[I wrote this for another list, forwarding in case it's useful]

Flurry of updates, in very rough order of importance/interestingness:

Good summaries to send to anyone joining the party late:
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
https://access.redhat.com/articles/1200223

The shellshock/badbash vuln now has a zero-day exploiting CVE-2014-6271:
https://twitter.com/yinettesys/status/515012126268604416
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505
https://gist.github.com/anonymous/929d622f3b36b00c0be1
https://www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/1411634118/

Rules for original vuln:
Snort: https://www.snort.org/advisories/vrt-rules-2014-09-24
Bro: https://github.com/CriticalStack/bro-scripts

Current fix incomplete, new CVE is CVE-2014-7169:
https://twitter.com/taviso/statuses/514887394294652929
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
http://www.openwall.com/lists/oss-security/2014/09/24/32 [and responses]

Patch for incomplete patch:
http://www.openwall.com/lists/oss-security/2014/09/25/10

Metasploit module for original vuln:
https://github.com/rapid7/metasploit-framework/commit/ff5398bf3f46c057666f7a3d0afaf4c0d6912575

Some busybox may also be affected:
https://twitter.com/dakami/status/514972098368794625

Informative new posts:
https://community.rapid7.com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html

Robert Graham's masscan of just the default page by IP (so a lower bound)
is here, but actually aborted and he'll be re-running:

Exploit possibilities walkthrough, including fetching results:
https://www.invisiblethreat.ca/2014/09/cve-2014-6271/

Tester (not complete; should spider entire site):

Landscape of obvious targets:
https://www.google.com/search?q=filetype%3Ash+inurl%3Acgi-bin

Funniest one-liner so far:
https://twitter.com/koizuka/status/515098006895349760
Akihiko Koizuka @koizuka 2h
() { :;}; /usr/bin/eject
Received on Thu Sep 25 06:40:21 2014