
BASH: Shellshock? Turtle Power?

  • T
    Tom Elliott
    last edited by Sep 26, 2014, 9:54 AM

    All,

    I’m sure many of you have already seen or heard about this, but I feel obligated to just inform you all.

    http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

    Shell shock is a pretty significant “bug” that I think is quite more severe than the simple label of a “bug” but rather a very large shortcoming.

    Seeing as many of us are using FOG on Linux servers, and a few of us are actually using our FOG servers across the internet, I think it would behoove all of us to run our relevant update managers if only for this patch to be received.

    • J
      Jaymes Driver Developer
      last edited by Oct 7, 2014, 1:33 PM

      Anyone worried about this can run this one liner to see if you are vulnerable or not.

      Run this from a linux/osx box:

      (replace 1.2.3. with your subnet)

      for i in $(seq 1 253); do echo "1.2.3.$i"; curl -s "http://www.globalshellshock.com/?search=1.2.3.$i" | grep -B5 "Global Shellshock - The" | grep center; done

      It’s a little messy, but it does what it needs to do. Keep your eye out for a line that says “VULNERABLE” rather than “NOT VULNERABLE”.

      i.e. if your subnet is 255.255.0.0 then for 1.2.3. you would place 255.255.0.

      WARNING TO USERS: My comments are written completely devoid of emotion, do not mistake my concise to the point manner as a personal insult or attack.

      • J
        Junkhacker Developer
        last edited by Oct 7, 2014, 1:57 PM

        also, from the article, you can test with this
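        [CODE]# a vulnerable shell prints "busted" before "completed"
        env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
        env X="() { :;} ; echo busted" $(which bash) -c "echo completed"[/CODE]
        or
        [CODE]# myserver/cgi-bin/test stands for a CGI script on your own server
        wget -U "() { test;};/usr/bin/touch /tmp/VULNERABLE" myserver/cgi-bin/test[/CODE]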

        signature:
        Junkhacker
        We are here to help you. If you are unresponsive to our questions, don't expect us to be responsive to yours.
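
A local check built on the `env` test quoted in the post above, added here as an example and not part of the thread: it runs that probe against each shell path you pass and reports a verdict per binary. The function names and exit codes are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): local Shellshock probe for one or more shells.
# Function names and exit codes are this example's own choices.

# Map probe output to a verdict. A patched shell prints only "completed";
# a vulnerable one also runs the command trailing the function body.
classify_probe() {
    case $1 in
        *busted*)    echo "vulnerable";     return 1 ;;
        *completed*) echo "not vulnerable"; return 0 ;;
        *)           echo "inconclusive";   return 3 ;;
    esac
}

# Run the env test from the post against the shell binary given as $1.
check_shell() {
    if [ ! -f "$1" ] || [ ! -x "$1" ]; then
        echo "missing"
        return 2
    fi
    # stderr is dropped: non-Bourne shells may reject -c and end up "inconclusive".
    _ss_out=$(env X='() { :;} ; echo busted' "$1" -c 'echo completed' 2>/dev/null) || true
    classify_probe "$_ss_out"
}

# Probe every path given, print one line per shell, return 1 if any is vulnerable.
check_shells() {
    _ss_rc=0
    for _ss_shell in "$@"; do
        _ss_verdict=$(check_shell "$_ss_shell") || true
        printf '%-24s %s\n' "$_ss_shell" "$_ss_verdict"
        if [ "$_ss_verdict" = "vulnerable" ]; then _ss_rc=1; fi
    done
    return "$_ss_rc"
}

# Usage: sh shellshock_check.sh /bin/sh /bin/bash
if [ "$#" -gt 0 ]; then
    check_shells "$@"
fi
```

The non-zero exit status when any shell is vulnerable lets the script gate a cron job or configuration-management run.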
