BASH: Shellshock? Turtle Power?


  • Senior Developer

    All,

    I’m sure many of you have already seen or heard about this, but I feel obligated to just inform you all.

    [url]http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/[/url]

    Shell shock is a pretty significant “bug” that I think is quite more severe than the simple label of a “bug” but rather a very large shortcoming.

    Seeing as many of us are using FOG on linux servers, and a few of us are actually using our fog servers across the internet, I think it would behoove all of us to run our relevant update managers if only for this patch to be received.


  • Developer

    Also, from the article, you can test with this
    [CODE]# A vulnerable bash prints "busted" before "completed"
    env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
    env X="() { :;} ; echo busted" `which bash` -c "echo completed"[/CODE]
    or
    [CODE]wget -U "() { test;};/usr/bin/touch /tmp/VULNERABLE" myserver/cgi-bin/test[/CODE]
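
A defender-side check for the request shape used in the wget test above, as an added example that is not part of the original posts: it scans a web access log for quoted fields (Referer or User-Agent) that begin with a bash function definition `() {`. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find access-log entries whose quoted
# Referer or User-Agent field starts with "() {", the header shape sent by
# the wget -U test. Assumes the Apache/nginx combined log format.

# Read a log on stdin; print "client_ip<TAB>request line" for each hit.
shellshock_hits() {
    awk '
        # A double quote directly followed by "()", optional blanks, then "{"
        /"\(\)[ \t]*\{/ {
            split($0, q, "\"")          # q[2] is the quoted request line
            printf "%s\t%s\n", $1, q[2]
        }'
}

# Read a log on stdin; print the number of distinct clients that sent a hit.
shellshock_clients() {
    shellshock_hits | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed sample log: two benign requests, three probes from two clients.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/test HTTP/1.1" 200 0 "-" "() { test;};/usr/bin/touch /tmp/VULNERABLE"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 404 0 "-" "() { test;};/usr/bin/touch /tmp/VULNERABLE"
203.0.113.44 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/test HTTP/1.1" 200 0 "() { :;} ; echo busted" "curl/7.30.0"
192.0.2.10 - - [25/Sep/2014:10:03:40 +0000] "GET /fog/management/ HTTP/1.1" 200 2048 "-" "curl/7.30.0"
EOF
}

# Stand-alone run: list the hits, then the distinct client count.
sample_log | shellshock_hits
echo "distinct clients: $(sample_log | shellshock_clients)"
```

To run it against a real log, pipe the file in instead of `sample_log`, for example `shellshock_hits < access.log`.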


  • Developer

    Anyone worried about this can run this one liner to see if you are vulnerable or not.

    Run this from a linux/osx box:

    (replace 1.2.3. with your subnet)

    [CODE]for i in $(seq 1 253);do echo 1.2.3.$i;curl -s "http://www.globalshellshock.com/?search=1.2.3.$i"|grep -B5 "Global Shellshock - The"|grep center;done[/CODE]

    It’s a little messy, but it does what it needs to do. Keep your eye out for a line that says “VULNERABLE” rather than “NOT VULNERABLE”.

    i.e. if your subnet is 255.255.0.0 then for 1.2.3. you would place 255.255.0.


 
