Comments on Errata Security: Bash 'shellshock' bug as big as Heartbleed
Feed author: David Maynor. Feed last updated 2024-01-16T05:48:33-05:00.

Unknown (2014-09-29 08:54 -04:00):
Lolo, I disagree. While I agree that the most frequent, most obvious hole is cgi-bin spawned from Apache, there are other targets. For instance you could have an exec() statement (or one of the related ones) inside a php script.
You yourself might not be directly affected, but a (small?) percentage of servers on the internet are hackable right now. A small percentage of half a billion servers is not nothing.
There are various stat-reporting packages that are cgi-bin based and other standard tools. Hackers will be scouring the internet for servers that have that. We will see shellshock scans for a long time to come, probably.

Anonymous (2014-09-29 08:42 -04:00):
False, wrong, hoax: the bug is not affecting everyone on the web, but just those having specific websites using (insecure) cgi-bin.
Why are people so crazy about it, I don't know. For myself, I won't update bash. I don't see the necessity.
Heartbleed was indeed a bigger big deal.

Xiatian (2014-09-27 04:36 -04:00):
In other news: NetBSD and FreeBSD now offer a build-time option that enables function imports from envvars (disabled by default) for the bash port.

To quote:

> It is not wise to expose bash's parser to the internet and then debug it live while being attacked.

Unknown (2014-09-26 21:43 -04:00):
PS. The GNU site today made available patch 26, which plugs the hole completely.... It compiles from source without too much hassle. Careful installing! By default it goes in /usr/local somewhere, which won't be good enough. Copying it to /bin/bash, you'd have to chmod o+rx afterwards.

Pat (2014-09-26 17:14 -04:00):
CUPS can run shell filters. Most of them have #!/bin/sh; textonly has #!/bin/bash (WTF?). So on Debian and Ubuntu systems that symlink /bin/dash to /bin/sh, no real problem except for textonly.

Now CUPS isn't normally exposed outside a firewall (unless you happen to have it on your laptop and connect to a public wifi network).

I do agree that while the exploit is severe, it may not be as widespread as the media and some "experts" say it is. For example, the default shell on dd-wrt and openwrt is busybox, as a lot of the supported routers only have 4-16MB of FLASH and 2-64MB of RAM.
While bash is available as an installable package for embedded routers, it's not used extensively, and isn't installed as /bin/sh, so things that shell out like udhcpc won't touch it.

Tanner Brockwell (2014-09-26 08:41 -04:00):
I have created a Public Domain svg shellshock logo:
Shellshock Logo SVG (http://www.tannerbrockwell.com/shellshock/), courtesy of Tanner Brockwell

Chortos-2 (2014-09-25 17:06 -04:00):
I'm completely with Unknown and 古明地さとり.

Also, why is nobody panicking about the ability to override builtins and /bin tools by passing functions of the same names in environment variables? Merely because it's harder to exploit?

Unknown (2014-09-25 15:51 -04:00):
Sergey, thanks, that makes sense. However, causing an environment variable to contain a malicious script is not enough. Something has to spawn a bash process. Cgi-bin can cause that, but who uses that these days?
Any other ideas of spawning bash processes in remote services like Apache?
~Mike

Anonymous (2014-09-25 15:41 -04:00):
I didn't understand a thing......

Anonymous (2014-09-25 15:00 -04:00):
Apparently, the stuff like user-agent, context type, or some other stuff usually sent in headers is provided to CGI scripts (e.g.: bash) using environment variables. So, in order to run an arbitrary command, all you need to do is send a slightly mangled user agent string.
So, yes, this is pretty exploitable.

Unknown (2014-09-25 14:48 -04:00):
So even patched to the latest 4.3.25, even though test 1 no longer shows the bug, test 2 still fails.

So, it seems that there exists no full fix for this bug up till now.

Anonymous (2014-09-25 14:22 -04:00):
Check out https://shellshocker.net/ for an online vulnerability tester and also a guide to fix your system.

Paul (2014-09-25 14:18 -04:00):
PANIC!!

Unknown (2014-09-25 11:59 -04:00):
Please correct me if I'm not understanding this properly. Everyone is going OMG OMG OMG I has bash on my system, therefore any hacker can suddenly do anything on any Linux computer that's out there, including my desktop, android phone, and any VPS Linux hosting servers I have....

In order for this to be exploited, all of the following must happen:

1) expose a service on the internet
2) that service has a feature where a parameter or argument that originates from the user side is placed in an environment variable, intended to be used by bash.
3) that service spawns bash to perform some task

And less likely, the other way around.
Where you run client side software that has a feature that spawns bash to perform a task, where the server side gets to decide on something that ends up in an environment variable on the client side.

So. This means that a hacker just accessing a webpage is not going to be able to use this security hole.
A CGI script is an obvious risk, but who uses that anymore? To feed dynamic content, much more often it is things like php and Java using JSP and things like that. Neither of those ends up using bash, and even if it did, there is no way to influence an environment variable.

Then there is talk about "but you have telnet on your system, therefore you're screwed". Ok, I have telnet. So now what. A hacker can invoke my telnet app? No. I'm going to telnet into a malicious server?
Ok, so, I might use telnet to debug a remote html server. telnet google.ca 80. And then type "GET /" enter enter. Even if Google tried, could they inject something causing bash to run something for them? No way.

Yes, this bug is big, I'm sure. But it seems to me that the stars kind of have to line up for a hacker to do anything with it. Anything that spawns bash where an environment variable is used to store an argument...

That's it, isn't it?

And I'd love to patch it, but on my Ubuntu 13.10 box, upgrading bash only got bash to version 4.2.45.
A remote server is using Ubuntu 9.10. apt-get doesn't appear to work anymore on that one.
So now what. Compile a patched bash executable from source? Probably would be dependency hell to get it to compile.

So, am I panicking too much, or too little here?

Anonymous (2014-09-25 10:11 -04:00):
sudo apt-get install --only-upgrade bash

source: http://www.linuxnews.pro/patch-bash-shell-shock-centos-ubuntu/

Xiatian (2014-09-25 05:25 -04:00):
I'm still unsure how any embedded devices (routers among them) are vulnerable to this particular CVE.

Can you please point me at router firmware (or custom router firmware) that actually uses bash, the latter being one of the slowest and most resource-hogging shells? Almost all Linux-based routers run Busybox, which implements its own tiny shell.

This also does not affect the majority of *NIX/BSD servers, as those usually don't have bash (besides possible personal user shells, and those that host CGI scripts that specifically use #!/usr/bin/bash instead of #!/bin/sh; /bin/sh is never bash in this case). The same can be said about Ubuntu, which uses dash as its /bin/sh replacement. As in, the vulnerability can be exploited on these systems, but only locally (and probably only if there are setuid bash scripts; otherwise all you get is to run some code with your own effective UID/GID).

nummy (2014-09-24 20:17 -04:00):
shellshock
http://i.imgur.com/h4wSK8f.png

Anonymous (2014-09-24 18:48 -04:00):
Thank you for a down-to-earth summary, rather than the rhetoric driving clicks. Very much appreciated.

Thomas Reed (2014-09-24 16:43 -04:00):
Never mind my previous comment, I've done some further research... seems a bit shocking that some server processes will take untrusted input provided by the user and stick it into a bash environment variable. Or is that just my ignorance of web server processes talking?

Thomas Reed (2014-09-24 15:45 -04:00):
This comment has been removed by the author.