[Cialug] Shellshock Bash Remote Code Execution Vulnerability

David Champion dchamp1337 at gmail.com
Thu Sep 25 11:10:09 CDT 2014


Looks like CentOS has it patched as well.

-dc

On Thu, Sep 25, 2014 at 11:07 AM, Matt Stanton <matt at itwannabe.com> wrote:

> I did notice that Ubuntu put out a bash (among other things) update within
> the past couple of days.  I had one VPS that I hadn't updated in the past
> week and another that I updated as soon as the update came out.  The
> vulnerability test worked on the one that hadn't been updated, and failed
> on the updated VPS (obviously I updated the first VPS after running that
> test).  So it appears that Ubuntu's most recent update has theoretically
> fixed the problem.
>
> -- Matt (N0BOX)
>
> Sent from my ASUS Transformer
>
> -----Original Message-----
> From: Nicolai <nicolai-cialug at chocolatine.org>
> To: Central Iowa Linux Users Group <cialug at cialug.org>
> Sent: Thu, 25 Sep 2014 10:39 AM
> Subject: Re: [Cialug] Shellshock Bash Remote Code Execution Vulnerability
>
> On Thu, Sep 25, 2014 at 09:34:39AM -0500, Sean Flattery wrote:
> > If you haven't heard yet, yesterday they announced a huge bug in bash
> that
> > allows attacker to remotely execute any bash commands without
> > authentication.  Any service that calls to Bash can be abused to run
> > arbitrary commands.
> >
> > You can test this locally by running the following:
> >
> > env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>
> This reminds me of a PHF bug from around ~95-96.  Pretty nasty.
>
> Nicolai
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
>


More information about the Cialug mailing list