BASH: Shellshock? Turtle Power?


  • Senior Developer

    All,

    I’m sure many of you have already seen or heard about this, but I feel obligated to just inform you all.

    [url]http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/[/url]

    Shellshock is a pretty significant “bug”, one that I think is quite a bit more severe than the simple label of “bug” suggests; it is rather a very large shortcoming.

    Seeing as many of us are using FOG on Linux servers, and a few of us are actually using our FOG servers across the internet, I think it would behoove all of us to run our relevant update managers, if only for this patch to be received.


  • Developer

    Also, from the article, you can test with this:
    [CODE]# A vulnerable shell prints "busted" before "completed"
    env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
    env X="() { :;} ; echo busted" `which bash` -c "echo completed"[/CODE]
    or
    [CODE]wget -U "() { test;};/usr/bin/touch /tmp/VULNERABLE" myserver/cgi-bin/test[/CODE]


  • Developer

    Anyone worried about this can run this one liner to see if you are vulnerable or not.

    Run this from a Linux/OS X box:

    (replace 1.2.3. with your subnet)

    [CODE]for i in $(seq 1 253);do echo 1.2.3.$i;curl -s "http://www.globalshellshock.com/?search=1.2.3.$i"|grep -B5 "Global Shellshock - The"|grep center;done[/CODE]

    It’s a little messy, but it does what it needs to do. Keep your eye out for a line that says “VULNERABLE” rather than “NOT VULNERABLE”.

    i.e. if your subnet is 255.255.0.0 then for 1.2.3. you would place 255.255.0.
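
A defender-side companion to the `wget -U` test posted earlier in the thread, as an added example that is not part of the original posts: a request like that one leaves the function-definition string in the web server's access log, so the log can be searched for it. It assumes the Apache/nginx "combined" log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag access-log entries whose Referer or User-Agent starts
# with a bash function definition "() {", the marker of a Shellshock probe.
# Assumption: the log uses the Apache/nginx "combined" format.

# Constructed sample log lines (documentation IP ranges, not real traffic).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/test HTTP/1.1" 200 0 "-" "() { test;};/usr/bin/touch /tmp/VULNERABLE"
203.0.113.5 - - [25/Sep/2014:10:05:09 +0000] "GET /cgi-bin/test HTTP/1.1" 404 0 "() { :;}; echo busted" "Wget/1.15 (linux-gnu)"
192.0.2.33 - - [25/Sep/2014:10:06:51 +0000] "GET /docs?q=foo() HTTP/1.1" 200 90 "-" "curl/7.35.0"
EOF
}

# Reads combined-format log lines on stdin and prints
# "client_ip<TAB>field<TAB>value" for every suspicious header value.
scan_shellshock() {
    awk -F'"' '
        # Splitting on double quotes: $2 = request line, $4 = Referer, $6 = User-Agent
        function hit(v) { return v ~ /^[ \t]*\(\)[ \t]*\{/ }
        {
            split($1, pre, " ")            # pre[1] is the client address
            if (hit($4)) printf "%s\treferer\t%s\n", pre[1], $4
            if (hit($6)) printf "%s\tuser-agent\t%s\n", pre[1], $6
        }'
}

# Exit status 0 when at least one suspicious entry is found, like grep.
has_shellshock_probe() {
    [ -n "$(scan_shellshock)" ]
}

sample_log | scan_shellshock
```

A hit only shows that a probe was received; whether the host was vulnerable still depends on the installed bash version, so patching remains the fix.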

