Re: [Haifux] The Bash vulnerability (shellshock)

2014-09-28 Thread Eli Billauer
Thanks Guy. I'll definitely try one of those test scripts. As for asking a random site to check this for me -- I'm not sure it's a good idea. I mean, I don't know who has set up this site and what their intentions are... Regards, Eli On 27/09/14 22:42, Guy Edri wrote: Hey Eli. http://ww

Re: [Haifux] The Bash vulnerability (shellshock)

2014-09-27 Thread Guy Edri
Hey Eli. http://www.tripwire.com/state-of-security/off-topic/shell-shocked-bash-bug-detection-tools-cve-2014-6271/ http://shellshocktest.com/ https://github.com/mubix/shellshocker-pocs enjoy your PT with all those tools. On Sat, Sep 27, 2014 at 11:37 AM, boazg wrote: > try it with DHCP inste

Re: [Haifux] The Bash vulnerability (shellshock)

2014-09-27 Thread boazg
try it with DHCP instead https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/ On Sat, Sep 27, 2014 at 11:36 AM, boazg wrote: > you need to find a vulnerable site. CGI doesn't have to pass through bash. > you need a site that opens a subshell for something. they aren't unc

Re: [Haifux] The Bash vulnerability (shellshock)

2014-09-27 Thread boazg
you need to find a vulnerable site. CGI doesn't have to pass through bash. you need a site that opens a subshell for something. they aren't uncommon, but it's not every linux-CGI site. On Fri, Sep 26, 2014 at 2:33 PM, Eli Billauer wrote: > Hi, > > I did > > # yum upgrade bash > > on Haifux' serv

Re: [Haifux] The Bash vulnerability (shellshock)

2014-09-26 Thread Eli Billauer
Hi, I did # yum upgrade bash on Haifux' server, and it's off the hook. But I was also surprised that the attack failed even before that. Eli On 26/09/14 12:39, guy keren wrote: On 09/26/2014 12:30 PM, Eli Billauer wrote: env x='() { :;}; echo vulnerable' bash -c 'echo This is a test

Re: [Haifux] The Bash vulnerability (shellshock)

2014-09-26 Thread Shachar Raindel
On Sep 26, 2014 12:49 PM, "guy keren" wrote: > > On 09/26/2014 12:30 PM, Eli Billauer wrote: >> >> env x='() { :;}; echo vulnerable' bash -c 'echo This is a test' > > > you're too late - there's a (partial?) fix being distributed around... > For your moment of optimism: http://istheinternetonfir

Re: [Haifux] The Bash vulnerability (shellshock)

2014-09-26 Thread guy keren
On 09/26/2014 12:30 PM, Eli Billauer wrote: env x='() { :;}; echo vulnerable' bash -c 'echo This is a test' you're too late - there's a (partial?) fix being distributed around... --guy

[Haifux] The Bash vulnerability (shellshock)

2014-09-26 Thread Eli Billauer
Hi everyone, Happy new year! To make it even merrier, it seems like a rather widespread vulnerability, based upon a bug in Bash (!) has been discovered: http://www.engadget.com/2014/09/25/what-is-the-shellshock/ Or for short, type this on your bash console and see if you're cooked: env x='()