On 9/26/14, 9:13 AM, Paul Hill wrote:
This one is scary:
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/

You run a DHCP server.  When a DHCP client connects you return
malicious data that Bash uses to run executables (e.g. setting default
routes).

Dang. That DHCP server could be a tiny little Raspberry Pi tucked away on any open Ethernet port on anyone's desk in the company. It could respond to DHCP requests sent out by any device on the network.

Well, at least maybe this could be useful for IT to help identify devices that need patching, by telling the device to, for example, ping a specific host or even to halt.

Paul
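
Added example, not part of the original message or of the linked write-up: a defender-side check that parses the options of a captured DHCP reply and flags any value containing the `() {` marker that unpatched Bash treats as a function definition. The function names and sample packets are constructed for illustration, and only the main options field is read (option overloading is not handled).

```python
# Added example: flag DHCP reply options that carry a Bash function-definition marker.
BOOTP_HEADER_LEN = 236                 # fixed BOOTP header preceding the options
MAGIC_COOKIE = b"\x63\x82\x53\x63"     # marks the start of the DHCP options field
FUNC_MARKER = b"() {"                  # prefix unpatched Bash parses as a function


def parse_options(packet: bytes) -> list[tuple[int, bytes]]:
    """Return (code, value) pairs from the options field of a DHCP message."""
    start = BOOTP_HEADER_LEN + len(MAGIC_COOKIE)
    if len(packet) < start or packet[BOOTP_HEADER_LEN:start] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short or missing magic cookie)")
    options, i = [], start
    while i < len(packet):
        code = packet[i]
        if code == 0:                  # pad option: single byte, no length
            i += 1
            continue
        if code == 255:                # end option
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options.append((code, value))
        i += 2 + length
    return options


def suspicious_options(packet: bytes) -> list[tuple[int, bytes]]:
    """Options whose value contains the marker anywhere (deliberately broad)."""
    return [(c, v) for c, v in parse_options(packet) if FUNC_MARKER in v]


def build_reply(options: list[tuple[int, bytes]]) -> bytes:
    """Constructed test input: zeroed BOOTP header (op=2, reply) plus options."""
    header = b"\x02" + b"\x00" * (BOOTP_HEADER_LEN - 1)
    body = b"".join(bytes([c, len(v)]) + v for c, v in options)
    return header + MAGIC_COOKIE + body + b"\xff"


# Constructed samples; the flagged value is an inert placeholder, not a payload.
BENIGN = build_reply([(53, b"\x05"), (15, b"corp.example")])
FLAGGED = build_reply([(53, b"\x05"), (15, b"() { :; }; PLACEHOLDER")])

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(name, suspicious_options(pkt))
```

A hit from a server address that is not one of the site's authorised DHCP servers is the signal worth alerting on, since it points at both a rogue server and an attempt against unpatched clients.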
