Re: [dns-operations] ShellShock exploit through the DNS

2014-10-18 Thread Florian Weimer
* P. Vixie: > On October 18, 2014 4:06:07 PM EDT, Florian Weimer wrote: > >>Red Hat Enterprise Linux does not have this vector. It uses the >>regular glibc resolver, which is based on the old BIND stub resolver, >>and this code has both escaping from wire format to the textual >>representation (

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-18 Thread P Vixie
On October 18, 2014 4:06:07 PM EDT, Florian Weimer wrote: >Red Hat Enterprise Linux does not have this vector. It uses the >regular glibc resolver, which is based on the old BIND stub resolver, >and this code has both escaping from wire format to the textual >representation (which destroys the

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-18 Thread Florian Weimer
* Paul Vixie: > # > Tony Finch > Tuesday, October 14, 2014 5:31 AM > > A CGI script invoked by Apache httpd with HostnameLookups On > (the default is Off, a safer setting is Double) > > thanks, that makes sense. the security advisory posted here did not > mention any real world

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread Doug Barton
On 10/14/14 1:17 PM, Mark Andrews wrote: Did /bin/sh in System 5 eval its environment variables? No. Bash *added* the feature to the OS. Right, that's what I was talking about. Sorry I wasn't clear. ___ dns-operations mailing list dns-operations@l

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread Mark Andrews
In message <543d4162.8000...@dougbarton.us>, Doug Barton writes: > On 10/14/14 6:41 AM, Paul Vixie wrote: > > apparently the apache team believed as i did that no shell would ever > > eval() its environment variables no matter with or without input > > checking. the bash team really violated the p

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread Phil Regnauld
Jim Reid (jim) writes: > > > > Apple and redhat err'd in using bash to implement the /bin/sh interface. > > They should switch to ash like BSD or to the dash derivative of ash like > > Debian. > > ?? > wallace% uname -a > Darwin wallace.rfc1035.com 13.4.0 Darwin Kernel Version 13.4.0: Sun Aug 1

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread Mike Hoskins (michoski)
-Original Message- From: Jim Reid Date: Tuesday, October 14, 2014 at 1:53 PM To: Paul Vixie Cc: "dns-operati...@dns-oarc.net" Subject: Re: [dns-operations] ShellShock exploit through the DNS >On 14 Oct 2014, at 12:46, P Vixie wrote: > >>> As "/bin/sh&

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread Jim Reid
On 14 Oct 2014, at 12:46, P Vixie wrote: >> As "/bin/sh" is almost always a symlink to "/bin/bash", and many O/S >> scripts assume this to be the case (i.e. use bash specific features, >> without declaring "#!/bin/bash"), so simply making "/bin/sh" a link to >> (say) "/bin/ash" is probably not

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread Tony Finch
The best article I have seen on the topic is by David A Wheeler (linked below). Section 2 on design approaches that would have avoided the bug is particularly good, and is not specific to unix shells. (Though it would be a great exaggeration to say it has much to do with DNS operations.) http://ww

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread Doug Barton
On 10/14/14 6:41 AM, Paul Vixie wrote: apparently the apache team believed as i did that no shell would ever eval() its environment variables no matter with or without input checking. the bash team really violated the principle of least astonishment with function inheritance. Given the number o

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread Simon Munton
+1 On 14/10/14 14:41, Paul Vixie wrote: the bash team really violated the principle of least astonishment with function inheritance.

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread Paul Vixie
> Tony Finch > Tuesday, October 14, 2014 5:31 AM > > A CGI script invoked by Apache httpd with HostnameLookups On > (the default is Off, a safer setting is Double) thanks, that makes sense. the security advisory posted here did not mention any real world examples. i agree t

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread Tony Finch
P Vixie wrote: > > Who does this? Where, in the actual world, is code deployed that does > what this supposed PoC does? A CGI script invoked by Apache httpd with HostnameLookups On (the default is Off, a safer setting is Double) Tony. -- f.anthony.n.finch http://dotat.at/ Trafalgar: Cyclonic

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread P Vixie
On October 14, 2014 1:01:02 AM PDT, Simon Munton wrote: >(Sorry, this is not strictly DNS, but I would guess that this is the >cause of this shell-shock vector). > >When looking at the code for libc I was most disappointed to see that >"/bin/sh" is hard coded for both "popen()" and "system()"

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread P Vixie
This seems bogus to me.

assert(0==getnameinfo((struct sockaddr *)&sa, sizeof sa, host, sizeof host, NULL, 0, NI_NAMEREQD));
printf("Lookup result: %s\n\n", host);
assert(setenv("REMOTE_HOST",host,1) == 0);
execl("/bin/bash",NULL);

Who does this? Where, in the actual world, is code deployed tha

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread Simon Munton
As "/bin/sh" is almost always a symlink to "/bin/bash", No. It is not the case for FreeBSD, Debian, NetBSD, ArchLinux... On the archive Debian 5.0 system we have it is, & RH 5.11 On Ubuntu it's linked to dash.

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread Stephane Bortzmeyer
On Tue, Oct 14, 2014 at 09:01:02AM +0100, Simon Munton wrote a message of 38 lines which said: > As "/bin/sh" is almost always a symlink to "/bin/bash", No. It is not the case for FreeBSD, Debian, NetBSD, ArchLinux... > assume this to be the case (i.e. use bash specific features, without >

Re: [dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread Simon Munton
(Sorry, this is not strictly DNS, but I would guess that this is the cause of this shell-shock vector). When looking at the code for libc I was most disappointed to see that "/bin/sh" is hard coded for both "popen()" and "system()" Whereas I had previously assumed that the environment variab

[dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread Stephane Bortzmeyer
Funny: an OS sends the result of some DNS queries to bash, allowing the DNS operator to attack DNS clients with ShellShock: http://packetstormsecurity.com/files/128650 What about an evil AS 112 operator attacking 168.192.in-addr.arpa users?