BASH: Shellshock? Turtle Power?
-
All,
I’m sure many of you have already seen or heard about this, but I feel obligated to just inform you all.
[url]http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/[/url]
Shell shock is a pretty significant “bug” that I think is quite more severe than the simple label of a “bug” but rather a very large shortcoming.
Seeing as many of us are using FOG on linux servers, and a few of us are actually using our fog servers across the internet, I think it would behoove all of us to run our relevant update managers if only for this patch to be received.
-
Anyone worried about this can run this one-liner to see if you are vulnerable or not.
Run this from a Linux/OS X box:
(replace 1.2.3. with your subnet)
[CODE]for i in $(seq 1 253);do echo 1.2.3.$i;curl -s "http://www.globalshellshock.com/?search=1.2.3.$i"|grep -B5 "Global Shellshock - The"|grep center;done[/CODE]
It’s a little messy, but it does what it needs to do. Keep your eye out for a line that says “VULNERABLE” rather than “NOT VULNERABLE”.
i.e. if your subnet is 255.255.0.0 then for 1.2.3. you would place 255.255.0.
-
Also, from the article, you can test with this
[CODE]# first line tests /bin/sh (which may not be bash), second line tests bash itself
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" $(which bash) -c "echo completed"[/CODE]
or
[CODE]wget -U "() { test;};/usr/bin/touch /tmp/VULNERABLE" myserver/cgi-bin/test[/CODE]
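A defender-side version of the local test in the post above, as an added example that is not part of this thread, the article, or the FOG project: a POSIX sh function (hypothetical name shellshock_status) that runs the same function-import check against the local bash with no side effects, and also covers the follow-up parser bug CVE-2014-7169, which the first fix left open, so a server patched only once is still reported as vulnerable. It assumes env and mktemp are available.

```sh
#!/bin/sh
# Added example (not from the article or the FOG project): a local,
# side-effect-free Shellshock self-check to run on a FOG server after patching.
# The function name is hypothetical. It exercises only the local bash binary.

# shellshock_status [path-to-bash]
# Prints VULNERABLE, NOT VULNERABLE or NO BASH; always returns 0 so it is
# safe to call from scripts running under "set -e".
shellshock_status() {
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "NO BASH"; return 0
    fi
    # CVE-2014-6271: an exported value shaped like "() { ...}; cmd" is imported
    # as a function, and an unpatched bash also executes the trailing "cmd".
    # A patched bash only prints "completed" (and warns on stderr, discarded).
    out=$(env X='() { :;}; echo busted' "$bash_bin" -c 'echo completed' 2>/dev/null || true)
    case "$out" in
        *busted*) echo "VULNERABLE"; return 0 ;;
    esac
    # CVE-2014-7169 (incomplete first fix): the parser bug turns "echo date"
    # into a redirection, creating a file named "echo" in the working
    # directory. Run it in a throwaway directory so nothing is left behind.
    tmp=$(mktemp -d) || { echo "NOT VULNERABLE"; return 0; }
    ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"; echo "VULNERABLE"; return 0
    fi
    rm -rf "$tmp"
    echo "NOT VULNERABLE"
}

# Run directly: print the verdict for the default bash on this host.
shellshock_status
```

For a cron or monitoring check, compare the printed verdict against "VULNERABLE" and alert on a match; pass an explicit path (for example a second bash build) as the first argument to check a binary other than the one on PATH.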