

It looks accidental.
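
The failure mode Marcus Meissner and Linda Walsh describe, as an added sketch that is not code from at, bash or anyone in the thread: the patched bash exports functions under names such as `BASH_FUNC_module()`, which are not valid shell identifiers, so a job script that writes each environment entry as `NAME='value'; export NAME` no longer parses. That serialization is an assumption inferred from the `; export BASH_FUNC_module()` fragment in the error text; the helper names and sample values are hypothetical.

```sh
#!/bin/sh
# Added illustration; not code from at or bash. Helper names are hypothetical.

# Succeed only if $1 is a valid POSIX shell variable name.
is_shell_identifier() {
    case "$1" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Write one job-script line as NAME='value'; export NAME
# (assumed serialization, inferred from the "; export ..." in the error text).
emit_export_line() {
    _val=$(printf '%s' "$2" | sed "s/'/'\\\\''/g")
    printf "%s='%s'; export %s\n" "$1" "$_val" "$1"
}

# Succeed if sh can parse (without running) the line written for NAME/value.
job_line_parses() {
    emit_export_line "$1" "$2" | sh -n 2>/dev/null
}

# Filter names on stdin: keep those safe to serialize, report the rest.
safe_names() {
    while IFS= read -r _name; do
        if is_shell_identifier "$_name"; then
            printf '%s\n' "$_name"
        else
            printf 'skipped, not an identifier: %s\n' "$_name" >&2
        fi
    done
}

# Constructed sample, modelled on the env output quoted in the thread.
SAMPLE_NAMES='PATH
BASH_FUNC_module()
BASH_FUNC_mc()
MODULE_VERSION'
SAMPLE_VALUE='() {  eval `/usr/share/Modules/$MODULE_VERSION/bin/modulecmd bash $*`
}'

for _n in 'MODULE_VERSION' 'BASH_FUNC_module()'; do
    job_line_parses "$_n" "$SAMPLE_VALUE" && echo "$_n: parses" || echo "$_n: syntax error"
done
printf '%s\n' "$SAMPLE_NAMES" | safe_names
```

The same value parses under an ordinary name and fails under the `BASH_FUNC_...()` name, which points to the serialization of the name as the cause of the mail rather than to anything in the function body.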
participants (5): Brandon Vincent, Carlos F. Lange, Cristian Rodríguez, Linda Walsh, Marcus Meissner