Re: [Linux-users] shell shock, one more time..

2014-09-26 Thread Jim Cheetham
On Sat, Sep 27, 2014 at 11:38 AM, Volker Kuhlmann list0...@paradise.net.nz wrote: Anything your router exposes to the Internet is a valid attack surface. You are at the whim of the router's firmware, too often proven to be insecure and non-patchable (vendors don't give a toss). Just because

Re: [Linux-users] shell shock, one more time..

2014-09-25 Thread Steve Holdoway
On Fri, 2014-09-26 at 10:01 +1200, Derek Smithies wrote: Chris, thank you for stating what can be achieved with minimal effort.. So - is my ADSL box exploitable - which has linux inside it? presumably not - my ADSL box refuses html and ssh login access from the wild. Won't your ADSL

Re: [Linux-users] shell shock, one more time..

2014-09-25 Thread Chris Hellyar
Another gotcha to note, which I've picked up from this one because I look after a lot of cloud stuff these days.. Rackspace repo mirrors are lagging behind, AWS ones are OK for CentOS and RH and Debian but Ubuntu not so much. Linode were quick with the first one but this latest is not there

Re: [Linux-users] shell shock, one more time..

2014-09-25 Thread Derek Smithies
Hi, thanks Chris for the explanation. That does help. Cheers, Derek. On 26/09/14 10:36, Chris Hellyar wrote: Per what Steve said... Bash would be pretty uncommon on embedded devices, they tend to use busybox. The current published/known exploit/vector from this is via apache, with cgi

Re: [Linux-users] shell shock, one more time..

2014-09-25 Thread Volker Kuhlmann
On Fri 26 Sep 2014 10:01:52 NZST +1200, Derek Smithies wrote: So - is my ADSL box exploitable - which has linux inside it? presumably not - my ADSL box refuses html and ssh login access from the wild. Oops. Presumably yes. http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ Robert

Re: [Linux-users] shell shock, one more time..

2014-09-25 Thread Derek Smithies
Jim, You have me here. You wrote: Beware of rogue DHCP responses on your local networks, too - most Linux runs the shell as part of dhclient. https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/ The proof of concept above seems a little strange. The person running

Re: [Linux-users] shell shock, one more time..

2014-09-25 Thread Chris Hellyar
On 26/09/14 11:22, Steve Holdoway wrote: so... a2dismod cgi on your deb/ubuntu boxes with apache, and whatever the equiv. is on RH, can't think of it for the mo.. That will fix that vector. Or just upgrade to nginx... well, there is that... :-) I was a bit resistant but I'm warming to it.

Re: [Linux-users] shell shock, one more time..

2014-09-25 Thread Steve Holdoway
On Fri, 2014-09-26 at 11:53 +1200, Chris Hellyar wrote: On 26/09/14 11:22, Steve Holdoway wrote: so... a2dismod cgi on your deb/ubuntu boxes with apache, and whatever the equiv. is on RH, can't think of it for the mo.. That will fix that vector. Or just upgrade to nginx... well,

Re: [Linux-users] shell shock, one more time..

2014-09-25 Thread Kent Fredric
On 26 September 2014 12:06, Chris Hellyar ch...@trash.co.nz wrote: While I don't disagree with the statement that any execution environment can be used to get the result from the flawed version of bash, the remote exploit is via apache/cgi at this stage and exploiting it via php/perl/python

Re: [Linux-users] shell shock, one more time..

2014-09-25 Thread Chris Hellyar
(Sorry long post. :-) Hmmm, You're not wrong, but polluting the environment before the webserver starts or after it's running is a different proposition from injecting into the environment in a single pass with predictable results. What makes the cgi vs shellshock exploit viable is that that