[aklug] CVE-2014-6271 - critical bash vulnerability

From: Royce Williams <royce@tycho.org>
Date: Thu Sep 25 2014 - 06:39:31 AKDT

[I wrote this for another list, forwarding in case it's useful]

Flurry of updates, in very rough order of importance/interestingness:

Good summaries to send to anyone joining the party late:

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
https://access.redhat.com/articles/1200223

The shellshock/badbash vuln now has a zero-day exploiting 2014-6271:

https://twitter.com/yinettesys/status/515012126268604416
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505
https://gist.github.com/anonymous/929d622f3b36b00c0be1
https://www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/1411634118/

Rules for original vuln:

Snort: https://www.snort.org/advisories/vrt-rules-2014-09-24
Bro: https://github.com/CriticalStack/bro-scripts

Current fix incomplete, new CVE is CVE-2014-7169:

https://twitter.com/taviso/statuses/514887394294652929
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
http://www.openwall.com/lists/oss-security/2014/09/24/32 [and responses]

Patch for incomplete patch:

http://www.openwall.com/lists/oss-security/2014/09/25/10

Metasploit module for original vuln:

https://github.com/rapid7/metasploit-framework/commit/ff5398bf3f46c057666f7a3d0afaf4c0d6912575

Some busybox may also be affected:

https://twitter.com/dakami/status/514972098368794625

Informative new posts:

https://community.rapid7.com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html

Robert Graham's masscan of just the default page by IP (so a lower bound)
is here, but actually aborted and he'll be re-running:

http://blog.erratasec.com/

Exploit possibilities walkthrough, including fetching results:

https://www.invisiblethreat.ca/2014/09/cve-2014-6271/

Tester (not complete; should spider entire site):

http://check.shellshock.info/

Landscape of obvious targets:

https://www.google.com/search?q=filetype%3Ash+inurl%3Acgi-bin

Funniest one-liner so far:

https://twitter.com/koizuka/status/515098006895349760
Akihiko Koizuka @koizuka
() { :;}; /usr/bin/eject
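As an added example, not part of Royce's message or of any of the projects linked above: a small Python scanner that flags the bash function-definition prefix in web server log lines, which is the same `() {` string the Snort/Bro rules look for in HTTP headers. The log lines and addresses are constructed, the regex is an assumption (deliberately looser than bash's exact prefix check, so whitespace and URL-encoded variants still surface), and the only payload used is the eject one-liner quoted above.

```python
import re
from urllib.parse import unquote

# Bash treated an environment variable as an imported function only when its
# value started with "() {". CGI web servers copy raw header and query values
# into the environment, so that prefix showing up in a request is the signal.
# Assumed detection regex: broader than bash's own check on purpose.
FUNC_PREFIX = re.compile(r"\(\s*\)\s*\{")

# Constructed sample log (Apache combined format), not taken from the page.
# Line 1 carries the one-liner in User-Agent, line 3 carries it URL-encoded
# in the query string; lines 2 and 4 are benign and contain parentheses and
# braces that must not trigger.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:06:39:31 -0800] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; /usr/bin/eject"
203.0.113.6 - - [25/Sep/2014:06:40:02 -0800] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [25/Sep/2014:06:41:15 -0800] "GET /cgi-bin/status.sh?x=%28%29%20%7B%20%3A%3B%7D%3B%20%2Fusr%2Fbin%2Feject HTTP/1.1" 200 512 "-" "curl/7.37.0"
203.0.113.8 - - [25/Sep/2014:06:42:40 -0800] "GET /docs/functions.html HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Macintosh) {x}"
"""


def decode(value: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times so double-encoded payloads still surface."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str):
    """Return the matched prefix text if a function-definition prefix appears
    anywhere in the (decoded) log line, else None."""
    match = FUNC_PREFIX.search(decode(line))
    return match.group(0) if match else None


def scan_log(text: str):
    """Return (line_number, client_ip, matched_text) for every suspicious line."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        found = scan_line(line)
        if found:
            hits.append((number, line.split()[0], found))
    return hits


if __name__ == "__main__":
    for number, ip, found in scan_log(SAMPLE_LOG):
        print(f"line {number}: {ip} sent {found!r}")
```

Running it against the sample reports lines 1 and 3 only. The regex matches on the whole decoded line rather than on individual fields, which keeps the scanner simple and also catches the prefix in the Referer or request path; tune the field handling to your own log format before relying on it.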

Received on Thu Sep 25 06:40:21 2014

This archive was generated by hypermail 2.1.8 : Thu Sep 25 2014 - 06:40:21 AKDT