<div dir="ltr"><div>Is there some reason people aren't doing automatic security updates? RHEL and Ubuntu already released updates and all my systems fixed themselves. I've also gone in to verify and it seems to be good.</div><div><br></div><div>I also did some testing through the product I work on which is based on Tomcat. We don't use CGI and it's disabled by default but some of our customers turn it on. So I enabled it, wrote a trivial shell script and found I was able to exploit it on a vulnerable system. Now that's pretty scary!</div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 26, 2014 at 1:36 PM, Chris Hoy Poy <span dir="ltr"><<a href="mailto:chris@hoypoy.id.au" target="_blank">chris@hoypoy.id.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-family:Arial;font-size:12pt;color:#000000"><div><a href="http://www.itnews.com.au/News/396197,first-shellshock-botnet-attacks-akamai-us-dod-networks.aspx?eid=3&edate=20140926&utm_source=20140926_PM&utm_medium=newsletter&utm_campaign=daily_newsletter" target="_blank">http://www.itnews.com.au/News/396197,first-shellshock-botnet-attacks-akamai-us-dod-networks.aspx?eid=3&edate=20140926&utm_source=20140926_PM&utm_medium=newsletter&utm_campaign=daily_newsletter</a></div><div><br></div><div><br></div><hr><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><b>From: </b>"BillK" <<a href="mailto:billk@iinet.net.au" target="_blank">billk@iinet.net.au</a>><br><b>To: </b><a href="mailto:plug@plug.org.au" target="_blank">plug@plug.org.au</a><br><b>Sent: </b>Friday, 26 September, 2014 1:33:20 PM<br><b>Subject: </b>Re: [plug] Bash vulnerability<div><div class="h5"><br><div><br></div>Gentoo listed an advisory yesterday so I updated the bulk of machines and vm's. 
This morning they reissued it with another version as it didn't properly fix the problem ... Have to do it all over again tonight :(<br>
<br>
Have not heard of an exploit in the wild yet ...<br><div><br></div><div class="gmail_quote">On 26 September 2014 1:08:20 pm AWST, Brad Campbell <<a href="mailto:brad@fnarfbargle.com" target="_blank">brad@fnarfbargle.com</a>> wrote:<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<pre>On 25/09/14 11:00, Brad Campbell wrote:<br><blockquote class="gmail_quote" style="margin:0pt 0pt 1ex 0.8ex;border-left:1px solid #729fcf;padding-left:1ex"> So I did the right thing and went and ensured all our servers were<br> appropriately patched, however I individually tested each one first.<br><div><br></div> We are running various versions of Debian and Ubuntu with some VM's<br> dating back to Debian 5 and Ubuntu 10.04LTS all the way to current for<br> both. None of these had a version of bash that responded at all to the<br> test exploit being posted around. How odd.<br><div><br></div> My western digital mybook is vulnerable however.<br></blockquote><br>Ok, so that is solved.<br>I used this line from an article at <a href="http://Theregister.co.uk" target="_blank">Theregister.co.uk</a> :<br><div><br></div>env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"<br><div><br></div>Anyone see the obvious problem with it when used on Debian systems?<br>That's right Freddie, Debian
has /bin/bash and /bin/sh and they are <br>different interpreters. On my systems /bin/sh points to dash.<br><div><br></div>Changing that to :<br><div><br></div>env X="() { :;} ; echo busted" /bin/bash -c "echo stuff"<br><div><br></div>shows my remaining unpatched systems are vulnerable.<br><div><br></div>I'll put the brown paper bag on now.<br><div><br></div><hr><br>PLUG discussion list: <a href="mailto:plug@plug.org.au" target="_blank">plug@plug.org.au</a><br><a href="http://lists.plug.org.au/mailman/listinfo/plug" target="_blank">http://lists.plug.org.au/mailman/listinfo/plug</a><br>Committee e-mail: <a href="mailto:committee@plug.org.au" target="_blank">committee@plug.org.au</a><br>PLUG Membership: <a href="http://www.plug.org.au/membership" target="_blank">http://www.plug.org.au/membership</a><br></pre></blockquote></div><br>
-- <br>
Sent from my Android phone with K-9 Mail. Please excuse my brevity.<br></div></div></div><div><br></div></div></div><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Jason Nicholls<br><a href="mailto:jason@mindsocket.com.au" target="_blank">jason@mindsocket.com.au</a><br>0430 314 857<br>
</div>
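<div>The false negative described in the thread (probing /bin/sh on a system where it is dash, not bash) can be avoided by confirming that a path really is bash before trusting a clean result. The script below is an added example, not part of any message in the thread; the function names are hypothetical, the candidate paths are assumptions, and the probe string is the one quoted above.</div>

```shell
#!/bin/sh
# Added example: audit local shells with the env-function probe quoted in the thread.
# Function names are hypothetical; candidate paths at the bottom are assumptions.

# Resolve a path through symlinks so the report shows the real interpreter.
real_shell() {
    readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"
}

# Turn the probe's output into a verdict.
classify_output() {
    case $1 in
        *busted*) echo vulnerable ;;   # trailing command in X was executed
        *stuff*)  echo patched ;;      # only the intended command ran
        *)        echo unknown ;;
    esac
}

# Print one of: missing, not-bash, vulnerable, patched, unknown.
probe_shell() {
    sh_path=$1
    [ -x "$sh_path" ] || { echo missing; return 0; }
    # Only bash imports function definitions from the environment. dash and
    # other shells ignore X, so a clean result from them says nothing about
    # the bash binary installed next to them.
    ver=$("$sh_path" -c 'echo "$BASH_VERSION"' 2>/dev/null) || true
    [ -n "$ver" ] || { echo not-bash; return 0; }
    out=$(env X='() { :;} ; echo busted' "$sh_path" -c 'echo stuff' 2>/dev/null) || true
    classify_output "$out"
}

# Report every candidate path, its resolved target and the verdict.
audit_shells() {
    for s in "$@"; do
        printf '%s -> %s: %s\n' "$s" "$(real_shell "$s")" "$(probe_shell "$s")"
    done
}

audit_shells /bin/sh /bin/bash /usr/local/bin/bash
```

<div>A "patched" verdict only means this one probe did not fire; as the thread notes, a first round of distribution fixes was reissued, so the installed package version should still be compared with the vendor's current advisory.</div>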