http://www.bbc.co.uk/news/technology-29361794

In article om,
Dennis@home wrote:

Subject: Make sure you update linux and ios!

I think you mean MacOS.

Unless your computer provides some service available across the
internet, such as a web server, there is no urgency.

Also, don't connect to any unknown wi-fi access points, but you
weren't going to do that anyway.

-- Richard

On 25/09/14 20:04, Richard Tobin wrote:
In article om,
Dennis@home wrote:

Subject: Make sure you update linux and ios!

I think you mean MacOS.

Unless your computer provides some service available across the
internet, such as a web server, there is no urgency.

Also, don't connect to any unknown wi-fi access points, but you
weren't going to do that anyway.

-- Richard


and here's the test:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If that prints "vulnerable" your bash is buggy.


But the first question is: do hackers have a method to exploit on your
systems?

In message , Tim Watts
writes
But the first question is: do hackers have a method to exploit on your
systems?

No, my first question is: If I have a Linux based router, does bash
exist in it, and could someone use this to get inside it?
Second question is where do I look for a patch if I need one? Nothing
appeared in Mint today when I ran System Update.

I only do "stupid person" questions.
--
Bill

Bill wrote:

No, my first question is: If I have a Linux based router, does bash
exist in it

Usually such routers use busybox instead of bash, I doubt that busybox
provides bug-for-bug compatibility in cases like this (not that I've
checked).

and could someone use this to get inside it?
Second question is where do I look for a patch if I need one? Nothing
appeared in Mint today when I ran System Update.

Oh, you mean a self installed distro installed as a router, rather than
a flash based openWRT type? almost certain you will have bash, but
something needs remotely exploitable way to set a "hooky" environment
variable before spawning out to something innocent ... still waiting for
centOS to release fixes :-(

En el artículo , Andy
Burns escribió:

still waiting for
centOS to release fixes :-(

Patched all our CentOS systems today, from v5.10 to v6.5

hint: 'yum -q update bash'

--
(\_/)
(='.'=)
(")_(")

In message , Andy
Burns writes
Bill wrote:

No, my first question is: If I have a Linux based router, does bash
exist in it

Usually such routers use busybox instead of bash, I doubt that busybox
provides bug-for-bug compatibility in cases like this (not that I've
checked).

and could someone use this to get inside it?
Second question is where do I look for a patch if I need one? Nothing
appeared in Mint today when I ran System Update.

Oh, you mean a self installed distro installed as a router, rather than
a flash based openWRT type? almost certain you will have bash, but
something needs remotely exploitable way to set a "hooky" environment
variable before spawning out to something innocent ... still waiting
for centOS to release fixes :-(

No, sorry to be unclear. I meant is a standalone router vulnerable, and
separately is Mint vulnerabl?.

For the record, I ran the gui check for updates procedure yesterday and
updated. I have just run the test code as referred to here and it prints
vulnerable
This is a test.

I am a complete idiot running Mint, CentOS and Ubuntu on various
machines here. There will be others as dumb as me. I assume I have to
work out how to patch Mint independently of the normal update procedure.
--
Bill

On 25/09/14 20:39, Bill wrote:
In message , Tim Watts
writes
But the first question is: do hackers have a method to exploit on your
systems?

No, my first question is: If I have a Linux based router, does bash
exist in it, and could someone use this to get inside it?
Second question is where do I look for a patch if I need one? Nothing
appeared in Mint today when I ran System Update.

its just appeared on mine.


I only do "stupid person" questions.


--
Everything you read in newspapers is absolutely true, except for the
rare story of which you happen to have first-hand knowledge. €“ Erwin Knoll

In article ,
Tim Watts wrote:
On 25/09/14 20:04, Richard Tobin wrote:
In article om,
Dennis@home wrote:

Subject: Make sure you update linux and ios!

I think you mean MacOS.

Unless your computer provides some service available across the
internet, such as a web server, there is no urgency.

Also, don't connect to any unknown wi-fi access points, but you
weren't going to do that anyway.

-- Richard


and here's the test:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If that prints "vulnerable" your bash is buggy.


But the first question is: do hackers have a method to exploit on your
systems?

Yes. They're already trying. I've seen lots of intersting 'tests'
so-far. e.g. trying to run the eject command - I'm sure some syadmins
are going to find racks of servers with CD/DVD's wide open soon...

Gordon

On 25/09/14 22:17, Gordon Henderson wrote:
In article ,
Tim Watts wrote:
On 25/09/14 20:04, Richard Tobin wrote:
In article om,
Dennis@home wrote:

Subject: Make sure you update linux and ios!

