Hi,
thanks Chris for the explanation. That does help.
Cheers,
Derek.
On 26/09/14 10:36, Chris Hellyar wrote:
Per what Steve said... Bash would be pretty uncommon on embedded
devices, they tend to use busybox.
The current published/known exploit/vector from this is via apache,
with cgi enabled and a cgi script using bash as its interpreter.
so... a2dismod cgi on your deb/ubuntu boxes with apache, and whatever
the equiv. is on RH, can't think of it for the mo.. That will fix
that vector.
Or just not having any CGI scripts that use bash of course. (Easier
said than done if you run one of the hosting console tools like plesk
etc. per the other comments yesterday.)
At this stage there doesn't appear to be another vector and it's
useless as a local exploit anyway as it doesn't give you privilege
escalation which is what you're looking for if you've already got
access to a machine.
What it does do is allow you to remotely force the download of an
arbitrary binary / script which can then have its merry way with your
box. There is chat on one of the darker shaded IRC channels about
delivering the spike ddos toolkit via shellshock, which if you were of
that persuasion might not be a bad way to go.
Cheers, Chris H.
On 26/09/14 10:01, Derek Smithies wrote:
Chris,
thank you for stating what can be achieved with minimal effort..
So - is my ADSL box exploitable - which has linux inside it?
presumably not - my ADSL box refuses html and ssh login access
from the wild.
Yes - it might be, if someone inside my network does html access to
the box and somehow gets to a shell with some buffer overrun attack.
So - does this mean that any web server (which is subject to buffer
overrun attacks) that eventually leads to shell access is vulnerable?
However, in these days of better code/ standard string types that
don't have overrun issues/ python servers/ how much is overrun a
problem?
No one on this list is involved in hacking to destroy a remote web
server, but we do have an interest in getting our servers secure. So
when testing a server, what are the things (in the light of this exploit)
that one could do to get into the box? Since one knows how to get in,
one knows how to secure it.
==================================
My problem is that I read reviews on the net, and wonder
a) how factual it is
b) how much the author is hyping the reports to get a higher page
hit rate and get more dollars from the advertisers
c) how much the author hates unix/linux.
Thanks,
Derek.
On 26/09/14 09:42, Chris Hellyar wrote:
0918 this morning Debian released a patch for the patch. :-)
For those not watching this is great viewing.
It's also quite scary how easy it was to build an exploit for this
one. It took me about 15 minutes last night to build a shell script
that could exploit a bash script on a remote server to download and
execute arbitrary script/executable on the target machine.
The last few major ones it's taken at least a few hours hunting
around for source and preconditioning / setup would normally take
multiple scripts. This one is single script, no set up required.
Cheers, Chris H.
_______________________________________________
Linux-users mailing list
[email protected]
http://lists.canterbury.ac.nz/mailman/listinfo/linux-users
--
Sent from my Ubuntu computer
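
An added example, not part of the thread: a POSIX shell audit for the second mitigation Chris mentions (no CGI scripts that use bash), listing every file under a CGI directory whose `#!` line names bash. It goes a little beyond his message by also flagging `#!/bin/sh` scripts where `sh` is a symlink to bash; the two default directories are assumptions (the usual Debian/Ubuntu and Red Hat CGI locations), and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: list CGI scripts that bash would end up executing.

# Print the interpreter named on a file's "#!" line; print nothing if none.
shebang_interp() (
    first=$(head -c 256 "$1" 2>/dev/null | head -n 1 | tr -d '\000\r')
    case $first in '#!'*) ;; *) exit 0 ;; esac
    set -f                              # no globbing while splitting the line
    set -- ${first#'#!'}
    [ "${1##*/}" = env ] && shift       # "#!/usr/bin/env bash" style
    while [ $# -gt 0 ] && [ "${1#-}" != "$1" ]; do shift; done  # env options
    printf '%s\n' "${1-}"
)

# Succeed if the interpreter (path or bare name) resolves to a file named bash.
resolves_to_bash() (
    p=$1
    case $p in
        */*) ;;
        *) p=$(command -v "$p" 2>/dev/null) || exit 1 ;;  # bare name: use PATH
    esac
    p=$(readlink -f "$p" 2>/dev/null) || exit 1           # follow sh -> bash
    [ "${p##*/}" = bash ]
)

# Print "file<TAB>interpreter" for each bash-interpreted file under the dirs.
find_bash_cgi() (
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f | while IFS= read -r f; do
            interp=$(shebang_interp "$f")
            if resolves_to_bash "$interp"; then
                printf '%s\t%s\n' "$f" "$interp"
            fi
        done
    done
)

# Usage: sh audit.sh [CGI_DIR...]
# Assumed defaults: Debian/Ubuntu and Red Hat stock CGI directories.
[ $# -gt 0 ] || set -- /usr/lib/cgi-bin /var/www/cgi-bin
find_bash_cgi "$@"
```

An empty result only covers scripts with a bash `#!` line; a CGI program in another language that shells out through a bash `/bin/sh` is not detected by this check.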