I would go after the usual soft targets – WordPress and Joomla sites.

From: Josh Reynolds via Af 
Sent: Sunday, September 28, 2014 4:20 PM
To: af@afmug.com 
Subject: Re: [AFMUG] Bash specially-crafted environment variables code injection attack

Honestly, if I was going to exploit this attack vector to the fullest, the very first thing I would do is exploit a local machine with malware via email or a malicious web app... then use said computer to nmap all RFC1918 space and use that data collection to run various "shellshock" attacks against potentially vulnerable machines/services.

Always patch your systems.

Josh Reynolds, Chief Information Officer
SPITwSPOTS, www.spitwspots.com

On 09/28/2014 12:24 PM, That One Guy via Af wrote:

  So if it's a DNS server with only DNS open on the external firewall, but it is running a management interface for internal management, is it vulnerable externally, since the only inbound access is on the DNS ports and I'm assuming Apache doesn't listen on those ports by default?

  On Sun, Sep 28, 2014 at 1:13 PM, Josh Reynolds via Af <af@afmug.com> wrote:

    If it ONLY does dhcp/dns/ntp, that's fine.

    If it also has a base apache install, it's likely vulnerable :)

    Josh Reynolds, Chief Information Officer
    SPITwSPOTS, www.spitwspots.com

    On 09/28/2014 06:38 AM, Ken Hohhof via Af wrote:

      Why?

      Take the case of a dedicated server that only does let’s say DHCP or DNS 
or NTP.  It only has one port open to the Internet, and there’s no way to get 
to a bash shell via that port.  How the hell is someone going to pass an 
environment variable to a bash shell on that server?

      From: Shayne Lebrun via Af 
      Sent: Sunday, September 28, 2014 8:40 AM
      To: af@afmug.com 
      Subject: Re: [AFMUG] Bash specially-crafted environment variables code injection attack

      > I think the articles have maybe overstated the risk a bit, since you would need to either authenticate (at least as a regular user) to get to a shell, or find a publicly exposed script that will pass an environment variable to bash for you.

      Please don’t think like this.  

      From: Af [mailto:af-bounces+slebrun=muskoka....@afmug.com] On Behalf Of 
Ken Hohhof via Af
      Sent: Saturday, September 27, 2014 1:38 PM
      To: af@afmug.com
      Subject: Re: [AFMUG] Bash specially-crafted environment variables code 
injection attack

      So maybe I won’t do that.

      The newer servers where I could just do a yum update have been 
straightforward, as you’d expect.

      I think the articles have maybe overstated the risk a bit, since you 
would need to either authenticate (at least as a regular user) to get to a 
shell, or find a publicly exposed script that will pass an environment variable 
to bash for you.

      From: Jeremy via Af 

      Sent: Saturday, September 27, 2014 12:13 PM

      To: af@afmug.com 

      Subject: Re: [AFMUG] Bash specially-crafted environment variables code 
injection attack

      Our webserver was vulnerable.  Tried to fix it without backing it up 
first....yeah, I know.  Lost it all.  So I guess I will be building a new 
website from my 2013 backup this weekend.  It's a good thing I carpet bombed my 
website to prevent anyone from messing with it!

      On Sat, Sep 27, 2014 at 10:25 AM, Ken Hohhof via Af <af@afmug.com> wrote:

      Unfortunately I have a couple of old servers running RHEL4 and one old BlueQuartz webhosting appliance based on CentOS4.  I'm a little reluctant to try compiling the patch myself unless I switch to a different shell first; if I screw up my command shell it might be difficult to fix.

      Any guess if I’d be safe using the RPM cited in this thread:

      http://serverfault.com/questions/631055/how-do-i-patch-rhel-4-for-the-bash-vulnerabilities-in-cve-2014-6271-and-cve-2014

      the RPM it points to is:



      http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/bash-3.0-27.0.2.el4.i386.rpm

      From: Ty Featherling via Af 

      Sent: Saturday, September 27, 2014 10:52 AM

      To: af@afmug.com 

      Subject: Re: [AFMUG] Bash specially-crafted environment variables code 
injection attack

      Yeah probably the NSA! Hahaha! 

      -Ty

      On Sep 26, 2014 10:36 PM, "That One Guy via Af" <af@afmug.com> wrote:

      Man, I bet there's some guy who's been exploiting this for 20 years who is pissed right now.

      On Fri, Sep 26, 2014 at 1:54 PM, Ty Featherling via Af <af@afmug.com> 
wrote:

      CentOS on some, Ubuntu on others. Already got the answers in this thread 
though, thanks. 

      -Ty

      On Fri, Sep 26, 2014 at 11:54 AM, Mike Hammett via Af <af@afmug.com> 
wrote:

      Which distribution?

      -----
      Mike Hammett
      Intelligent Computing Solutions
      http://www.ics-il.com

--------------------------------------------------------------------------

      From: "Ty Featherling via Af" <af@afmug.com>
      To: af@afmug.com
      Sent: Thursday, September 25, 2014 2:42:31 PM
      Subject: Re: [AFMUG] Bash specially-crafted environment variables code 
injection attack

      Noob question but how can I easiest update my linux boxes to get the 
latest patches? 

      -Ty

      On Thu, Sep 25, 2014 at 1:59 PM, Josh Reynolds via Af <af@afmug.com> 
wrote:

      Upgraded our systems at 6am yesterday for this. Also pulled the bash .deb out of debian-stable/security for our Ubiquiti EdgeRouters. (I made a post on the UBNT forum with the CVE info yesterday.)

      Side note: TONS of things are affected by this...

      Josh Reynolds, Chief Information Officer
      SPITwSPOTS, www.spitwspots.com

      On 09/25/2014 10:25 AM, Peter Kranz via Af wrote:

      PS. This vulnerability can be exploited via HTTP/Apache attack vectors, so you need to patch any vulnerable system running Apache.

      Peter Kranz
      Founder/CEO - Unwired Ltd
      www.UnwiredLtd.com
      Desk: 510-868-1614 x100
      Mobile: 510-207-0000
      pkr...@unwiredltd.com

      -----Original Message-----
      From: Af [mailto:af-bounces+pkranz=unwiredltd....@afmug.com] On Behalf Of Matt via Af
      Sent: Thursday, September 25, 2014 10:27 AM
      To: af@afmug.com
      Subject: [AFMUG] Bash specially-crafted environment variables code injection attack

      Bash specially-crafted environment variables code injection attack
      https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

      -- 

      All parts should go together without forcing. You must remember that the 
parts you are reassembling were disassembled by you. Therefore, if you can't 
get them together again, there must be a reason. By all means, do not use a 
hammer. -- IBM maintenance manual, 1925

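Two questions run through the thread: how an attacker gets an environment variable in front of bash at all (Ken), and why an Apache host is the obvious case (Peter, Josh). The script below is an added example, not code from the list or from any of its participants. It shows the local probe for the original bug, the header-to-environment mapping that a CGI gateway performs, and a count of access-log lines carrying the `() {` marker. The function names and the log lines are constructed for this example; the probe runs against whatever `bash` is on PATH, and a patched one reports not vulnerable.

```shell
#!/bin/sh
# Added example for the Shellshock thread, not code from the list or its
# members. POSIX sh; bash is only needed as the probe target. The function
# names and the sample log lines below are constructed for this example.

# Probe a bash binary for CVE-2014-6271. Unpatched bash imported a shell
# function from any environment variable whose value began with "() {" and
# then executed whatever followed the closing brace. The variable name does
# not matter, so the second argument lets you use the name a CGI gateway
# would set. Returns 0 if the trailing command ran (vulnerable), 1 if not,
# 2 if the binary cannot be run.
shellshock_probe() {
    bash_bin="${1:-bash}"
    var_name="${2:-x}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    out=$(env "$var_name=() { :;}; echo VULNERABLE" "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# How the variable gets there on a web server: a CGI gateway such as Apache
# mod_cgi copies each request header into the script's environment as
# HTTP_<NAME> (RFC 3875 section 4.1.18), uppercased with '-' turned into '_'.
# A request header "User-Agent: () { :;}; /bin/ping ..." therefore becomes
# HTTP_USER_AGENT in the environment of every CGI script, and an unpatched
# bash parses it at startup whether or not the script ever reads it.
cgi_env_name() {
    printf 'HTTP_%s\n' "$(printf '%s' "$1" | tr '-' '_' | tr 'a-z' 'A-Z')"
}

# Constructed Apache combined-log lines (not real traffic). Two carry the
# function-definition prefix, one in User-Agent and one in Referer.
SAMPLE_LOG='192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/ping -c 1 198.51.100.5"
192.0.2.11 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.12 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 80 "() { :; }; echo; /bin/cat /etc/passwd" "curl/7.37.0"
192.0.2.13 - - [25/Sep/2014:10:00:04 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible)"'

# Count log lines (read from stdin) whose quoted header fields carry the
# prefix, with or without the space that some scanners dropped. Prints the count.
count_shellshock_hits() {
    grep -c -F -e '() {' -e '(){'
}

# Stand-alone run: probe the local bash through the CGI-style variable name,
# then scan the sample log.
if shellshock_probe bash "$(cgi_env_name User-Agent)"; then
    echo "local bash: VULNERABLE to CVE-2014-6271"
else
    echo "local bash: not vulnerable, or bash not present"
fi
printf 'log lines with a function-definition prefix: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_hits)"
```

For the patching question raised earlier in the thread, the bash package alone is what needs updating (`yum update bash` on RHEL/CentOS, `apt-get install --only-upgrade bash` on Debian/Ubuntu); re-run the probe afterwards, because the first upstream fix was incomplete and a second round of bash updates followed within days. The same "how does the variable reach bash" question applies beyond Apache to any service that runs bash with attacker-influenced data in its environment, for example dhclient option hook scripts on a DHCP client, or sshd with a ForceCommand, which places the client's requested command in SSH_ORIGINAL_COMMAND.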