Jump to content


Photo

Shellshock Exploit

Admins beware

  • Please log in to reply
13 replies to this topic

#1 wlayton27

wlayton27

    Overlord

  • Atomican
  • 2,104 posts

Posted 10 October 2014 - 10:29 PM

Heard of the heartbleed bug? This one's an even bigger deal. Apparently, there's a newly discovered exploit in the BASH command line that interprets a string of characters or a string variable as an actual command in a very specific syntax.

 

http://www.youtube.com/watch?v=aKShnpOXqn0

 

also:

 

 

Been a while since I've used BASH scripting, so this syntax isn't exactly fresh in my head, but it still looks familiar.

 

Enough to make me think twice about running an outdated version of GNU/Linux. Much more alarming for system admins and web servers that use GNU tools, or for users who log in regularly to web servers that use GNU tools.


ASUS M4A87TD EVO; AM3 Phenom II Dual 555; EVGA GTX 460; Zalman CNPS10X Performa Cooler; Antec 300; ThermalTake TR2 500W

#2 Director

Director

    Immortal

  • Hero
  • 40,460 posts

Posted 11 October 2014 - 06:36 AM

So windows ftw?


"The most powerful tool in the hand of the opressor is the mind of the opressed."-- Steve Biko

Those Who Dance Are Considered Insane by Those Who Can’t Hear the Music.


#3 .:Cyb3rGlitch:.

.:Cyb3rGlitch:.

    Hero

  • Mod
  • 21,368 posts

Posted 11 October 2014 - 12:21 PM

The take away here is that every non-trivial piece of software is likely exploitable unless you have formally verified it safe. Good luck finding people who know how to do that outside research facilities like Nicta (whose future is uncertain thanks to Abbott). Even then, you're still open to social engineering tactics.

"We are a way for the cosmos to know itself." - Carl Sagan
"I do not fear death. I had been dead for billions and billions of years before I was born, and had not suffered the slightest inconvenience from it." - Mark Twain
 
An open mind is willing to consider new ideas, while provisionally accepting those backed by empirical evidence, and provisionally rejecting those without.


#4 noskcaj

noskcaj

    Primarch

  • Atomican
  • 1,260 posts
  • Location:Armidale, New South Wales

Posted 12 October 2014 - 05:38 AM

It's been patched in pretty much every supported OS, ubuntu isn't hugely affected as it uses DASH, and debian has now changed to DASH because of this.


I am an Ubuntu developer, send me a PM if you would like to join the ubuntu team or have a question

#5 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 19,913 posts
  • Location:QLD

Posted 16 October 2014 - 12:11 PM

And there in lies the advantage; It'd take months, or at least weeks, for microsoft to engineer a patch to a similar problem.

Linux is already on top of it; lol


Wherever you go in life, watch out for Scythe, the tackling IT support guy.

"I don't care what race you are, not one f*cking bit, if you want to be seen as a good people, you go in there and you f*ck up the people who (unofficially) represent you in a negative light!"


#6 SquallStrife

SquallStrife

    Really knows where his towel is

  • Atomican
  • 17,936 posts

Posted 17 October 2014 - 07:35 AM

And there in lies the advantage; It'd take months, or at least weeks, for microsoft to engineer a patch to a similar problem.
Linux is already on top of it; lol


lol

Did you know Microsoft patched the Blaster/Welchia and Sasser vulnerabilities *before* they were disclosed and the worms started propagating? In the case of Sasser, the vulnerability was patched on "Patch Tuesday" *two weeks* before the worm was found "in the wild".

If people had Windows Update set to automatically install updates, they wouldn't have been as widespread as they were.

But because IT "pros" were ignorant/arrogant about enabling automatic updates (myself included), they spread like wildfire.

Tell me, how often do you "apt-get update && apt-get upgrade" (or equivalent)?

Edited by SquallStrife, 17 October 2014 - 07:38 AM.

SyDjDDk.png [retro swim] | AzpUvwG.png @retroswimau | q5O6HgO.png +RetroSwim
四時半を待っています!

#7 Xen

Xen

    Overlord

  • Atomican
  • 3,001 posts

Posted 17 October 2014 - 12:30 PM

 

And there in lies the advantage; It'd take months, or at least weeks, for microsoft to engineer a patch to a similar problem.
Linux is already on top of it; lol


lol

Did you know Microsoft patched the Blaster/Welchia and Sasser vulnerabilities *before* they were disclosed and the worms started propagating? In the case of Sasser, the vulnerability was patched on "Patch Tuesday" *two weeks* before the worm was found "in the wild".

If people had Windows Update set to automatically install updates, they wouldn't have been as widespread as they were.

But because IT "pros" were ignorant/arrogant about enabling automatic updates (myself included), they spread like wildfire.

