wlayton27

Shellshock Exploit


Heard of the heartbleed bug? This one's an even bigger deal. Apparently, there's a newly discovered exploit in the BASH command line that interprets a string of characters or a string variable as an actual command in a very specific syntax.

 

http://www.youtube.com/watch?v=aKShnpOXqn0

 

also:

 

 

Been a while since I've used BASH scripting, so this syntax isn't exactly fresh in my head, but it still looks familiar.

 

Enough to make me think twice about running an outdated version of GNU/Linux. Much more alarming for system admins and web servers that use GNU tools, or for users who log in regularly to web servers that use GNU tools.


The takeaway here is that every non-trivial piece of software is likely exploitable unless you have formally verified it safe. Good luck finding people who know how to do that outside research facilities like NICTA (whose future is uncertain thanks to Abbott). Even then, you're still open to social engineering tactics.

  • Like 1


It's been patched in pretty much every supported OS, Ubuntu isn't hugely affected as it uses DASH, and Debian has now changed to DASH because of this.


And therein lies the advantage; it'd take months, or at least weeks, for Microsoft to engineer a patch to a similar problem.

Linux is already on top of it; lol


And therein lies the advantage; it'd take months, or at least weeks, for Microsoft to engineer a patch to a similar problem.

Linux is already on top of it; lol

lol

 

Did you know Microsoft patched the Blaster/Welchia and Sasser vulnerabilities *before* they were disclosed and the worms started propagating? In the case of Sasser, the vulnerability was patched on "Patch Tuesday" *two weeks* before the worm was found "in the wild".

 

If people had Windows Update set to automatically install updates, they wouldn't have been as widespread as they were.

 

But because IT "pros" were ignorant/arrogant about enabling automatic updates (myself included), they spread like wildfire.

 

Tell me, how often do you "apt-get update && apt-get upgrade" (or equivalent)?

Edited by SquallStrife


 

And therein lies the advantage; it'd take months, or at least weeks, for Microsoft to engineer a patch to a similar problem.

Linux is already on top of it; lol

lol

 

Did you know Microsoft patched the Blaster/Welchia and Sasser vulnerabilities *before* they were disclosed and the worms started propagating? In the case of Sasser, the vulnerability was patched on "Patch Tuesday" *two weeks* before the worm was found "in the wild".

 

If people had Windows Update set to automatically install updates, they wouldn't have been as widespread as they were.

 

But because IT "pros" were ignorant/arrogant about enabling automatic updates (myself included), they spread like wildfire.

 

Tell me, how often do you "apt-get update && apt-get upgrade" (or equivalent)?

 

 

Once a week on a production machine, every day on dev machines.

 

I zypper up my work machine daily too.


 

And therein lies the advantage; it'd take months, or at least weeks, for Microsoft to engineer a patch to a similar problem.

Linux is already on top of it; lol

lol

 

Did you know Microsoft patched the Blaster/Welchia and Sasser vulnerabilities *before* they were disclosed and the worms started propagating? In the case of Sasser, the vulnerability was patched on "Patch Tuesday" *two weeks* before the worm was found "in the wild".

 

If people had Windows Update set to automatically install updates, they wouldn't have been as widespread as they were.

 

But because IT "pros" were ignorant/arrogant about enabling automatic updates (myself included), they spread like wildfire.

 

Tell me, how often do you "apt-get update && apt-get upgrade" (or equivalent)?

 

Daily on startup with my chroot updates, and my gaming pc (ubuntu) has auto updates.


I patch once a month.

 

When you have mail relays handling 200,000+ emails a day, "yum update -y" is not something you do lightly.


Did you know Microsoft patched the Blaster/Welchia and Sasser vulnerabilities *before* they were disclosed and the worms started propagating?

 

How was that possible?

Did they know the writer and ask for a pre-release copy?

 

Surely it had to be in the wild propagating before they could have known about it.... Conspiracy theory?

 

But yeah, it was still a 'Tuesday update' rollout, unlike *nix which was daily; but I'm not trying to fanboi either. I'm a Windows guy at heart. It's just a true advantage of open source showing its head.

Edited by Master_Scythe


 

Did you know Microsoft patched the Blaster/Welchia and Sasser vulnerabilities *before* they were disclosed and the worms started propagating?

How was that possible?

Did they know the writer and ask for a pre-release copy?

 

The RPC patch for Blaster had already been out for a month when a Polish hacker group discovered and disclosed the vulnerability. Basically, if you kept yourself up to date, you had nothing to worry about. Plenty of people didn't keep themselves up to date though. This was 2003, still lots of dialup internet and small quota broadband. You didn't want updates hogging your 5KB/s of dialup bandwidth or eating through your 3GB of Bigpond Advance quota.

Edited by SquallStrife


The shellshock Linux bug still works on Debian 8.

env VAR1='me() {echo "hello"}\ ' /bin/touch /home/$LOGNAME/my.text

Give this a try on your box. Did you get a text file?


Still works on all the machines I'm running.

 

Debian 8.1

OpenSUSE 13.2

SUSE 12

RHEL 6.7
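
An added example, not part of any post in this thread: a shell check that tells a bash that still executes code trailing a function definition in an environment variable from one that does not, with a control showing that a non-shell target such as touch creates its file either way. The marker string, variable name and function names are constructed for the example.

```shell
#!/bin/sh
# Added example: check whether a shell binary imports function definitions
# from ordinary environment variables (the Shellshock behaviour).
# MARKER, probe_var and the function names are constructed for this example.

MARKER="SHELLSHOCK_TRAILING_CODE_RAN"

# Classify the captured output of a probe run.
# A patched bash prints only the probe line; a vulnerable one also prints
# the marker, because it ran the text after the function body while
# importing the variable at startup.
classify_probe_output() {
    case "$1" in
        *"$MARKER"*) echo "vulnerable" ;;
        *probe-ok*)  echo "not-vulnerable" ;;
        *)           echo "inconclusive" ;;
    esac
}

# Run the probe against one shell binary (default: bash found on PATH).
# The variable holds a function definition followed by a harmless echo.
probe_shell() {
    shell_bin="${1:-bash}"
    if ! command -v "$shell_bin" >/dev/null 2>&1; then
        echo "inconclusive"
        return 0
    fi
    out=$(env "probe_var=() { :;}; echo $MARKER" \
          "$shell_bin" -c 'echo probe-ok' 2>/dev/null)
    classify_probe_output "$out"
}

# Control case: the target is not a shell, so bash never parses the variable
# and the file is created on patched and unpatched systems alike.
control_non_shell_target() {
    tmp=$(mktemp -d) || return 1
    env "probe_var=() { :;}; echo $MARKER" touch "$tmp/created"
    if [ -e "$tmp/created" ]; then echo "file-created"; else echo "no-file"; fi
    rm -rf "$tmp"
}
```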
