For those of you who haven't been up into the small hours looking at the bash shellshock bug:

Summarized here:
    http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
which gives the following useful test:

        env X="() { :;} ; echo busted" `which bash` -c "echo completed"

and claims the bug exists from version 1.13 .. 4.3.

It can be exploited with wget, ssh, http...

They quote NIST thus:

   GNU Bash through 4.3 processes trailing strings after function
   definitions in the values of environment variables, which allows
   remote attackers to execute arbitrary code via a crafted
   environment, as demonstrated by vectors involving the ForceCommand
   feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the
   Apache HTTP Server, scripts executed by unspecified DHCP clients,
   and other situations in which setting the environment occurs across
   a privilege boundary from Bash execution.

   Authentication: Not required to exploit

   Impact Type: Allows unauthorized disclosure of information; Allows
   unauthorized modification; Allows disruption of service


More details, and an http exploit, are in
    http://seclists.org/oss-sec/2014/q3/650

For anyone on OS-X, it affects their bash, sh, csh, tcsh, zsh, ksh; i.e., all the distributed shells.

happy days...


_______________________________________________
luv-main mailing list
[email protected]
http://lists.luv.asn.au/listinfo/luv-main
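
The test quoted in the post, wrapped as a check for installed shells, together with a scan of web access logs for the function-definition prefix the bug relies on. This is an added example, not part of the original message; the function names, sample log lines and addresses are constructed.

```shell
#!/bin/sh
# Added example: defensive checks for the bug described above.
# Function names and the sample log are constructed for illustration.

# check_shell PATH: run the post's test against one shell binary.
# Prints the verdict; returns 0 = not vulnerable, 1 = vulnerable, 2 = skipped.
check_shell() {
    [ -x "$1" ] || { echo "skipped (not executable)"; return 2; }
    # A vulnerable bash executes the text after the function body while
    # importing X, so "busted" is printed before "completed".
    out=$(env X='() { :;} ; echo busted' "$1" -c 'echo completed' 2>/dev/null)
    case $out in
        *busted*) echo "vulnerable"; return 1 ;;
        *)        echo "not vulnerable"; return 0 ;;
    esac
}

# suspect_clients FILE: list client addresses (first field) of access-log
# lines containing "() {", the start of a function definition, which is
# not expected in ordinary request lines or headers.
suspect_clients() {
    grep -E '[(][)][[:space:]]*[{]' "$1" | cut -d' ' -f1 | sort -u
}

# sample_log: constructed Apache combined-format lines (documentation IPs).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:03:12:01 +1000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:03:12:09 +1000] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "() { :;} ; echo busted"
198.51.100.23 - - [25/Sep/2014:03:13:44 +1000] "GET /cgi-bin/status HTTP/1.1" 200 64 "() { :;} ; echo busted" "curl/7.38.0"
203.0.113.7 - - [25/Sep/2014:03:14:02 +1000] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "() { :;} ; echo busted"
192.0.2.10 - - [25/Sep/2014:03:15:30 +1000] "GET /about.html HTTP/1.1" 200 734 "-" "Mozilla/5.0"
EOF
}

# Check whichever of the shells named in the post are installed here.
for name in bash sh csh tcsh zsh ksh; do
    p=$(command -v "$name") || continue
    printf '%s: %s\n' "$p" "$(check_shell "$p")"
done

# Scan the constructed log.
log=$(mktemp)
sample_log > "$log"
echo "clients sending function-definition strings:"
suspect_clients "$log"
rm -f "$log"
```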