I think you mean MacOS.

Unless your computer provides some service available across the
internet, such as a web server, there is no urgency.

Also, don't connect to any unknown wi-fi access points, but you
weren't going to do that anyway.

-- Richard


and here's the test:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If that prints "vulnerable" your bash is buggy.


But the first question is: do hackers have a method to exploit on your
systems?

Yes. They're already trying. I've seen lots of intersting 'tests'
so-far. e.g. trying to run the eject command - I'm sure some syadmins
are going to find racks of servers with CD/DVD's wide open soon...

Gordon


I have 100 odd webservers - I have disabled mod_cgi* for tonight.


Nagios is not over screamy (odd service down). We don't have much CGI,
mod_php is supposed to not be trivially vulnerable. Most of the systems
we have are either tomcat or django, but the latter uses mod_wsgi and I
am a little worried about that - need to construct some tests.

I'm not one for be over panicky but if something can be done quickly and
easily to mitigate, I will.

I think in reality it's going to need a peculiar combinations of factors
and attacks to yield fruit. If you think about it, the "worst" they can
do on the surface is run a shell as the web user on your system. The
question then is: "how much does that matter?"

In a world of reasonably written web apps that are installed correctly
(ie not self-writable script directories) that do not have sensitive
data, that might get a DOS at worst or leak some boring stuff.

However, a long long time ago, we had one somewhere I used to work at
exactly the same time the ptrace bug came out - that web server got
rooted. Very unlucky... So really bad things are not totally impossible.

Tim Watts wrote:

I have 100 odd webservers - I have disabled mod_cgi* for tonight.
Nagios is not over screamy (odd service down). We don't have much CGI,
mod_php is supposed to not be trivially vulnerable.

grepping the last few days access_log for "()" and ":;" only turned up
three hits ... one looks whitehat probed us twice, its user agent refers to

http://blog.erratasec.com/2014/09/ba...-internet.html

another one is a bit less open about what it's doing and who's behind
it, but still only seems to be trying to build a list of pings from
vulnerable servers, rather than actually exploiting anything.

I don't know if our servers did ping them back or not, but they're
patched now, technique seems to be bung the () { :; } function into
various HTTP headers hoping they'll end up in environment variables and
then some CGI etc spawns a shell ...

On 25/09/2014 23:10, Tim Watts wrote:
On 25/09/14 22:17, Gordon Henderson wrote:
In article ,
Tim Watts wrote:
On 25/09/14 20:04, Richard Tobin wrote:
In article om,
Dennis@home wrote:

Subject: Make sure you update linux and ios!

I think you mean MacOS.

Unless your computer provides some service available across the
internet, such as a web server, there is no urgency.

Also, don't connect to any unknown wi-fi access points, but you
weren't going to do that anyway.

-- Richard


and here's the test:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If that prints "vulnerable" your bash is buggy.


But the first question is: do hackers have a method to exploit on your
systems?

Yes. They're already trying. I've seen lots of intersting 'tests'
so-far. e.g. trying to run the eject command - I'm sure some syadmins
are going to find racks of servers with CD/DVD's wide open soon...

Gordon


I have 100 odd webservers - I have disabled mod_cgi* for tonight.


Nagios is not over screamy (odd service down). We don't have much CGI,
mod_php is supposed to not be trivially vulnerable. Most of the systems
we have are either tomcat or django, but the latter uses mod_wsgi and I
am a little worried about that - need to construct some tests.

I'm not one for be over panicky but if something can be done quickly and
easily to mitigate, I will.

I think in reality it's going to need a peculiar combinations of factors
and attacks to yield fruit. If you think about it, the "worst" they can
do on the surface is run a shell as the web user on your system. The
question then is: "how much does that matter?"

If you make sure your apache and tomcat run in a nicely "jailed"
environment, then you limit the damage that can be done quite a bit.



--
Cheers,

John.

/================================================== ===============\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\================================================= ================/

On Thu, 25 Sep 2014 20:19:45 +0100, Tim Watts wrote:

On 25/09/14 20:04, Richard Tobin wrote:
In article om,
Dennis@home wrote:

Subject: Make sure you update linux and ios!

I think you mean MacOS.

Unless your computer provides some service available across the
internet, such as a web server, there is no urgency.

Also, don't connect to any unknown wi-fi access points, but you weren't
going to do that anyway.

-- Richard


and here's the test:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If that prints "vulnerable" your bash is buggy.

Result of the above code is:-
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

My openSUSE systems were patched yesterday, the 24th.

