[Security] Update bash *NOW*

Clive DaSilva cdasilva-q6EoVN9bke6w5LPnMra/2Q at public.gmane.org
Fri Sep 26 16:40:28 UTC 2014


On this subject, I have three Linux boxes in my basement: two are Fedora 20, and one is Linux Mint 17. It seems as if I am getting bash and dbus updates once or twice a day now.

Clive

-----Original Message-----
From: owner-tlug-lxSQFCZeNF4 at public.gmane.org [mailto:owner-tlug-lxSQFCZeNF4 at public.gmane.org] On Behalf Of Darryl Moore
Sent: September-26-14 10:49 AM
To: tlug-lxSQFCZeNF4 at public.gmane.org
Subject: Re: [TLUG]: [Security] Update bash *NOW*

I've checked our servers. From what I've seen, for the exploit to work with Apache, you need to have CGI enabled, have a bash script in the cgi-bin directory, and do a crafted HTTP request for that script. If the executable file requested does not exist, or if it is not a bash script, the exploit will not work.

I did find attempts to hack our machines today, but due to the above constraints, they appear to have failed.

Nonetheless, we are updating bash on everything as we speak.

Regards,
Darryl

On 14-09-25 08:15 PM, Scott Elcomb wrote:
> On Wed, Sep 24, 2014 at 10:03 PM, Walter Dnes <waltdnes-SLHPyeZ9y/tg9hUCZPvPmw at public.gmane.org> wrote:
>>   Slashdot article
>> http://linux.slashdot.org/story/14/09/24/1638207/remote-exploit-vulnerability-found-in-bash
>>
>>   Story at
>> http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html
>>
>>   CVE ID CVE-2014-6271 at http://seclists.org/oss-sec/2014/q3/650
>>
>>   Summary... bash scripts, CGI, perl via "system()", and various 
>> other "commands" invoke a bash shell at times, passing environmental 
>> variables in the process.  Problem is that an "environmental 
>> variable" ***CAN CONTAIN A FUNCTION DEFINITION, AND EXECUTE IT WHILST 
>> SPAWNING A NEW SHELL***.  E.g. execute the command...
> 
> Some scary bits I've seen today:
> 
> Looks like DHCP servers can leverage it:
> <https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/>
> 
> Web server log entry with a shellshock signature and wanting to run rm 
> -rf / <https://twitter.com/danielcid/status/515244941380177920>
> 
> And via <http://beta.slashdot.org/story/207709> there's now a 'wopbot'
> on the loose: 
> <http://www.itnews.com.au/News/396197,first-shellshock-botnet-attacks-akamai-us-dod-networks.aspx>
> 
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
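
Added example (not part of the original thread): a log triage sketch that applies the constraints Darryl describes, flagging requests whose headers carry a bash function-definition prefix and separating those that reached an existing cgi-bin script from those that could not have worked. It assumes Apache's "combined" log format and a /cgi-bin/ path prefix; the sample log lines are constructed and their payloads are elided.

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# A value containing "() {" is what a vulnerable bash treats as a function definition.
SIGNATURE_RE = re.compile(r'\(\)\s*\{')

def classify(line, cgi_prefix="/cgi-bin/"):
    """Return None for clean or unparsable lines, else a dict describing the probe."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = [f for f in ("request", "referer", "agent") if SIGNATURE_RE.search(m[f])]
    if not fields:
        return None
    parts = m["request"].split()
    path = parts[1] if len(parts) >= 2 else ""
    status = int(m["status"])
    # Only an existing CGI script (2xx) could have passed the header to bash.
    if path.startswith(cgi_prefix) and 200 <= status < 300:
        verdict = "review"  # script exists; check by hand whether it runs bash
    else:
        verdict = "failed"  # not a CGI target, or the script was not found
    return {"host": m["host"], "path": path, "status": status,
            "fields": fields, "verdict": verdict}

def scan(lines):
    """Classify every line and keep only the probes."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges, payloads elided).
PROBE = "() { [body elided] }; [command elided]"
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2014:09:12:01 -0400] "GET /cgi-bin/status.sh HTTP/1.1" 200 312 "-" "%s"' % PROBE,
    '198.51.100.7 - - [26/Sep/2014:09:13:44 -0400] "GET /cgi-bin/test.cgi HTTP/1.0" 404 208 "%s" "-"' % PROBE,
    '203.0.113.5 - - [26/Sep/2014:09:14:02 -0400] "GET / HTTP/1.1" 200 5120 "-" "%s"' % PROBE,
    '192.0.2.44 - - [26/Sep/2014:09:15:30 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["verdict"], hit["host"], hit["status"], hit["path"], hit["fields"])
```

A "review" verdict only means the request reached an existing CGI script; the access log cannot show whether that script is a bash script or whether bash was already patched at the time.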