Shellshock
Shellshock
Now that the word is out about this absolutely massive bash exploit, should any of us folks still running Irix machines on the net be at all concerned?
An article on it.
Re: Shellshock
Only in two cases:
The specific: If you use a bash script for CGI
The general: If you've replaced /bin/sh with bash
I'll add that the exploit-tests I've seen in my logs are using ping to test if it works; ours is in /usr/etc and AIUI that's not in the default path so even if you're vulnerable it wouldn't trigger the scriptkiddies at least.
___(o)=
\____)
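The two cases named in the post above can be checked directly on a host. This is an added example, not part of the thread; the function names and the CGI directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a host for the two exposure cases.

# General case: report whether a shell binary is really bash.
# Asking the binary itself catches symlinks, hard links and renamed copies,
# because bash sets BASH_VERSION even when it is started under the name "sh".
sh_flavor() {
    ver=$("${1:-/bin/sh}" -c 'printf %s "${BASH_VERSION:-}"' 2>/dev/null) || ver=
    if [ -n "$ver" ]; then echo bash; else echo other; fi
}

# Specific case: list scripts under a CGI directory that bash will interpret.
# $1 = CGI directory (assumed layout), $2 = path of the system sh.
# A "#!/bin/sh" script counts only when that sh turns out to be bash.
bash_cgi_scripts() {
    dir=$1
    flavor=$(sh_flavor "${2:-/bin/sh}")
    find "$dir" -type f | sort | while IFS= read -r f; do
        # Read only the shebang line; skip empty or unreadable files.
        IFS= read -r first < "$f" 2>/dev/null || [ -n "$first" ] || continue
        case $first in
            '#!'*bash*)
                echo "$f" ;;
            '#!'*/sh|'#!'*/sh' '*)
                if [ "$flavor" = bash ]; then echo "$f"; fi ;;
        esac
    done
}

# Report for this host; pass the CGI directory as the first argument.
echo "/bin/sh is: $(sh_flavor /bin/sh)"
if [ -d "${1:-}" ]; then
    bash_cgi_scripts "$1"
fi
```

If `/bin/sh` reports `bash`, CGI programs in other languages are also in scope, since `system()` and `popen()` run their commands through `/bin/sh -c`.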
- ClassicHasClass
- Donor
- Posts: 2189
- Joined: Wed Jul 25, 2012 7:12 pm
- Location: Sunny So Cal
- Contact:
Re: Shellshock
You're more cooked if you're on a system where /bin/sh == /bin/bash. OS X is such a system. I quickly built a standalone bash for 10.4+ PPC/Intel if you want one of those.
http://tenfourfox.blogspot.com/2014/09/ ... -bash.html
But I think IRIX is very low risk.
smit happens.
bigred, 900MHz R16K, 4GB RAM, V12 DCD, 6.5.30
indy, 150MHz R4400SC, 256MB RAM, XL24, 6.5.10
purplehaze, 175MHz R10000, Solid IMPACT
probably posted from
bruce, Quad 2.5GHz PowerPC 970MP, 16GB RAM, Mac OS X 10.4.11
plus IBM POWER6 p520 * Apple Network Server 500 * RDI PrecisionBook * BeBox * Solbourne S3000 * Commodore 128 * many more...



- VenomousPinecone
- Posts: 2180
- Joined: Mon Jun 20, 2005 2:10 pm
- Location: Groom Lake, NV
Shellshock Bash bug?
Is your body^H^H^H^H mac ready?
https://www.schneier.com/blog/archives/2014/09/nasty_vulnerabi.html
http://mac-how-to.wonderhowto.com/how-to/every-mac-is-vulnerable-shellshock-bash-exploit-heres-patch-os-x-0157606/
Re: Shellshock
Some additional perspective here - http://www.infoworld.com/article/268787 ... thedeepend
Re: Shellshock
good thing i never liked bash 

- ClassicHasClass
- Donor
- Posts: 2189
- Joined: Wed Jul 25, 2012 7:12 pm
- Location: Sunny So Cal
- Contact:
Re: Shellshock
Vulnerability not fully fixed.
https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23
Re: Shellshock
Why'd they start replacing /bin/sh with BASH anyway? Sun went into depth as to why that was not a good idea (and better to have a static /bin/sh), and it's not like sh added too much bloat to the system.
"Brakes??? What Brakes???"
"I am O SH-- the Great and Powerful"
(single-CM)
Re: Shellshock
SAQ wrote: Why'd they start replacing /bin/sh with BASH anyway?
Heathen ! get thee hence, thou Unbeliever !
2 + 2 = 5
Re: Shellshock
SAQ wrote: Why'd they start replacing /bin/sh with BASH anyway? Sun went into depth as to why that was not a good idea (and better to have a static /bin/sh), and it's not like sh added too much bloat to the system.
What are you, some sort of graybeard who knows things and stuff?

- ClassicHasClass
- Donor
- Posts: 2189
- Joined: Wed Jul 25, 2012 7:12 pm
- Location: Sunny So Cal
- Contact:
Re: Shellshock
Second patch seems to pass muster:
http://seclists.org/oss-sec/2014/q3/734
I updated the OS X universal bash already (10.4-10.9, PPC and x86).
http://tenfourfox.blogspot.com/2014/09/ ... dated.html
Re: Shellshock
ClassicHasClass wrote: I updated the OS X universal bash already (10.4-10.9, PPC and x86).
http://tenfourfox.blogspot.com/2014/09/ ... dated.html
Thanks, CHC! I'll load it on some machines today!
-
- Posts: 1667
- Joined: Mon Sep 12, 2011 2:28 pm
- Location: Boston
Re: Shellshock
robespierre wrote:
$ sudo -s
# chmod -x /bin/bash
# ln -f /bin/ksh /bin/sh
fuggeddaboutit....
On Linux this will likely break things badly. Remember that these kids have been thinking that sh = bash since they first licked a beige box.
___(o)=
\____)
- VenomousPinecone
- Posts: 2180
- Joined: Mon Jun 20, 2005 2:10 pm
- Location: Groom Lake, NV
Re: Shellshock
duck wrote: [...]since they first licked a beige box.
Whaddya' mean? that's not what the floppy drive is for? All these years of my life spent in confusion.