But the first question is: do hackers have a method to exploit on your
systems?

--
openSUSE 13.1 64-bit

On 25/09/14 22:43, J.B.Treadstone wrote:

Result of the above code is:-
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

My openSUSE systems were patched yesterday, the 24th.

Debian 7 is fine today too.


But the first question is: do hackers have a method to exploit on your
systems?



Bit annoyed that I have to go to the LTS repos for debian 6...

On Thursday, September 25, 2014 8:19:45 PM UTC+1, Tim Watts wrote:
On 25/09/14 20:04, Richard Tobin wrote:

In article om,

Dennis@home wrote:



Subject: Make sure you update linux and ios!



I think you mean MacOS.



Unless your computer provides some service available across the

internet, such as a web server, there is no urgency.



Also, don't connect to any unknown wi-fi access points, but you

weren't going to do that anyway.



-- Richard





and here's the test:



env x='() { :;}; echo vulnerable' bash -c "echo this is a test"



If that prints "vulnerable" your bash is buggy.

Oops.
Debian: 'We recommend that you upgrade your bash packages.'
Yes, but how on debian based avlinux? Synaptic package manager doesn't show anything of interest, and avlinux info seems pretty much nonexistent. How to determine the version of debian on this?


NT

On 26/09/14 00:03, wrote:

Oops.
Debian: 'We recommend that you upgrade your bash packages.'
Yes, but how on debian based avlinux? Synaptic package manager doesn't show anything of interest, and avlinux info seems pretty much nonexistent. How to determine the version of debian on this?


NT


dpkg-query -l libc6

The versions a

4.0 2.3.6.ds1-13etch10+b1
5.0 2.7-18lenny7
6.0 2.11.3-4
7.0 2.13-38+deb7u1


That should give you a rough idea when yours was cut from...

On Friday, September 26, 2014 9:03:14 AM UTC+1, Tim Watts wrote:
On 26/09/14 00:03, wrote:

Oops.
Debian: 'We recommend that you upgrade your bash packages.'
Yes, but how on debian based avlinux? Synaptic package manager doesn't show anything of interest, and avlinux info seems pretty much nonexistent. How to determine the version of debian on this?

dpkg-query -l libc6
The versions a
4.0 2.3.6.ds1-13etch10+b1
5.0 2.7-18lenny7
6.0 2.11.3-4
7.0 2.13-38+deb7u1
That should give you a rough idea when yours was cut from...

2.13-21 so presumably 7. Thank you.


NT

On Friday, September 26, 2014 9:03:14 AM UTC+1, Tim Watts wrote:
On 26/09/14 00:03, wrote:

Oops.
Debian: 'We recommend that you upgrade your bash packages.'
Yes, but how on debian based avlinux? Synaptic package manager doesn't show anything of interest, and avlinux info seems pretty much nonexistent. How to determine the version of debian on this?

dpkg-query -l libc6
The versions a
4.0 2.3.6.ds1-13etch10+b1
5.0 2.7-18lenny7
6.0 2.11.3-4
7.0 2.13-38+deb7u1
That should give you a rough idea when yours was cut from...

wget http://ftp.debian.org/debian/pool/main/b/bash/bash_4.3-9.1_$(dpkg --print-architecture).deb
saved a 1.1M file. But where I haven't a clue. Its frustrating, I knew win98 well, now I know sod all about linux.


NT

On 26/09/2014 09:03, Tim Watts wrote:
On 26/09/14 00:03, wrote:

Oops.
Debian: 'We recommend that you upgrade your bash packages.'
Yes, but how on debian based avlinux? Synaptic package manager doesn't
show anything of interest, and avlinux info seems pretty much
nonexistent. How to determine the version of debian on this?


NT


dpkg-query -l libc6

The versions a

4.0 2.3.6.ds1-13etch10+b1
5.0 2.7-18lenny7
6.0 2.11.3-4
7.0 2.13-38+deb7u1


That should give you a rough idea when yours was cut from...


Its all very well knowing its been patched but..

Its like the ssh none random random bits, you may have been compromised
before you patched the system. The patch does nothing to detect such
compromises and the average user won't have a clue.

Just what should an inexperienced linux user do to check?
A windows user can boot a rescue disk and scan for viruses, etc., what's
the equivalent for linux?

On 25/09/14 19:34, Dennis@home wrote:
http://www.bbc.co.uk/news/technology-29361794

assuming your system actually uses bash by default rather than dash.


--
Everything you read in newspapers is absolutely true, except for the
rare story of which you happen to have first-hand knowledge. €“ Erwin Knoll