Shellshock - Bash Remote Code Execution Vulnerability

This post was last edited by samiux on 2014-10-8 00:10

The recent update/upgrade of bash did not fully fix the vulnerability Shellshock (CVE-2014-6271).  

A new CVE-2014-7169 has been assigned.  

The vulnerability, Shellshock, is as serious as Heartbleed (CVE-2014-0160).  It affects not only Linux but also Mac OS X.  However, Apple Inc. has not responded to this vulnerability until now.

There are a number of places this could be exploited :

(1) SSH - Criticality varies [Tested & Confirmed]
(2) CGI web application - High criticality [Tested & Confirmed] [Exploit in the wild]
(3) DHCP - Criticality varies [Tested & Confirmed]
(4) CUPS
(5) sudo
(6) Busybox in Android Terminal Emulator - Criticality varies [Tested & Confirmed]
(7) SIP - High criticality [Tested & Confirmed]
(8) ESX 4.0 and 4.1 as well as appliances
(9) NAS - High criticality [Exploit in the wild]
(10) Pure-FTPd - High criticality [Tested & Confirmed] [Exploit in the wild]
(11) Postfix - High criticality [Tested & Confirmed] [Exploit in the wild]

The vulnerability leads to remote code execution.  Meanwhile, a worm named "Shellshock" is in the wild and its variants are expected soon.

Update

Since web servers are of high criticality, a security expert created an online tool for web server vulnerability testing - click here.

Updated on Sept 29, 2014 :

It is very interesting that more bash vulnerabilities have been disclosed:

CVE-2014-7186
CVE-2014-7187
CVE-2014-6277

Update on Sept 29, 2014 (2) :

If your version is either 4.2.37(1)-release (debian wheezy) or 4.3.11(1)-release (Ubuntu 14.04.1 LTS), you are not vulnerable to all the above exploits.
    $ bash -version
    GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
    Copyright (C) 2011 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

    This is free software; you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
Samiux

Update reason : add Update
                             add Update on Sept 29, 2014
                             add Update on Sept 29, 2014 (2)
                             add Item (7) to the place for exploitation
                             add Item (8) to the place for exploitation
                             add Item (9) to the place for exploitation & update Item (2)
                             add Item (10) to the place for exploitation
                             add Item (11) to the place for exploitation
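
The version check from the post above, as an added example that is not part of the original post: it reads the release string from `bash --version`, compares it with the two releases the post names, and runs a local behavioural self-test for CVE-2014-6271 only. The function names and the marker string are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and MARK are assumptions.

# Releases the post lists as not vulnerable.
FIXED_RELEASES='4.2.37(1)-release 4.3.11(1)-release'
MARK=SHELLSHOCK_SELFTEST

# Read `bash --version` output on stdin, print the release string.
bash_release() {
    sed -n '1s/^GNU bash, version \([^ ]*\).*/\1/p'
}

# Return 0 if release string $1 is one of those named in the post.
listed_as_fixed() {
    for r in $FIXED_RELEASES; do
        [ "$1" = "$r" ] && return 0
    done
    return 1
}

# Behavioural self-test for CVE-2014-6271 against the local binary $1.
# A fixed bash treats the variable as plain data and prints nothing;
# an unfixed one runs the trailing echo while importing the environment.
# Return 0 if the marker did not appear.
probe_6271() {
    out=$(env "probe=() { :;}; echo $MARK" "$1" -c ':' 2>/dev/null)
    case $out in
        *"$MARK"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Report on the bash found in PATH, if there is one.
if command -v bash >/dev/null 2>&1; then
    rel=$(bash --version | bash_release)
    if listed_as_fixed "$rel"; then note='listed in the post'
    else note='not listed in the post'; fi
    if probe_6271 bash; then echo "bash $rel ($note): self-test clean"
    else echo "bash $rel ($note): CVE-2014-6271 self-test triggered"; fi
fi
```

The self-test reports what the installed binary actually does, which is useful because distribution packages can carry backported fixes under an unchanged release string.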

http://www.lynda.com/articles/sh ... tm_campaign=post-IT

I'm not a Linux user, but I hope the above link can be of help.


I'd like to ask: if SSH is exposed to the Internet and bash is installed, can the machine be remotely attacked?


nginx + php-fpm goes through fastcgi; I wonder whether it is affected.


I'd like to ask: if SSH is exposed to the Internet and bash is installed, can the machine be remotely attacked?
yawoo posted on 2014-9-26 13:47


You can say that.  If an attacker obtains an SSH account by any means and you are vulnerable to the exploit, remote code execution occurs.

Samiux


This post was last edited by samiux on 2014-9-26 14:40
nginx + php-fpm goes through fastcgi; I wonder whether it is affected.
rabbit82047 posted on 2014-9-26 14:29



If the web server is not running CGI, it is not vulnerable to the exploit.

If php-fpm is running over a socket, it is not vulnerable to the exploit.

Samiux

Update reason : more info


You can say that.  If an attacker obtains an SSH account by any means and you are vulnerable to  ...
samiux posted on 2014-9-26 14:37


So the precondition is that there must be an account login (non-root) before a remote attack is possible, right?


So the precondition is that there must be an account login (non-root) before a remote attack is possible, right?
yawoo posted on 2014-9-26 15:08



An attacker can obtain the SSH account by any means, such as brute force or other methods.

Samiux


Since web servers are of high criticality, a security expert created an online tool for web server vulnerability testing - please refer to Post #1 for details.

Samiux


This post was last edited by samiux on 2014-9-29 16:41

It is very interesting that 3 more bash vulnerabilities have been disclosed.  Please refer to the #1 post for details.

Samiux

