Why?
Take the case of a dedicated server that only does let’s say DHCP
or DNS or NTP. It only has one port open to the Internet, and
there’s no way to get to a bash shell via that port. How the
hell is someone going to pass an environment variable to a bash
shell on that server?
*From:* Shayne Lebrun via Af
*Sent:* Sunday, September 28, 2014 8:40 AM
*To:* [email protected]
*Subject:* Re: [AFMUG] Bash specially-crafted environment
variables code injection attack
> I think the articles have maybe overstated the risk a bit, since
> you would need to either authenticate (at least as a regular
> user) to get to a shell, or find a publicly exposed script that
> will pass an environment variable to bash for you.
Please don’t think like this.
*From:* Af [mailto:[email protected]] *On Behalf Of* Ken Hohhof via Af
*Sent:* Saturday, September 27, 2014 1:38 PM
*To:* [email protected]
*Subject:* Re: [AFMUG] Bash specially-crafted environment
variables code injection attack
So maybe I won’t do that.
The newer servers where I could just do a yum update have been
straightforward, as you’d expect.
I think the articles have maybe overstated the risk a bit, since
you would need to either authenticate (at least as a regular
user) to get to a shell, or find a publicly exposed script that
will pass an environment variable to bash for you.
*From:* Jeremy via Af
*Sent:* Saturday, September 27, 2014 12:13 PM
*To:* [email protected]
*Subject:* Re: [AFMUG] Bash specially-crafted environment
variables code injection attack
Our webserver was vulnerable. Tried to fix it without backing it
up first....yeah, I know. Lost it all. So I guess I will be
building a new website from my 2013 backup this weekend. It's a
good thing I carpet bombed my website to prevent anyone from
messing with it!
On Sat, Sep 27, 2014 at 10:25 AM, Ken Hohhof via Af <[email protected]> wrote:
Unfortunately I have a couple old servers running RHEL4 and one
old BlueQuartz webhosting appliance based on CentOS4. I’m a
little reluctant to try compiling the patch myself unless I
switch to a different shell first, if I screw up my command
shell it might be difficult to fix.
Any guess if I’d be safe using the RPM cited in this thread:
http://serverfault.com/questions/631055/how-do-i-patch-rhel-4-for-the-bash-vulnerabilities-in-cve-2014-6271-and-cve-2014
the RPM it points to is:
http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.2.el4.i386.rpm
*From:* Ty Featherling via Af
*Sent:* Saturday, September 27, 2014 10:52 AM
*To:* [email protected]
*Subject:* Re: [AFMUG] Bash specially-crafted environment
variables code injection attack
Yeah probably the NSA! Hahaha!
-Ty
On Sep 26, 2014 10:36 PM, "That One Guy via Af" <[email protected]> wrote:
Man I bet there's some guy who's been exploiting this for 20 years
who is pissed right now
On Fri, Sep 26, 2014 at 1:54 PM, Ty Featherling via Af
<[email protected]> wrote:
CentOS on some, Ubuntu on others. Already got the answers in this
thread though, thanks.
-Ty
On Fri, Sep 26, 2014 at 11:54 AM, Mike Hammett via Af
<[email protected]> wrote:
Which distribution?
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
------------------------------------------------------------------------
*From:* "Ty Featherling via Af" <[email protected]>
*To:* [email protected]
*Sent:* Thursday, September 25, 2014 2:42:31 PM
*Subject:* Re: [AFMUG] Bash specially-crafted environment
variables code injection attack
Noob question but how can I easiest update my linux boxes to get
the latest patches?
-Ty
On Thu, Sep 25, 2014 at 1:59 PM, Josh Reynolds via Af
<[email protected]> wrote:
Upgraded our systems at 6am yesterday for this. Also pulled the
bash .deb out of debian-stable/security for our ubiquiti
edgerouters. (I made a post on the UBNT forum with the CVE
info yesterday.)
Side note: TONS of things are affected by this...
Josh Reynolds, Chief Information Officer
SPITwSPOTS, www.spitwspots.com
On 09/25/2014 10:25 AM, Peter Kranz via Af wrote:
PS.. This vulnerability can be exploited via HTTP/Apache attack
vectors, so you need to patch any vulnerable system running Apache.
Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100
Mobile: 510-207-0000
[email protected]
-----Original Message-----
From: Af [mailto:[email protected]] On Behalf Of Matt via Af
Sent: Thursday, September 25, 2014 10:27 AM
To: [email protected]
Subject: [AFMUG] Bash specially-crafted environment variables code
injection attack
Bash specially-crafted environment variables code injection attack
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
--
All parts should go together without forcing. You must remember
that the parts you are reassembling were disassembled by you.
Therefore, if you can't get them together again, there must be a
reason. By all means, do not use a hammer. -- IBM maintenance
manual, 1925
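
The HTTP/Apache vector named in the thread exists because CGI copies request headers into environment variables such as HTTP_USER_AGENT, and an unpatched bash imports any value beginning with "() {" as a function definition. As an added example, not part of the original thread, this Python sketch scans Apache combined-format access log lines for that prefix; the function name and the sample log lines are constructed for illustration.

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# A pre-patch bash imports an environment value as a function only when the
# value begins with exactly these four characters.
FUNC_PREFIX = "() {"

# Constructed sample lines (documentation IP ranges, harmless "echo probe").
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:27:01 -0700] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:31:44 -0700] "GET /cgi-bin/status.cgi '
    'HTTP/1.1" 200 312 "-" "() { :; }; echo probe"',
    '203.0.113.5 - - [26/Sep/2014:02:14:09 -0700] "GET /cgi-bin/test.sh '
    'HTTP/1.0" 500 0 "() { foo; }; echo probe" "curl/7.30.0"',
    # JavaScript-looking referer: contains "(){" but does not start with "() {"
    '192.0.2.44 - - [26/Sep/2014:08:00:12 -0700] "GET /js/app.js HTTP/1.1" '
    '200 900 "http://example.com/?cb=function(){}" "Mozilla/5.0"',
]


def find_function_prefix_headers(lines):
    """Return (host, field, path, status) for each logged header value that
    starts with the bash function-definition prefix."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.rstrip("\n"))
        if m is None:
            continue  # not combined format; skip rather than guess
        parts = m.group("request").split(" ")
        path = parts[1] if len(parts) > 1 else ""
        for field in ("referer", "agent"):
            if m.group(field).lstrip().startswith(FUNC_PREFIX):
                hits.append(
                    (m.group("host"), field, path, int(m.group("status")))
                )
    return hits


if __name__ == "__main__":
    for hit in find_function_prefix_headers(SAMPLE_LOG):
        print(hit)
```

The combined format records only the Referer and User-Agent headers, so a clean scan says nothing about other headers (Cookie, custom headers) that CGI also exports to the environment.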