
Bash Bug...

Comments

  • Registered Users, Registered Users 2 Posts: 2,626 ✭✭✭timmywex


    Keyzer wrote: »
    My Twitter feed went nuts last night about this.

    http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

    I ran the test on my own MacBook Pro (2013 model) and it failed.

    I'm trying to find more info on how exactly this vulnerability can be exploited.

    It should be a high priority fix across any systems in organisations as it is fairly serious.

    Bit more information here and a way to test https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

    Exploit code available and a metasploit module released for it already

    Talk that it's as big or bigger than Heartbleed due to the sheer volume of systems...


  • Closed Accounts Posts: 824 ✭✭✭Kinet1c


    My own 14.04 install failed too, was up to date as of last week. Ran an update and it's not vulnerable now. Would be interested in the application of the vulnerability too.


  • Closed Accounts Posts: 190 ✭✭pedro1234


    I exploited this yesterday using the HTTP vector.
    You need:
    1. a webserver with bash installed
    2. a cgi script which calls a bash script (my bash script just echoed some nonsense)
    3. Update your user agent to: () { ignored; }; /bin/echo 'derp' > /tmp/derp
    4. Make a web request to the cgi and /tmp/derp is created on the web server.

    There's plenty of other more serious vectors though, the most serious being DHCP.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Watch attempts to exploit this on your webservers in real time:


    tcpdump -s0 -w - -i eth0 port 80 |strings|egrep '\(\).*\{.*:;.*\}'


    You may need to change eth0 to em1 if you have a new system.


  • Closed Accounts Posts: 190 ✭✭pedro1234


    syklops wrote: »
    Watch attempts to exploit this on your webservers in real time:


    tcpdump -s0 -w - -i eth0 port 80 |strings|egrep '\(\).*\{.*:;.*\}'


    You may need to change eth0 to em1 if you have a new system.

    Should really watch all ports... Port 80 is only one attack vector.
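
Added example (not part of any post in this thread): the capture filter quoted above requires a literal `:;` inside the braces, so it does not match the `() { ignored; };` User-Agent from the earlier post. Vulnerable bash imported a function from any variable whose value began with the four characters `() {`, so the script below compares the thread's pattern with one anchored on that prefix at the start of a quoted log field. The log lines, addresses and the `PREFIX_RE` pattern are constructed for this example.

```bash
#!/usr/bin/env bash
# Compare two detection patterns on constructed access-log lines.

# Pattern quoted in the thread: needs ":;" between the braces.
THREAD_RE='\(\).*\{.*:;.*\}'
# Assumed alternative: a quoted header field that starts with "() {",
# the prefix bash looked for when importing functions from the environment.
PREFIX_RE='"\(\) \{'

# Constructed sample (combined log format, documentation address ranges).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [26/Sep/2014:10:01:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "() { :;}; /bin/echo probe"
192.0.2.11 - - [26/Sep/2014:10:01:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "() { ignored; }; /bin/echo 'derp' > /tmp/derp"
198.51.100.7 - - [26/Sep/2014:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.8 - - [26/Sep/2014:10:02:09 +0000] "GET /app.js HTTP/1.1" 200 90 "http://example.test/?q=f(){}" "curl/7.38.0"
EOF
}

# $1 = extended regex; prints how many sample lines match.
count_hits() {
  sample_log | grep -Ec -- "$1"
}

# $1 = extended regex; prints the distinct client addresses that matched.
hit_sources() {
  sample_log | grep -E -- "$1" | awk '{print $1}' | sort -u | paste -sd' ' -
}

echo "thread pattern hits: $(count_hits "$THREAD_RE")"
echo "prefix pattern hits: $(count_hits "$PREFIX_RE") from $(hit_sources "$PREFIX_RE")"
```

The fourth line carries `f(){}` in the Referer and is ignored by both patterns; anchoring on the opening quote of the field is what keeps the prefix pattern from matching ordinary JavaScript-like text.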


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    pedro1234 wrote: »
    Should really watch all ports... Port 80 is only one attack vector.

    Well hopefully by now everyone is patched or the risk has been mitigated somehow. I posted that more for the fun of watching people trying to exploit you.


  • Registered Users, Registered Users 2 Posts: 8,516 ✭✭✭dublinman1990


    Hiya folks.

    I just read on the Mirror website that the bash bug is vulnerable to personal devices in your home such as a set-top box, Smart TV, internet connected smart light bulbs and door locks and internet routers.

    http://www.mirror.co.uk/news/technology-science/technology/shellshock-bug-your-computer-one-4321560

    Say if you have a set top box or Smart TV that is running linux software at home, which ones would be affected by this nasty security bug?


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Another POS sh1tbox full of holes bit of software that's been ported all over the place for a quarter of a century that nobody bothered to look at.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Hiya folks.

    I just read on the Mirror website that the bash bug is vulnerable to personal devices in your home such as a set-top box, Smart TV, internet connected smart light bulbs and door locks and internet routers.

    http://www.mirror.co.uk/news/technology-science/technology/shellshock-bug-your-computer-one-4321560

    Say if you have a set top box or Smart TV that is running linux software at home, which ones would be affected by this nasty security bug?

    Anything running linux, assume it's vulnerable. However because of the way internet is shared by your router it __should__ block any direct access to your devices from the internet.

    However, if your router is linux based as well. Well.... There are already worms in the wild. Consumer-router targeting ones won't be far behind.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard




    Everything you need to know about the Shellshock Bash bug

    And for the early patchers, keep an eye out for another patch.
    A number of Linux distributions have already issued patches for the flaw, but Insomnia security researcher Adam Boileau warned they may not be complete.

    “It looks like the patch does not fix every case of environment variables being used to pass on executable code. We are still testing the patch, and hope to have more information on it soon,” Boileau said.

    A number of other security experts highlighted the incomplete nature of the fix on the Red Hat Bugzilla page.

    Apple was yet to issue a patch at the time of writing. iTnews found Bash 3.2 in Apple OS X 10.9.5 was vulnerable to Shellshock.

    Shellshock is rated as 10 out of 10 or the highest possible severity rating by the United States National Vulnerability Database. Furthermore, NVD rated Shellshock as a 10 on the scale when it comes to both impact and exploitability.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Another POS sh1tbox full of holes bit of software that's been ported all over the place for a quarter of a century that nobody bothered to look at.
    Many eyes theory conclusively disproven


    Just because a bug was found in open-source does not disprove the "many eyes" theory. Instead, it's bugs being found now that should've been found sometime in the last 25 years.

    Many eyes are obviously looking at bash now, and they are finding fairly obvious problems. It's obvious that the parsing code in bash is deeply flawed, though any particular bug isn't so obvious. If many eyes had been looking at bash over the past 25 years, these bugs would've been found a long time ago.

    Thus, we know that "many eyes" haven't been looking at bash.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard




  • Closed Accounts Posts: 190 ✭✭pedro1234



    That's an awful article. The headline has no bearing on the story.


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    Apple posted an update yesterday on this. We communicated to our Mac end users accordingly.

    No negative reports from any users yet, however, e-mail is generally ignored in my place of work so hard to know if anyone actioned.

    See below for link, don't blame me if it blows your mac up.

    http://support.apple.com/kb/DL1769


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    pedro1234 wrote: »
    That's an awful article. The headline has no bearing on the story.
    Good story + who cares what the headline is + they are linked anyway.

    Here's stories you should complain about.