Tell me, how often do you "apt-get update && apt-get upgrade" (or equivalent)?

 

 

Once a week on a production machine, every day on dev machines.

 

I zypper up my work machine daily too.



#8 noskcaj

noskcaj

    Primarch

  • Atomican
  • 1,260 posts
  • Location:Armidale, New South Wales

Posted 18 October 2014 - 06:21 AM

 

And there in lies the advantage; It'd take months, or at least weeks, for microsoft to engineer a patch to a similar problem.
Linux is already on top of it; lol


lol

Did you know Microsoft patched the Blaster/Welchia and Sasser vulnerabilities *before* they were disclosed and the worms started propagating? In the case of Sasser, the vulnerability was patched on "Patch Tuesday" *two weeks* before the worm was found "in the wild".

If people had Windows Update set to automatically install updates, they wouldn't have been as widespread as they were.

But because IT "pros" were ignorant/arrogant about enabling automatic updates (myself included), they spread like wildfire.

Tell me, how often do you "apt-get update && apt-get upgrade" (or equivalent)?

 

Daily on startup with my chroot updates, and my gaming pc (ubuntu) has auto updates.


I am an Ubuntu developer, send me a PM if you would like to join the ubuntu team or have a question

#9 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 19,913 posts
  • Location:QLD

Posted 18 October 2014 - 09:44 AM

Yep, daily here too. Its part of the startup script.


Wherever you go in life, watch out for Scythe, the tackling IT support guy.

"I don't care what race you are, not one f*cking bit, if you want to be seen as a good people, you go in there and you f*ck up the people who (unofficially) represent you in a negative light!"


#10 Leonid

Leonid

    Immortal

  • Atomican't
  • 40,505 posts

Posted 18 October 2014 - 05:45 PM

I patch once a month.

 

When you have mail relays handling 200,000+ emails a day, "yum update -y" is not something you do lightly.


"I'd rather die standing up than live on my knees." - Stephane Charbonnier (1967-2015)

"If liberty means anything, it means the right to tell people what they do not want to hear." - George Orwell

#11 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 19,913 posts
  • Location:QLD

Posted 20 October 2014 - 08:45 AM

Did you know Microsoft patched the Blaster/Welchia and Sasser vulnerabilities *before* they were disclosed and the worms started propagating? 

 

How as that possible?

Did they know the writer and ask for a pre-release copy?

 

Surely it had to be in the wold propagating before they could have known about it.... Conspiracy theory?

 

But yeah, it was still a 'Tuesday update' rollout, unlike *nix which was daily; but I'm not trying to fanboi either. I'm a windows guy at heart. It's just a true advantage of open source showing its head.


Edited by Master_Scythe, 20 October 2014 - 08:46 AM.

Wherever you go in life, watch out for Scythe, the tackling IT support guy.

"I don't care what race you are, not one f*cking bit, if you want to be seen as a good people, you go in there and you f*ck up the people who (unofficially) represent you in a negative light!"


#12 SquallStrife

SquallStrife

    Really knows where his towel is

  • Atomican
  • 17,936 posts

Posted 20 October 2014 - 09:40 AM

Did you know Microsoft patched the Blaster/Welchia and Sasser vulnerabilities *before* they were disclosed and the worms started propagating?

 
How as that possible?
Did they know the writer and ask for a pre-release copy?


The RPC patch for Blaster had already been out for a month when a Polish hacker group discovered and disclosed the vulnerability. Basically, if you kept yourself up to date, you had nothing to worry about. Plenty of people didn't keep themselves up to date though. This was 2003, still lots of dialup internet and small quota broadband. You didn't want updates hogging your 5KB/s of dialup bandwidth or eating through your 3GB of Bigpond Advance quota.

Edited by SquallStrife, 20 October 2014 - 09:54 AM.

SyDjDDk.png [retro swim] | AzpUvwG.png @retroswimau | q5O6HgO.png +RetroSwim
四時半を待っています!

#13 neubejiita

neubejiita

    Apprentice

  • Quark
  • 65 posts
  • Location:Wagga Wagga

Posted 17 August 2015 - 11:39 AM

The shellshock Linux bug still works on Debian 8.

env VAR1='me() {echo "hello"}\ ' /bin/touch /home/$LOGNAME/my.text

Give this a try on your box. Did you get a text file?


"The same folks that are bombing innocent people in Iraq were the ones who attacked us in America on September the 11th." --George W Bush, Washington, D.C, July 12, 2007

#14 Xen

Xen

    Overlord

  • Atomican
  • 3,001 posts

Posted 17 August 2015 - 12:46 PM

Still works on all the machines I'm running.

 

Debian 8.1

OpenSUSE 13.2

SUSE 12

RHEL 6.7






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users