Posts: 4,164
rokytnji
Joined: 20 Feb 2009
#16
male wrote: and what is with

Code:

$ env X='() { (a)=>\' sh -c "echo date"; cat echo

http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29#CVE-2014-7169

Code:

harry@biker:~
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
date
cat: echo: No such file or directory

I'm cool.

I'd worry more about a wireless printer getting hacked or a weak password on my wireless router. But then, there are no hackers here in the boondocks, or Linux repo servers.
Except for me.
Posts: 119
wildstar84
Joined: 31 May 2014
#17
>dpkg --list | grep "bash"
ii bash 4.3-7 i386 GNU Bourne Again SHell
ii bash-completion 1:2.1-4 all programmable completion for the bash shell
Posts: 1,062
Dave
Joined: 20 Jan 2010
#18
Hmm, you must have bash from one of the higher-up repos, as stable / Wheezy should be at version 4.2, and you are at 4.3.7... Maybe try changing the repo to testing, update bash and jump back to stable, because I am sure purging and installing the stable version would cause issues, unless someone else knows how to force package installation of an older version?
Posts: 4,164
rokytnji
Joined: 20 Feb 2009
#19
More fun and games to run.

Code:

harry@biker:~
$ curl https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2009  100  2009    0     0   2917      0 --:--:-- --:--:-- --:--:--  6630
CVE-2014-6271 (original shellshock): not vulnerable
bash: shellshocker: command not found
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
Posts: 119
wildstar84
Joined: 31 May 2014
#20
Yep, I had originally used testing repos, lotz of dependency hell, with much effort got everything back right after switching to stable! I temporarily went back to testing & upgraded bash to latest in testing repo (4.3-9.2) and it seems to be fixed now! Thanks, Dave!
Posts 0
Alanarchy
#21
Still more vulnerabilities in bash? Shellshock becomes whack-a-mole!


http://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/
Posts: 850
fatmac
Joined: 26 Jul 2012
#22
All of this means that the Shellshock bug will likely require many older services to be simply shut off until patches are fully implemented and tested. And there are many devices in the field—embedded systems that run versions of the Linux operating system that don’t use a streamlined utility system such as BusyBox or some other shell—that will require attention as well.
So, if I was using BusyBox, or another shell, I am safe(?).
Posts 0
Alanarchy
#23
Considering that at any given moment, a spike in the power supply, say caused by a thunderstorm, could destroy your machine completely, you are probably relatively safe. Of course, bringing up probability, the probability of an event occurring was defined as number of cases favorable for the event, over the number of total outcomes possible in an equiprobable sample space.

Does that help?
Posts: 850
fatmac
Joined: 26 Jul 2012
#24
Yes, that makes perfect sense.
(As I don't run any root services, that I know of, & I don't keep the internet connected 24/7, I'm 'safe'.)
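
Added example (not part of any post in this thread): the `env X=...` check from post #16, run against an explicitly named shell in a throwaway directory and reporting which binary that name resolves to. This bears on the BusyBox/other-shell question in post #22, because `sh -c` tests whatever `sh` points at (dash on a default Debian install), not necessarily bash. The function names `resolve_shell`, `check_7169` and `report` are made up for this sketch, and it assumes `mktemp -d` and `readlink -f` are available.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# The test string is the CVE-2014-7169 check quoted in post #16: a vulnerable
# bash leaves a file named "echo" in the current directory.

# Print the real binary behind a shell name (follows symlinks such as sh -> dash).
resolve_shell() {
    rs_path=$(command -v "$1" 2>/dev/null) || return 1
    readlink -f "$rs_path" 2>/dev/null || printf '%s\n' "$rs_path"
}

# Return 0 = not vulnerable, 1 = vulnerable, 2 = could not run the check.
check_7169() {
    command -v "$1" >/dev/null 2>&1 || return 2
    c_dir=$(mktemp -d) || return 2
    c_rc=0
    (
        cd "$c_dir" || exit 2
        # Run the named shell explicitly; discard its output and exit status.
        env X='() { (a)=>\' "$1" -c "echo date" >/dev/null 2>&1 || :
        # The stray "echo" file is the only signal we trust.
        [ ! -e echo ]
    ) || c_rc=$?
    rm -rf "$c_dir"
    return "$c_rc"
}

# One-line verdict per shell, including what the name really points at.
report() {
    r_rc=0
    check_7169 "$1" || r_rc=$?
    case $r_rc in
        0) r_msg="not vulnerable to CVE-2014-7169" ;;
        1) r_msg="VULNERABLE to CVE-2014-7169" ;;
        *) r_msg="not installed or check could not run" ;;
    esac
    printf '%s -> %s: %s\n' "$1" "$(resolve_shell "$1" || echo '?')" "$r_msg"
}

for shell_name in sh bash; do
    report "$shell_name"
done
```

A "not vulnerable" line for `sh` says nothing about bash unless the resolved path is bash itself; the `bash` line is the one that covers the package discussed in this thread.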