Chris,
thank you for stating what can be achieved with minimal effort.
So - is my ADSL box exploitable - which has Linux inside it?
Presumably not - my ADSL box refuses html and ssh login access from
the wild.
Yes - it might be, if someone inside my network does html access to
the box and somehow gets to a shell with some buffer overrun attack.
So - does this mean that any web server (which is subject to buffer
overrun attacks) that eventually leads to shell access is vulnerable?
However, in these days of better code / standard string types that
don't have overrun issues / Python servers, how much is overrun a problem?
No one on this list is involved in hacking to destroy a remote web
server, but we do have an interest in getting our servers secure. So when
testing a server, what are the things (in the light of this exploit)
that one could do to get into the box? Since one knows how to get in, one
knows how to secure it.
==================================
My problem is that I read reviews on the net, and wonder
a) how factual it is
b) how much the author is hyping the reports to get a higher page hit
rate and get more dollars from the advertisers
c) how much the author hates unix/linux.
Thanks,
Derek.
On 26/09/14 09:42, Chris Hellyar wrote:
0918 this morning Debian released a patch for the patch. :-)
For those not watching, this is great viewing.
It's also quite scary how easy it was to build an exploit for this
one. It took me about 15 minutes last night to build a shell script
that could exploit a bash script on a remote server to download and
execute arbitrary script/executable on the target machine.
The last few major ones it's taken at least a few hours hunting around
for source and preconditioning / setup would normally take multiple
scripts. This one is single script, no set up required.
Cheers, Chris H.
_______________________________________________
Linux-users mailing list
[email protected]
http://lists.canterbury.ac.nz/mailman/listinfo/linux-users
--
Sent from my Ubuntu computer