Re: [FD] Critical bash vulnerability CVE-2014-6271

2014-09-26 Thread Matt Hazinski
On Thu, Sep 25, 2014 at 02:39:55PM +0200, Philip Cheong wrote: Worse than heartbleed? http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/ I'm able to get remote code exec

Re: [FD] Critical bash vulnerability CVE-2014-6271 (slightly OT logo discussion)

2014-09-26 Thread Ben Lincoln (F7EFC8C9 - FD)
On 2014-09-25 09:14, Tony Arcieri wrote: On Thu, Sep 25, 2014 at 8:55 AM, Michal Zalewski wrote: In what way? It doesn't have a logo, so it's a bit better in my book. That's where you're wrong: https://pbs.twimg.com/media/ByVh24fCcAAy7mT.png I propose a contest - IMO if Heartbleed got a

Re: [FD] Critical bash vulnerability CVE-2014-6271

2014-09-25 Thread Paul Vixie
> Tim > Thursday, September 25, 2014 5:55 PM > ... > > So dhclient calls /bin/bash explicitly? I didn't look that deeply > into it, but my /bin/sh is dash and nothing breaks, so if it really > does depend on bash, it would need to do that. it's like thi

Re: [FD] Critical bash vulnerability CVE-2014-6271

2014-09-25 Thread Seth Arnold
On Thu, Sep 25, 2014 at 01:54:31PM -0700, Paul Vixie wrote: > no. the problem occurs when /bin/sh is bash, or when a network invokable > script begins with the line #!/bin/bash. it has nothing to do with the > user's shell. rather, it's the shell used by popen() and system() and of > course (execl,

Re: [FD] Critical bash vulnerability CVE-2014-6271

2014-09-25 Thread Paul Vixie
> Seth Arnold > Thursday, September 25, 2014 3:10 PM > > Which systems go through /bin/sh for the exec*() family of functions? i don't have an exhaustive list. my friends at $dayjob told me to use debian, so i am. i see this: http://manpages.debian.org/cgi-bin/

Re: [FD] Critical bash vulnerability CVE-2014-6271

2014-09-25 Thread Paul Vixie
> Tim > Thursday, September 25, 2014 1:06 PM > > > If you change the default shell from bash to a more sane one[1], like > dash or ash, does this attack disappear? no. the problem occurs when /bin/sh is bash, or when a network invokable script begins wit

Re: [FD] Critical bash vulnerability CVE-2014-6271

2014-09-25 Thread Tim
> dhcpcd is vulnerable. > > root@blackarch ~ # dhcpcd -4 eth0 > dhcpcd[413]: version 5.6.8 starting > dhcpcd[413]: eth0: rebinding lease of 192.168.1.2 > dhcpcd[413]: eth0: acknowledged 192.168.1.2 from 192.168.1.1 `() { :;}; echo > vulnerable > /TEST' > dhcpcd[413]: eth0: checking for 192.168.1.

Re: [FD] Critical bash vulnerability CVE-2014-6271

2014-09-25 Thread g...@1337.io
A quick test that was posted somewhere this morning.. Vulnerable or Not? You can check if you're vulnerable by running the following commands (code provided by the CSA). Open a terminal window and enter the following command at the $ prompt: env x='() { :;}; echo vulnerable' bash -c "echo this is

Re: [FD] Critical bash vulnerability CVE-2014-6271

2014-09-25 Thread Godin, Erik
It should be noted the fix for CVE-2014-6271 doesn't quite cover everything and subsequently CVE-2014-7169 was assigned. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 Regards, Erik Godin ___ Sent through the Full Disclosure mai

Re: [FD] Critical bash vulnerability CVE-2014-6271

2014-09-25 Thread Evan Teitelman
On Thu, Sep 25, 2014 at 02:39:55PM +0200, Philip Cheong wrote: > Worse than heartbleed? > > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 > > http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/ > dhcpcd is vulnerable. roo

Re: [FD] Critical bash vulnerability CVE-2014-6271

2014-09-25 Thread Yvan Janssens
+1 to Paul. Bash is a popular CGI scripting environment on embedded platforms which are around for quite a while already now. There's a lot of CPE out there running bash internally for its management UI, since using more high-level languages wasn't always space/memory-efficient, and the busybox s

Re: [FD] Critical bash vulnerability CVE-2014-6271

2014-09-25 Thread Tony Arcieri
On Thu, Sep 25, 2014 at 8:55 AM, Michal Zalewski wrote: > In what way? It doesn't have a logo, so it's a bit better in my book. That's where you're wrong: https://pbs.twimg.com/media/ByVh24fCcAAy7mT.png -- Tony Arcieri

Re: [FD] Critical bash vulnerability CVE-2014-6271

2014-09-25 Thread Paul Vixie
> Philip Cheong > Thursday, September 25, 2014 5:39 AM > Worse than heartbleed? i think so. more below. > > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 > > http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-an

Re: [FD] Critical bash vulnerability CVE-2014-6271

2014-09-25 Thread Michal Zalewski
> Worse than heartbleed? In what way? It doesn't have a logo, so it's a bit better in my book. But seriously, yup, it's probably worse - it likely affects more sites and trivially gives you remote shell. I have written down some technical details about the issue and the problems with all the pat

[FD] Critical bash vulnerability CVE-2014-6271

2014-09-25 Thread Philip Cheong
Worse than heartbleed? http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/