[Cialug] Shellshock Bash Remote Code Execution Vulnerability
Matt Stanton
matt at itwannabe.com
Thu Sep 25 11:07:28 CDT 2014
I did notice that Ubuntu put out a bash (among other things) update within the past couple of days. I had one VPS that I hadn't updated in the past week and another that I updated as soon as the update came out. The vulnerability test worked on the one that hadn't been updated, and failed on the updated VPS (obviously I updated the first VPS after running that test). So it appears that Ubuntu's most recent update has theoretically fixed the problem.
-- Matt (N0BOX)
Sent from my ASUS Transformer
-----Original Message-----
From: Nicolai <nicolai-cialug at chocolatine.org>
To: Central Iowa Linux Users Group <cialug at cialug.org>
Sent: Thu, 25 Sep 2014 10:39 AM
Subject: Re: [Cialug] Shellshock Bash Remote Code Execution Vulnerability
On Thu, Sep 25, 2014 at 09:34:39AM -0500, Sean Flattery wrote:
> If you haven't heard yet, yesterday they announced a huge bug in bash that
> allows attacker to remotely execute any bash commands without
> authentication. Any service that calls to Bash can be abused to run
> arbitrary commands.
>
> You can test this locally by running the following:
>
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
This reminds me of a PHF bug from around ~95-96. Pretty nasty.
Nicolai
_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug
More information about the Cialug
mailing list