UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.
#1
Posted to uk.d-i-y
Make sure you update linux and ios!
#2
In article om,
Dennis@home wrote:
Subject: Make sure you update linux and ios!

I think you mean MacOS.

Unless your computer provides some service available across the internet, such as a web server, there is no urgency. Also, don't connect to any unknown wi-fi access points, but you weren't going to do that anyway.

-- Richard
#3
On 25/09/14 20:04, Richard Tobin wrote:
In article om, Dennis@home wrote:
Subject: Make sure you update linux and ios!

I think you mean MacOS. Unless your computer provides some service available across the internet, such as a web server, there is no urgency. Also, don't connect to any unknown wi-fi access points, but you weren't going to do that anyway.
-- Richard

and here's the test:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If that prints "vulnerable" your bash is buggy.

But the first question is: do hackers have a method to exploit on your systems?
#4
In message , Tim Watts writes
But the first question is: do hackers have a method to exploit on your systems?

No, my first question is: If I have a Linux based router, does bash exist in it, and could someone use this to get inside it?

Second question is where do I look for a patch if I need one? Nothing appeared in Mint today when I ran System Update.

I only do "stupid person" questions.

-- Bill
#5
Bill wrote:
No, my first question is: If I have a Linux based router, does bash exist in it

Usually such routers use busybox instead of bash, I doubt that busybox provides bug-for-bug compatibility in cases like this (not that I've checked).

and could someone use this to get inside it? Second question is where do I look for a patch if I need one? Nothing appeared in Mint today when I ran System Update.

Oh, you mean a self installed distro installed as a router, rather than a flash based openWRT type? almost certain you will have bash, but something needs remotely exploitable way to set a "hooky" environment variable before spawning out to something innocent ...

still waiting for centOS to release fixes :-(
#6
In article , Andy Burns wrote:
still waiting for centOS to release fixes :-(

Patched all our CentOS systems today, from v5.10 to v6.5

hint: 'yum -q update bash'

--
(\_/)
(='.'=)
(")_(")
#7
In message , Andy Burns writes
Bill wrote:
No, my first question is: If I have a Linux based router, does bash exist in it

Usually such routers use busybox instead of bash, I doubt that busybox provides bug-for-bug compatibility in cases like this (not that I've checked).

and could someone use this to get inside it? Second question is where do I look for a patch if I need one? Nothing appeared in Mint today when I ran System Update.

Oh, you mean a self installed distro installed as a router, rather than a flash based openWRT type? almost certain you will have bash, but something needs remotely exploitable way to set a "hooky" environment variable before spawning out to something innocent ...

still waiting for centOS to release fixes :-(

No, sorry to be unclear. I meant is a standalone router vulnerable, and separately is Mint vulnerable?

For the record, I ran the gui check for updates procedure yesterday and updated. I have just run the test code as referred to here and it prints vulnerable This is a test.

I am a complete idiot running Mint, CentOS and Ubuntu on various machines here. There will be others as dumb as me. I assume I have to work out how to patch Mint independently of the normal update procedure.

-- Bill
#8
On 25/09/14 20:39, Bill wrote:
In message , Tim Watts writes
But the first question is: do hackers have a method to exploit on your systems?

No, my first question is: If I have a Linux based router, does bash exist in it, and could someone use this to get inside it? Second question is where do I look for a patch if I need one? Nothing appeared in Mint today when I ran System Update.

it's just appeared on mine.

I only do "stupid person" questions.

--
Everything you read in newspapers is absolutely true, except for the rare story of which you happen to have first-hand knowledge. – Erwin Knoll
#9
In article , Tim Watts wrote:
On 25/09/14 20:04, Richard Tobin wrote:
In article om, Dennis@home wrote:
Subject: Make sure you update linux and ios!

I think you mean MacOS. Unless your computer provides some service available across the internet, such as a web server, there is no urgency. Also, don't connect to any unknown wi-fi access points, but you weren't going to do that anyway.
-- Richard

and here's the test:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If that prints "vulnerable" your bash is buggy.

But the first question is: do hackers have a method to exploit on your systems?

Yes. They're already trying. I've seen lots of interesting 'tests' so-far. e.g. trying to run the eject command - I'm sure some sysadmins are going to find racks of servers with CD/DVD's wide open soon...

Gordon
#10
On 25/09/14 22:17, Gordon Henderson wrote:
In article , Tim Watts wrote:
On 25/09/14 20:04, Richard Tobin wrote:
In article om, Dennis@home wrote:
Subject: Make sure you update linux and ios!

I think you mean MacOS. Unless your computer provides some service available across the internet, such as a web server, there is no urgency. Also, don't connect to any unknown wi-fi access points, but you weren't going to do that anyway.
-- Richard

and here's the test:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If that prints "vulnerable" your bash is buggy.

But the first question is: do hackers have a method to exploit on your systems?

Yes. They're already trying. I've seen lots of interesting 'tests' so-far. e.g. trying to run the eject command - I'm sure some sysadmins are going to find racks of servers with CD/DVD's wide open soon...

Gordon

I have 100 odd webservers - I have disabled mod_cgi* for tonight. Nagios is not over screamy (odd service down).

We don't have much CGI, mod_php is supposed to not be trivially vulnerable.

Most of the systems we have are either tomcat or django, but the latter uses mod_wsgi and I am a little worried about that - need to construct some tests.

I'm not one to be over panicky but if something can be done quickly and easily to mitigate, I will.

I think in reality it's going to need a peculiar combination of factors and attacks to yield fruit.

If you think about it, the "worst" they can do on the surface is run a shell as the web user on your system.

The question then is: "how much does that matter?"

In a world of reasonably written web apps that are installed correctly (ie not self-writable script directories) that do not have sensitive data, that might get a DOS at worst or leak some boring stuff.

However, a long long time ago, we had one somewhere I used to work at exactly the same time the ptrace bug came out - that web server got rooted. Very unlucky...

So really bad things are not totally impossible.
#11
Tim Watts wrote:
I have 100 odd webservers - I have disabled mod_cgi* for tonight. Nagios is not over screamy (odd service down). We don't have much CGI, mod_php is supposed to not be trivially vulnerable.

grepping the last few days access_log for "()" and ":;" only turned up three hits ...

one looks whitehat probed us twice, its user agent refers to
http://blog.erratasec.com/2014/09/ba...-internet.html

another one is a bit less open about what it's doing and who's behind it, but still only seems to be trying to build a list of pings from vulnerable servers, rather than actually exploiting anything.

I don't know if our servers did ping them back or not, but they're patched now, technique seems to be bung the () { :; } function into various HTTP headers hoping they'll end up in environment variables and then some CGI etc spawns a shell ...
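
A tighter form of the access_log search described in the post above, as an added example that is not part of the original thread: it flags only Referer and User-Agent fields that begin with the "() {" prefix used by the test quoted earlier, so ordinary requests that merely contain "()" are not counted. It assumes Apache's "combined" log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find access-log entries whose Referer
# or User-Agent starts with the bash function-definition prefix "() {".
# Assumption: Apache "combined" format, i.e. the quoted fields are, in order,
# request line, Referer, User-Agent.

# Constructed sample input; the addresses are documentation ranges.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:21:02:11 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:21:05:43 +0100] "GET /cgi-bin/status HTTP/1.0" 200 312 "-" "() { :; }; echo probe"
203.0.113.5 - - [25/Sep/2014:21:09:02 +0100] "GET / HTTP/1.1" 200 5120 "() { :;}; echo probe" "curl/7.38.0"
192.0.2.44 - - [25/Sep/2014:21:11:30 +0100] "GET /search?q=f() HTTP/1.1" 200 900 "-" "Mozilla/5.0 (compatible; crawler)"
EOF
}

# Read log lines on stdin; print "client-ip field-name" for each hit.
# Splitting on the double quote makes field 4 the Referer and field 6 the
# User-Agent. The match is anchored at the start of the field because a
# header only becomes a function definition when its value begins with
# "()" followed by "{".
find_probes() {
  awk -F'"' '
    BEGIN { name[4] = "referer"; name[6] = "user-agent" }
    {
      split($1, pre, " ")            # pre[1] is the client address
      for (i = 4; i <= 6; i += 2)
        if ($i ~ /^\(\)[ \t]*[{]/) print pre[1], name[i]
    }'
}

# Number of suspicious header fields seen on stdin.
count_probes() { find_probes | wc -l | tr -d ' '; }

# Stand-alone run over the constructed sample; for a real log use e.g.
#   find_probes < /path/to/access_log
sample_log | find_probes
```

Only headers the server actually logs can be searched this way; headers such as Cookie or Host do not appear in a combined-format log, so an empty result does not show that no probe arrived.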
#12
On 25/09/2014 23:10, Tim Watts wrote:
On 25/09/14 22:17, Gordon Henderson wrote:
In article , Tim Watts wrote:
On 25/09/14 20:04, Richard Tobin wrote:
In article om, Dennis@home wrote:
Subject: Make sure you update linux and ios!

I think you mean MacOS. Unless your computer provides some service available across the internet, such as a web server, there is no urgency. Also, don't connect to any unknown wi-fi access points, but you weren't going to do that anyway.
-- Richard

and here's the test:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If that prints "vulnerable" your bash is buggy.

But the first question is: do hackers have a method to exploit on your systems?

Yes. They're already trying. I've seen lots of interesting 'tests' so-far. e.g. trying to run the eject command - I'm sure some sysadmins are going to find racks of servers with CD/DVD's wide open soon...

Gordon

I have 100 odd webservers - I have disabled mod_cgi* for tonight. Nagios is not over screamy (odd service down).

We don't have much CGI, mod_php is supposed to not be trivially vulnerable.

Most of the systems we have are either tomcat or django, but the latter uses mod_wsgi and I am a little worried about that - need to construct some tests.

I'm not one to be over panicky but if something can be done quickly and easily to mitigate, I will.

I think in reality it's going to need a peculiar combination of factors and attacks to yield fruit.

If you think about it, the "worst" they can do on the surface is run a shell as the web user on your system.

The question then is: "how much does that matter?"

If you make sure your apache and tomcat run in a nicely "jailed" environment, then you limit the damage that can be done quite a bit.

--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk                      |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk                     |
\=================================================================/
#13
On Thu, 25 Sep 2014 20:19:45 +0100, Tim Watts wrote:
On 25/09/14 20:04, Richard Tobin wrote:
In article om, Dennis@home wrote:
Subject: Make sure you update linux and ios!

I think you mean MacOS. Unless your computer provides some service available across the internet, such as a web server, there is no urgency. Also, don't connect to any unknown wi-fi access points, but you weren't going to do that anyway.
-- Richard

and here's the test:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If that prints "vulnerable" your bash is buggy.

Result of the above code is:-

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

My openSUSE systems were patched yesterday, the 24th.

But the first question is: do hackers have a method to exploit on your systems?

--
openSUSE 13.1 64-bit
#14
On 25/09/14 22:43, J.B.Treadstone wrote:
Result of the above code is:-

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

My openSUSE systems were patched yesterday, the 24th.

Debian 7 is fine today too.

But the first question is: do hackers have a method to exploit on your systems?

Bit annoyed that I have to go to the LTS repos for debian 6...
#15
On Thursday, September 25, 2014 8:19:45 PM UTC+1, Tim Watts wrote:
On 25/09/14 20:04, Richard Tobin wrote:
In article om, Dennis@home wrote:
Subject: Make sure you update linux and ios!

I think you mean MacOS. Unless your computer provides some service available across the internet, such as a web server, there is no urgency. Also, don't connect to any unknown wi-fi access points, but you weren't going to do that anyway.
-- Richard

and here's the test:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If that prints "vulnerable" your bash is buggy.

Oops. Debian: 'We recommend that you upgrade your bash packages.' Yes, but how on debian based avlinux? Synaptic package manager doesn't show anything of interest, and avlinux info seems pretty much nonexistent. How to determine the version of debian on this?

NT
#17
On Friday, September 26, 2014 9:03:14 AM UTC+1, Tim Watts wrote:
On 26/09/14 00:03, wrote:
Oops. Debian: 'We recommend that you upgrade your bash packages.' Yes, but how on debian based avlinux? Synaptic package manager doesn't show anything of interest, and avlinux info seems pretty much nonexistent. How to determine the version of debian on this?

dpkg-query -l libc6

The versions are:
4.0  2.3.6.ds1-13etch10+b1
5.0  2.7-18lenny7
6.0  2.11.3-4
7.0  2.13-38+deb7u1

That should give you a rough idea when yours was cut from...

2.13-21 so presumably 7. Thank you.

NT
#18
On Friday, September 26, 2014 9:03:14 AM UTC+1, Tim Watts wrote:
On 26/09/14 00:03, wrote:
Oops. Debian: 'We recommend that you upgrade your bash packages.' Yes, but how on debian based avlinux? Synaptic package manager doesn't show anything of interest, and avlinux info seems pretty much nonexistent. How to determine the version of debian on this?

dpkg-query -l libc6

The versions are:
4.0  2.3.6.ds1-13etch10+b1
5.0  2.7-18lenny7
6.0  2.11.3-4
7.0  2.13-38+deb7u1

That should give you a rough idea when yours was cut from...

wget http://ftp.debian.org/debian/pool/main/b/bash/bash_4.3-9.1_$(dpkg --print-architecture).deb

saved a 1.1M file. But where I haven't a clue. It's frustrating, I knew win98 well, now I know sod all about linux.

NT
#19
On 26/09/2014 09:03, Tim Watts wrote:
On 26/09/14 00:03, wrote:
Oops. Debian: 'We recommend that you upgrade your bash packages.' Yes, but how on debian based avlinux? Synaptic package manager doesn't show anything of interest, and avlinux info seems pretty much nonexistent. How to determine the version of debian on this?

NT

dpkg-query -l libc6

The versions are:
4.0  2.3.6.ds1-13etch10+b1
5.0  2.7-18lenny7
6.0  2.11.3-4
7.0  2.13-38+deb7u1

That should give you a rough idea when yours was cut from...

It's all very well knowing it's been patched but..

It's like the ssh non-random random bits, you may have been compromised before you patched the system. The patch does nothing to detect such compromises and the average user won't have a clue.

Just what should an inexperienced linux user do to check? A windows user can boot a rescue disk and scan for viruses, etc., what's the equivalent for linux?
#20
On 25/09/14 19:34, Dennis@home wrote:
http://www.bbc.co.uk/news/technology-29361794

assuming your system actually uses bash by default rather than dash.

--
Everything you read in newspapers is absolutely true, except for the rare story of which you happen to have first-hand knowledge. – Erwin Knoll