Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-10-01 Thread Jan Schaumann
Joe Morris wrote: > ubik% env X="() { :;} ; echo busted" /bin/sh -c "echo stuff" You are invoking /bin/sh here. That is only testing whether or not /bin/sh is vulnerable, not whether the parent shell that happens to run to invoke /bin/sh is vulnerable. I'm going to guess that on your system /
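The distinction Jan draws above (the probe tests the interpreter you name on the command line, not the shell you typed it into) is easy to get wrong by hand. The following is an added example, not code from the thread: it runs the thread's probe string against each interpreter explicitly, keyed by resolved path so that a /bin/sh that is really bash shows up as bash. The "simulated vulnerable shell" is a constructed stand-in that mimics the bug so the check can be seen firing without a real vulnerable bash; everything else only reports what the interpreters on the machine actually do.

```python
import os
import shutil
import subprocess
import tempfile

# The probe used in the thread: an exported value that looks like a function
# definition, with trailing code that a vulnerable bash runs while importing it.
PROBE_VALUE = "() { :;}; echo busted"


def probe_shell(interpreter):
    """Run the probe against ONE interpreter.

    `interpreter` is a path ("/bin/zsh") or an argv prefix (["/bin/sh", "script"]).
    Returns True if the trailing command ran, False if it did not, and None if
    the interpreter could not be executed. Only this interpreter is tested; the
    shell the command is typed into plays no part, which is why
    `env X=... /bin/sh -c ...` says nothing about zsh or the login shell.
    """
    argv = list(interpreter) if isinstance(interpreter, (list, tuple)) else [interpreter]
    env = {"X": PROBE_VALUE, "PATH": os.environ.get("PATH", "/bin:/usr/bin")}
    try:
        proc = subprocess.run(argv + ["-c", "echo stuff"], env=env,
                              capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return "busted" in proc.stdout


def probe_installed_shells(candidates=("bash", "sh", "zsh", "ksh", "dash")):
    """Probe each candidate found on PATH plus the login shell from $SHELL.
    Results are keyed by resolved path, so a /bin/sh -> bash symlink collapses
    onto the bash entry instead of looking like a separate, clean shell."""
    results = {}
    paths = [shutil.which(name) for name in candidates] + [os.environ.get("SHELL")]
    for path in paths:
        if path:
            results[os.path.realpath(path)] = probe_shell(path)
    return results


def simulated_vulnerable_shell(directory):
    """Write a stand-in 'shell' (constructed for this example, not a real
    vulnerable bash) that mimics the bug: it echoes 'busted' whenever X starts
    with '() {', then runs the -c argument the way a normal shell would.
    It is run as `/bin/sh <file> -c <cmd>`, so $1 is '-c' and $2 the command."""
    path = os.path.join(directory, "vulnsh")
    with open(path, "w") as fh:
        fh.write('case "$X" in "() {"*) echo busted;; esac\n'
                 'eval "$2"\n')
    return path


def demo():
    """Per-interpreter results: the simulated shell trips the probe, while each
    real interpreter is judged on its own behaviour."""
    tmp = tempfile.mkdtemp()
    try:
        results = {"simulated": probe_shell(["/bin/sh", simulated_vulnerable_shell(tmp)])}
    finally:
        shutil.rmtree(tmp)
    results.update(probe_installed_shells())
    return results


if __name__ == "__main__":
    for shell, vulnerable in demo().items():
        state = {True: "VULNERABLE", False: "ok", None: "not runnable"}[vulnerable]
        print(f"{shell}: {state}")
```

On OS X of that era /bin/sh is a bash binary, so probing /bin/sh there does test bash, but it still tells you nothing about zsh or ksh; run the probe against each interpreter path you care about.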

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-10-01 Thread Brandon Allbery
On Sat, Sep 27, 2014 at 10:28 PM, Joe Morris wrote: > Could very well be a flawed test. It's not failing on NetBSD now, but still > is on OS X. I didn't think to grab the version for either before > > ubik% env X="() { :;} ; echo busted" /bin/sh -c "echo stuff" > busted > stuff > ubik% echo $ZSH_

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-10-01 Thread Joe Morris
Not so long ago, jscha...@netmeister.org wrote: > Joe Morris wrote: > > > The versions of zsh I have available are all vulnerable as well as Korn > > Shell > > on NetBSD (can't remember if that's the real thing or a clone) > > [citation needed] > > I can't reproduce this for either. Can you

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-30 Thread ge...@riseup.net
On 14-09-25 10:13:35, Yves Dorfsman wrote: > Anybody has any idea when Apple might release a proper patch? Apple released fixes for: - 10.9 [1] - 10.8 [2] - 10.7 [3] Greetings, Georg [1] http://support.apple.com/kb/DL1769 [2] http://support.apple.com/kb/DL1768 [3] http://support.apple.com/kb/DL

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-27 Thread Jan Schaumann
Joe Morris wrote: > The versions of zsh I have available are all vulnerable as well as Korn Shell > on NetBSD (can't remember if that's the real thing or a clone) [citation needed] I can't reproduce this for either. Can you show you tested this and found it to be vulnerable? -Jan pgpLP_zrh

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-27 Thread Brandon Allbery
On Fri, Sep 26, 2014 at 1:49 PM, Joe Morris wrote: > The versions of zsh I have available are all vulnerable as well as Korn > Shell > on NetBSD (can't remember if that's the real thing or a clone) > Er? zsh here is not vulnerable, although it has its own kinds of issues. Then again, zsh doesn't

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-27 Thread Joe Morris
Not so long ago, allber...@gmail.com wrote: > On Fri, Sep 26, 2014 at 11:59 AM, Doug Hughes wrote: > > > If the CGI in question is bash, this by itself is sufficient to get it to > > execute code that it otherwise should not have. > > > Or if the CGI is executed by a mechanism which involves /b

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-27 Thread Edward Ned Harvey (lopser)
> From: Brandon Allbery [mailto:allber...@gmail.com] > > P.S. "...disbelieve any X is that stupid" is usually a sucker bet. heheheh... touchee.;-) P.P.S. "I disbelieve X" is also reverse psychology for "You look it up and post your findings here." ;-) And I'm glad I did (and glad you

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Brandon Allbery
On Fri, Sep 26, 2014 at 5:52 PM, Edward Ned Harvey (lopser) < lop...@nedharvey.com> wrote: > If the dhcp client behaves as Paul suggested it might - which is to say, > stupidly accepting unsanitized ENV variables from a DHCP server I'd like to make one more point here: neither dhclient nor dhcli

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Brandon Allbery
On Fri, Sep 26, 2014 at 6:35 PM, Yves Dorfsman wrote: > Ah, I get it, I thought you meant if there were a linux / android box on > the > same network, one could implement the dhcp attack. > One can surely implement it, but the targets are restricted to other laptop/desktop Linux boxes. You can't

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Yves Dorfsman
On 2014-09-26 15:53, Brandon Allbery wrote: > On Fri, Sep 26, 2014 at 5:45 PM, Yves Dorfsman > wrote: > > But this is my concern... > Business (non-technical) users using their laptop on a public wifi such > as an > overpriced coffee shop or in an airport. >

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Brandon Allbery
On Fri, Sep 26, 2014 at 5:52 PM, Edward Ned Harvey (lopser) < lop...@nedharvey.com> wrote: > But I am biased to disbelieve any dhcp client is that stupid, unless I > hear otherwise. P.S. "...disbelieve any X is that stupid" is usually a sucker bet. -- brandon s allbery kf8nh

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Brandon Allbery
On Fri, Sep 26, 2014 at 5:54 PM, Brandon Allbery wrote: > man 8 dhclient-script And for those without ready access for some reason: When dhclient(8) needs to invoke the client configuration script, it sets > > up a number of environment variables and runs dhclient-script. In all > >
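The man page passage quoted above is the whole DHCP vector in one sentence: option values from the network are placed in environment variables and a shell script is then run. The following is an added example, not code from the thread or from ISC: it parses a constructed DHCP option area, maps the options to the variable names dhclient-script is documented to use (the `new_` prefix plus the option name from dhcp-options(5) with dashes turned into underscores; the subset of options shown is an assumption for illustration) and flags any value that begins with a function definition. The option area is constructed for the example, not a capture, and the hostile value is the thread's own probe string.

```python
import re

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"


def _ipv4_list(raw):
    """Decode a run of 4-byte addresses the way dhclient hands them to the
    script: dotted quads separated by spaces. Trailing partial bytes are dropped."""
    quads = [".".join(str(b) for b in raw[i:i + 4])
             for i in range(0, len(raw) - len(raw) % 4, 4)]
    return " ".join(quads)


def _text(raw):
    return raw.decode("latin-1")


# Option code -> (name from dhcp-options(5), decoder). Assumed subset for the
# example; dhclient-script sees each as "new_" + name with '-' replaced by '_'.
OPTIONS = {
    1: ("subnet-mask", _ipv4_list),
    3: ("routers", _ipv4_list),
    6: ("domain-name-servers", _ipv4_list),
    12: ("host-name", _text),
    15: ("domain-name", _text),
}

# Shape of the trigger: a value that starts with a function definition.
FUNCTION_DEF_RE = re.compile(r"^\s*\(\)\s*\{")


def parse_options(blob):
    """Parse an RFC 2132 option area (magic cookie followed by TLVs) into
    {code: raw bytes}. Pads are skipped and END (255) stops the scan. Split
    options (RFC 3396) are not reassembled; that is enough for this sample."""
    if not blob.startswith(DHCP_MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, len(DHCP_MAGIC_COOKIE)
    while i < len(blob):
        code = blob[i]
        if code == 0:            # PAD
            i += 1
            continue
        if code == 255:          # END
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def script_environment(options):
    """The environment dhclient-script would receive for these options."""
    env = {}
    for code, raw in options.items():
        if code in OPTIONS:
            name, decode = OPTIONS[code]
            env["new_" + name.replace("-", "_")] = decode(raw)
    return env


def hostile_values(env):
    """Variable names whose value a vulnerable bash would parse as a function."""
    return sorted(k for k, v in env.items() if FUNCTION_DEF_RE.match(v))


def build_option(code, value):
    return bytes([code, len(value)]) + value


# Constructed OFFER option area (not a capture): a rogue server answering with
# the thread's probe string as the domain name.
ROGUE_OFFER_OPTIONS = (
    DHCP_MAGIC_COOKIE
    + build_option(53, b"\x02")                       # DHCPOFFER
    + build_option(1, bytes([255, 255, 255, 0]))
    + build_option(3, bytes([192, 0, 2, 1]))
    + build_option(6, bytes([192, 0, 2, 53]))
    + build_option(15, b"() { :;}; echo busted")
    + b"\xff"
)

if __name__ == "__main__":
    env = script_environment(parse_options(ROGUE_OFFER_OPTIONS))
    for k, v in sorted(env.items()):
        print(f"{k}={v!r}")
    print("hostile:", hostile_values(env))
```

Whether a given dhclient build runs dhclient-script under bash or under a /bin/sh that is not bash, and exactly which options it exports, varies by platform and version; the example shows the data path from option bytes to environment, which is what decides whether the bash bug is reachable.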

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Brandon Allbery
On Fri, Sep 26, 2014 at 5:52 PM, Edward Ned Harvey (lopser) < lop...@nedharvey.com> wrote: > But I am biased to disbelieve any dhcp client is that stupid, unless I > hear otherwise. man 8 dhclient-script Read it and weep. -- brandon s allbery kf8nh sine nomine as

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Brandon Allbery
On Fri, Sep 26, 2014 at 5:45 PM, Yves Dorfsman wrote: > But this is my concern... > Business (non-technical) users using their laptop on a public wifi such > as an > overpriced coffee shop or in an airport. > But you also asked about OS X, and it doesn't feed unsanitized DHCP options through th

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Edward Ned Harvey (lopser)
> From: Doug Hughes [mailto:d...@will.to] > > The dhcp issue is potentially exploitable, but much more difficult and less > risky in practice If the dhcp client behaves as Paul suggested it might - which is to say, stupidly accepting unsanitized ENV variables from a DHCP server, then it would b

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Yves Dorfsman
On 2014-09-26 15:19, Brandon Allbery wrote: > > ...or has the minimal wherewithal to run a rogue DHCP server on a random > Windows box, which doesn't have the concept of privileged ports, or on a > personal Linux laptop where they have root so the point is moot. How many > places will allow random

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Doug Hughes
Indeed, there are places and situations where this is much more risky than others. On Fri, Sep 26, 2014 at 5:19 PM, Brandon Allbery wrote: > On Fri, Sep 26, 2014 at 4:56 PM, Doug Hughes wrote: > >> The dhcp issue is potentially exploitable, but much more difficult and >> less risky in practice

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Brandon Allbery
On Fri, Sep 26, 2014 at 4:56 PM, Doug Hughes wrote: > The dhcp issue is potentially exploitable, but much more difficult and > less risky in practice because that's an internal function and the > exploiter would have to bind his server to a privileged port meaning you > are already owned. ...or

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Doug Hughes
Agreed, for most users this is likely a non-issue. However, I don't think the media hype is purely hype. This is a widespread very serious problem for a really large number of web servers, probably more serious than heartbleed. The dhcp issue is potentially exploitable, but much more difficult an

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Edward Ned Harvey (lopser)
> From: Doug Hughes [mailto:d...@will.to] > > All that is needed is to change the HTTP request headers which are required > by spec to be converted into environment variables. If the CGI in question is > bash Thank you for that - indeed I did not know. But the conclusion in my eyes hasn't chang

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Paul Graydon
In some cases, depending on the underlying language, it depends on how the call is structured. e.g. "/usr/local/bin/foo" would be executed directly by the process, where "/usr/local/bin/foo | bar" used in exactly the same place, gets executed via popen, calling sh (which is frequently bash). G

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Theo Van Dinter
FYI, the CGI being executed doesn't need to be a bash script. If your webserver runs a CGI via system() or popen() call, both of those execute the command by running bash, ie: bash -c "/path/to/your/binary.cgi". (Well, technically they usually run "/bin/sh -c", but /bin/sh is often bash.) On Fri,
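The two points made above, that request headers become environment variables by spec and that system()/popen() reach the CGI through `sh -c`, are the whole web vector. The following is an added example, not code from the thread: it builds the CGI meta-variables for a constructed request the way RFC 3875 names them, shows which invocation forms go through /bin/sh, flags header values that begin with a function definition, and launches /bin/sh with that environment to show the header value arriving unchanged in the child. The request is constructed for the example and carries the thread's probe string, which does nothing on a patched bash.

```python
import re
import subprocess

# RFC 3875: Content-Type and Content-Length get their own meta-variables; every
# other request header becomes HTTP_<NAME> with '-' replaced by '_'.
SPECIAL_HEADERS = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}

# Shape of the trigger: the value starts with a function definition.
FUNCTION_DEF_RE = re.compile(r"^\s*\(\)\s*\{")

# Constructed request headers (not a capture). The User-Agent carries the
# thread's probe string.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "() { :;}; echo busted",
    "Accept": "*/*",
    "Content-Type": "text/plain",
}


def cgi_meta_variables(headers, method="GET", target="/cgi-bin/status", version="HTTP/1.1"):
    """Environment a CGI/1.1 server hands to the program for this request."""
    path, _, query = target.partition("?")
    env = {
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REQUEST_METHOD": method,
        "SERVER_PROTOCOL": version,
        "SCRIPT_NAME": path,
        "QUERY_STRING": query,
    }
    for name, value in headers.items():
        key = SPECIAL_HEADERS.get(name.lower()) or "HTTP_" + name.upper().replace("-", "_")
        env[key] = value
    return env


def suspicious_variables(env):
    """Meta-variables whose value a vulnerable bash would import as a function."""
    return sorted(k for k, v in env.items() if FUNCTION_DEF_RE.match(v))


def invocation_argv(cmd):
    """What actually gets exec'd. A command string handed to system(3), popen(3)
    or subprocess with shell=True is wrapped as `/bin/sh -c <string>`; an argv
    list goes straight to execve(). The pipeline form from the thread
    ("/usr/local/bin/foo | bar") can only be the former, so it always involves
    /bin/sh even when foo itself is not a shell script."""
    return ["/bin/sh", "-c", cmd] if isinstance(cmd, str) else list(cmd)


def value_seen_by_child(env, var):
    """Start /bin/sh with the CGI environment and return what the child sees in
    `var`: the header value reaches the interpreter's environment verbatim."""
    if not re.fullmatch(r"[A-Z_][A-Z0-9_]*", var):
        raise ValueError("not a meta-variable name: %r" % var)
    child_env = dict(env, PATH="/bin:/usr/bin")
    proc = subprocess.run(["/bin/sh", "-c", 'printf %s "$' + var + '"'],
                          env=child_env, capture_output=True, text=True, timeout=10)
    return proc.stdout


if __name__ == "__main__":
    env = cgi_meta_variables(SAMPLE_HEADERS)
    print("flagged:", suspicious_variables(env))
    print("child sees:", value_seen_by_child(env, "HTTP_USER_AGENT"))
    print("pipeline runs as:", invocation_argv("/usr/local/bin/foo | bar"))
```

Filtering on the `() {` shape is what the emergency web-server rules of the time did; it is a stopgap that narrows the request vector while the interpreter itself is still the thing that needs patching.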

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Brandon Allbery
On Fri, Sep 26, 2014 at 3:26 PM, Paul Graydon wrote: > Sure.. my point is more that a number of programs on your machine might be > calling bash without you realising it, and that this exploit doesn't > necessarily require someone to already have access to your laptop, which > was the assertion I

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Yves Dorfsman
On 2014-09-26 13:04, Brandon Allbery wrote: > > There are more DHCP clients than just ISC dhclient. OS X uses something > completely different, as far as I can tell; most likely it's based around > launchd and uses Mach ports and other OS X-specific IPC instead of relying on > the environment, and

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Paul Graydon
On 09/26/14 12:04, Brandon Allbery wrote: On Fri, Sep 26, 2014 at 2:27 PM, Paul Graydon > wrote: It's not as simple (or accurate) as that. dhclient that runs on your machine to pick up IP addresses from a dhcp server runs as root, and uses bash directl

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Brandon Allbery
On Fri, Sep 26, 2014 at 2:27 PM, Paul Graydon wrote: > It's not as simple (or accurate) as that. dhclient that runs on your > machine to pick up IP addresses from a dhcp server runs as root, and uses > bash directly (regardless of what yours or roots shell is). I don't know > what OS X does spe

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Paul Graydon
On 09/25/14 15:29, Edward Ned Harvey (lopser) wrote: From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org] On Behalf Of Yves Dorfsman What do you guys do for your OS X non-technical users? Give them instructions on how to update bash manually? Give them instructions on how to

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Brandon Allbery
On Fri, Sep 26, 2014 at 2:01 PM, Tom Perrine wrote: > seem to recall some info from yesterday that the example on escape > to shell that's in the PHP book is vulnerable. > If run via cgi or fastcgi/cgi, very probably. Via mod_php, are there significant envars or does the context come from somewh

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Tom Perrine
I seem to recall some info from yesterday that the example on escape to shell that's in the PHP book is vulnerable. How many PHP pages out there are hacked version of the samples in the PHP book(s)? How many sites out there have "status", "debug" and learning apps that escape to shell, and no one

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Brandon Allbery
On Fri, Sep 26, 2014 at 11:59 AM, Doug Hughes wrote: > If the CGI in question is bash, this by itself is sufficient to get it to > execute code that it otherwise should not have. Or if the CGI is executed by a mechanism which involves /bin/sh, *and* /bin/sh is bash. In this case, the language t

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Doug Hughes
Ned, I think you have under-estimated the severity, perhaps because of stale information? (just a guess). Here's a good analysis of the bug from Johannes Ullrich: https://isc.sans.edu//#__utma=216335632.847683870.1411746865.1411746865.1411746865.1&__utmb=216335632.6.9.1411746895232&__utmc=216335632

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-26 Thread Edward Ned Harvey (lopser)
> From: Brandon Allbery [mailto:allber...@gmail.com] > > I haven't looked to see if Apple's "Web Sharing" involves any CGI scripts. If > it > does, then Web Sharing is vulnerable. If you have any web server that will execute arbitrary code uploaded by a client, that would be vulnerable, but the

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-25 Thread Brandon Allbery
On Thu, Sep 25, 2014 at 6:29 PM, Edward Ned Harvey (lopser) < lop...@nedharvey.com> wrote: > My opinion: The only way to exploit the bug is to *first* run some > malicious code that would tweak your environment such that the bug is then > being exploited. I haven't looked to see if Apple's "Web

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-25 Thread Ski Kacoroski
On 09/25/2014 03:29 PM, Edward Ned Harvey (lopser) wrote: From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org] On Behalf Of Yves Dorfsman What do you guys do for your OS X non-technical users? Give them instructions on how to update bash manually? Give them instructions on

Re: [lopsa-tech] OS X bash bug and non-techinical users

2014-09-25 Thread Edward Ned Harvey (lopser)
> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org] > On Behalf Of Yves Dorfsman > > What do you guys do for your OS X non-technical users? > > Give them instructions on how to update bash manually? > Give them instructions on how to close port 22 and 80 when using public w