[plug] Bash vulnerability
Brad Campbell
brad at fnarfbargle.com
Fri Sep 26 05:08:20 UTC 2014
On 25/09/14 11:00, Brad Campbell wrote:
> So I did the right thing and went and ensured all our servers were
> appropriately patched, however I individually tested each one first.
>
> We are running various version of Debian and Ubuntu with some VM's
> dating back to Debian 5 and Ubuntu 10.04LTS all the way to current for
> both. None of these had a version of bash that responded at all to the
> test exploit being posted around. How odd.
>
> My western digital mybook is vulnerable however.
Ok, so that is solved.
I used this line from an article at Theregister.co.uk :
env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
Anyone see the obvious problem with it when used on Debian systems?
That's right Freddie, Debian has /bin/bash and /bin/sh and they are
different interpreters. On my systems /bin/sh points to dash.
Changing that to :
env X="() { :;} ; echo busted" /bin/bash -c "echo stuff"
shows my remaining unpatched systems are vulnerable.
I'll put the brown paper bag on now.
More information about the plug
mailing list