[aklug] Re: CVE-2014-6271 - critical bash vulnerability

From: Ginterak <marc@interak.com>
Date: Fri Sep 26 2014 - 14:23:17 AKDT

Marketplace (NPR) did a rather bogus piece on shellshock, guaranteed to promote all kinds of hysteria, which is likely one of many to come, so any *x types should be prepared to fend off anxious questions from passersby ;-)

> On Sep 26, 2014, at 1:33 PM, Mike <barjunk@attglobal.net> wrote:
>
> Royce,
>
> Thanks for covering this...I was going to post something later this evening.
>
> You have saved me the trouble!
>
> Looks easy enough to patch.
>
> I'd like to also talk about the access vectors.
>
> It looks like only shelling into the box exposes this particular remote exploit.
>
> Are there other avenues of access?
>
> Mike B.
>
> Quoting Royce Williams <royce@tycho.org>:
>
>> [I wrote this for another list, forwarding in case it's useful]
>>
>>
>> Flurry of updates, in very rough order of importance/interestingness:
>>
>> Good summaries to send to anyone joining the party late:
>>
>> http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
>> https://access.redhat.com/articles/1200223
>>
>>
>> The shellshock/badbash vuln now has a zero-day exploiting 2014-6271:
>>
>> https://twitter.com/yinettesys/status/515012126268604416
>> http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505
>> https://gist.github.com/anonymous/929d622f3b36b00c0be1
>> https://www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/1411634118/
>>
>>
>> Rules for original vuln:
>>
>> Snort: https://www.snort.org/advisories/vrt-rules-2014-09-24
>> Bro: https://github.com/CriticalStack/bro-scripts
>>
>>
>> Current fix incomplete, new CVE is CVE-2014-7169:
>>
>> https://twitter.com/taviso/statuses/514887394294652929
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
>> http://www.openwall.com/lists/oss-security/2014/09/24/32 [and responses]
>>
>>
>> Patch for incomplete patch:
>>
>> http://www.openwall.com/lists/oss-security/2014/09/25/10
>>
>>
>> Metasploit module for original vuln:
>>
>> https://github.com/rapid7/metasploit-framework/commit/ff5398bf3f46c057666f7a3d0afaf4c0d6912575
>>
>>
>> Some busybox may also be affected:
>>
>> https://twitter.com/dakami/status/514972098368794625
>>
>>
>> Informative new posts:
>>
>> https://community.rapid7.com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271
>> http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
>>
>>
>> Robert Graham's masscan of just the default page by IP (so a lower bound)
>> is here, but actually aborted and he'll be re-running:
>>
>> http://blog.erratasec.com/
>>
>>
>> Exploit possibilities walkthrough, including fetching results:
>>
>> https://www.invisiblethreat.ca/2014/09/cve-2014-6271/
>>
>>
>> Tester (not complete; should spider entire site):
>>
>> http://check.shellshock.info/
>>
>>
>> Landscape of obvious targets:
>>
>> https://www.google.com/search?q=filetype%3Ash+inurl%3Acgi-bin
>>
>>
>> Funniest one-liner so far:
>>
>> https://twitter.com/koizuka/status/515098006895349760
>> Akihiko Koizuka @koizuka 2h
>> () { :;}; /usr/bin/eject
>
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>
Received on Fri Sep 26 14:23:53 2014

This archive was generated by hypermail 2.1.8 : Fri Sep 26 2014 - 14:23:53 AKDT