[aklug] Re: CVE-2014-6271 - critical bash vulnerability

Royce,

Thanks for covering this...I was going to post something later this evening.

You have saved me the trouble!

Looks easy enough to patch.

I'd like to also talk about the access vectors.

It looks like only shelling into the box exposes this particular
remote exploit.

Are there other avenues of access?

Mike B.
Quoting Royce Williams <royce@tycho.org>:

> [I wrote this for another list, forwarding in case it's useful]
>
>
> Flurry of updates, in very rough order of importance/interestingness:
>
> Good summaries to send to anyone joining the party late:
>
> http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
> https://access.redhat.com/articles/1200223
>
>
> The shellshock/badbash vuln now has a zero-day exploiting 2014-6271:
>
> https://twitter.com/yinettesys/status/515012126268604416
> http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505
> https://gist.github.com/anonymous/929d622f3b36b00c0be1
> https://www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/1411634118/
>
>
> Rules for original vuln:
>
> Snort: https://www.snort.org/advisories/vrt-rules-2014-09-24
> Bro: https://github.com/CriticalStack/bro-scripts
>
>
> Current fix incomplete, new CVE is CVE-2014-7169:
>
> https://twitter.com/taviso/statuses/514887394294652929
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
> http://www.openwall.com/lists/oss-security/2014/09/24/32 [and responses]
>
>
> Patch for incomplete patch:
>
> http://www.openwall.com/lists/oss-security/2014/09/25/10
>
>
> Metasploit module for original vuln:
>
> https://github.com/rapid7/metasploit-framework/commit/ff5398bf3f46c057666f7a3d0afaf4c0d6912575
>
>
> Some busybox may also be affected:
>
> https://twitter.com/dakami/status/514972098368794625
>
>
> Informative new posts:
>
> https://community.rapid7.com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271
> http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
>
>
> Robert Graham's masscan of just the default page by IP (so a lower bound)
> is here, but actually aborted and he'll be re-running:
>
> http://blog.erratasec.com/
>
>
> Exploit possibilities walkthrough, including fetching results:
>
> https://www.invisiblethreat.ca/2014/09/cve-2014-6271/
>
>
> Tester (not complete; should spider entire site):
>
> http://check.shellshock.info/
>
>
> Landscape of obvious targets:
>
> https://www.google.com/search?q=filetype%3Ash+inurl%3Acgi-bin
>
>
> Funniest one-liner so far:
>
> https://twitter.com/koizuka/status/515098006895349760
> Akihiko Koizuka ‏@koizuka 2h
> () { :;}; /usr/bin/eject

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Fri Sep 26 13:34:00 2014