[Cialug] Shellshock Bash Remote Code Execution Vulnerability

Thomas Kula kula at tproa.net
Thu Sep 25 09:43:33 CDT 2014


On Thu, Sep 25, 2014 at 09:34:39AM -0500, Sean Flattery wrote:
> If you haven't heard yet, yesterday they announced a huge bug in bash that
> allows an attacker to remotely execute any bash commands without
> authentication.  Any service that calls to Bash can be abused to run
> arbitrary commands.
> 
> You can test this locally by running the following:
> 
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> 
> If Bash echoes out the word vulnerable, you're at risk.  For a good writeup
> see this article:
> http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html


FYI, the first patch was incomplete; pay attention to
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 for
details on that. 


-- 
Thomas L. Kula | kula at tproa.net | http://kula.tproa.net/
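
A local self-check covering both the test command quoted above and the incomplete first patch (CVE-2014-7169), as an added example that is not part of the original thread. The function name, status strings and list of paths are illustrative; the second check is the widely published CVE-2014-7169 test, which does not appear in the messages above.

```shell
#!/bin/sh
# Added example (not from the thread): check one bash binary for the
# original bug and for the incomplete-fix follow-up, CVE-2014-7169.
# Usage: shellshock_status /absolute/path/to/bash
# Prints one of: missing, vulnerable-original, vulnerable-7169, passed
shellshock_status() {
    bash_bin=$1
    if [ ! -x "$bash_bin" ]; then
        echo missing
        return 0
    fi

    # Check 1: the command from the quoted message. A vulnerable bash runs
    # the text that follows the function body while importing variable x.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo vulnerable-original; return 0 ;;
    esac

    # Check 2: with only the first patch applied, the leftover ">\" from the
    # malformed definition turns "echo date" into a redirect to a file named
    # "echo". Run in a scratch directory and look for that file.
    work=$(mktemp -d) || return 1
    ( cd "$work" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$work/echo" ]; then
        result=vulnerable-7169
    else
        result=passed
    fi
    rm -rf "$work"
    echo "$result"
}

# Report on bash binaries in common locations (constructed list of paths).
for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
    if [ -x "$b" ]; then
        printf '%s: %s\n' "$b" "$(shellshock_status "$b")"
    fi
done
```

"passed" means only that these two checks found nothing for that binary; any other copies of bash on the system need to be checked separately.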

