[plug] Bash vulnerability
Jason Nicholls
jason at mindsocket.com.au
Fri Sep 26 06:12:53 UTC 2014
Is there some reason people aren't doing automatic security updates? RHEL
and Ubuntu already released updates and all my systems fixed themselves.
I've also gone in to verify and it seems to be good.
I also did some testing through the product I work on which is based on
Tomcat. We don't use CGI and it's disabled by default but some of our
customers turn it on. So I enabled it, wrote a trivial shell script and
found I was able to exploit it on a vulnerable system. Now that's pretty
scary!
On Fri, Sep 26, 2014 at 1:36 PM, Chris Hoy Poy <chris at hoypoy.id.au> wrote:
>
> http://www.itnews.com.au/News/396197,first-shellshock-botnet-attacks-akamai-us-dod-networks.aspx?eid=3&edate=20140926&utm_source=20140926_PM&utm_medium=newsletter&utm_campaign=daily_newsletter
>
>
> ------------------------------
> *From: *"BillK" <billk at iinet.net.au>
> *To: *plug at plug.org.au
> *Sent: *Friday, 26 September, 2014 1:33:20 PM
> *Subject: *Re: [plug] Bash vulnerability
>
>
> Gentoo listed an advisory yesterday so I updated the bulk of machines and
> vm's. This morniing they reissued it with another version as it didn't
> properly fix the problem ... Have to do it all over again tonight :(
>
> Have not heard of an exploit in the wild yet ...
>
> On 26 September 2014 1:08:20 pm AWST, Brad Campbell <brad at fnarfbargle.com>
> wrote:
>>
>> On 25/09/14 11:00, Brad Campbell wrote:
>>
>>> So I did the right thing and went and ensured all our servers were
>>> appropriately patched, however I individually tested each one first.
>>>
>>> We are running various version of Debian and Ubuntu with some VM's
>>> dating back to Debian 5 and Ubuntu 10.04LTS all the way to current for
>>> both. None of these had a version of bash that responded at all to the
>>> test exploit being posted around. How odd.
>>>
>>> My western digital mybook is vulnerable however.
>>>
>>
>> Ok, so that is solved.
>> I used this line from an article at Theregister.co.uk :
>>
>> env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
>>
>> Anyone see the obvious problem with it when used on Debian systems?
>> That's right Freddie, Debian
>> has /bin/bash and /bin/sh and they are
>> different interpreters. On my systems /bin/sh points to dash.
>>
>> Changing that to :
>>
>> env X="() { :;} ; echo busted" /bin/bash -c "echo stuff"
>>
>> shows my remaining unpatched systems are vulnerable.
>>
>> I'll put the brown paper bag on now.
>>
>> ------------------------------
>>
>> PLUG discussion list: plug at plug.org.au
>> http://lists.plug.org.au/mailman/listinfo/plug
>> Committee e-mail: committee at plug.org.au
>> PLUG Membership: http://www.plug.org.au/membership
>>
>>
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership
>
>
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership
>
--
Jason Nicholls
jason at mindsocket.com.au
0430 314 857
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20140926/2978d3c3/attachment.html>
More information about the plug
mailing list