Shellshock

pentium · Unread postby **pentium** » Thu Sep 25, 2014 8:56 am

Now that the word is out about this absolutely massive bash exploit, should any of us folks still running Irix machines on the net be at all concerned?

An article on it.

Unread postby **duck** » Thu Sep 25, 2014 9:59 am

Only on two cases:

The specific: If you use a bash script for CGI
The general: If you've replaced /bin/sh with bash

I'll add that the exploit-tests I've seen in my logs are using ping to test if it works; ours is in /usr/etc and AIUI that's not in the default path so even if you're vulnerable it wouldn't trigger the scriptkiddies at least.

Unread postby **ClassicHasClass** » Thu Sep 25, 2014 1:58 pm

You're more cooked if you're on a system where /bin/sh == /bin/bash. OS X is such a system. I quickly built a standalone bash for 10.4+ PPC/Intel if you want one of those.

http://tenfourfox.blogspot.com/2014/09/ ... -bash.html

But I think IRIX is very low risk.

VenomousPinecone · Unread postby **VenomousPinecone** » Thu Sep 25, 2014 3:45 pm

Is your body^H^H^H^H mac ready?

https://www.schneier.com/blog/archives/2014/09/nasty_vulnerabi.html
http://mac-how-to.wonderhowto.com/how-to/every-mac-is-vulnerable-shellshock-bash-exploit-heres-patch-os-x-0157606/

Unread postby **josehill** » Thu Sep 25, 2014 4:06 pm

Some additional perspective here - http://www.infoworld.com/article/268787 ... thedeepend

Unread postby **foetz** » Thu Sep 25, 2014 4:34 pm

good thing i never liked bash

Unread postby **ClassicHasClass** » Thu Sep 25, 2014 5:59 pm

Vulnerability not fully fixed.
https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23

SAQ · Unread postby **SAQ** » Thu Sep 25, 2014 8:19 pm

Why'd they start replacing /bin/sh with BASH anyway? Sun went into depth as to why that was not a good idea (and better to have a static /bin/sh), and it's not like sh added too much bloat to the system.

hamei · Unread postby **hamei** » Thu Sep 25, 2014 8:45 pm

SAQ wrote:Why'd they start replacing /bin/sh with BASH anyway?

Heathen ! get thee hence, thou Unbeliever !

Unread postby **josehill** » Thu Sep 25, 2014 8:58 pm

SAQ wrote:Why'd they start replacing /bin/sh with BASH anyway? Sun went into depth as to why that was not a good idea (and better to have a static /bin/sh), and it's not like sh added too much bloat to the system.

What are you, some sort of graybeard who knows things and stuff?

Unread postby **ClassicHasClass** » Thu Sep 25, 2014 10:36 pm

Second patch seems to pass muster:

http://seclists.org/oss-sec/2014/q3/734

I updated the OS X universal bash already (10.4-10.9, PPC and x86).
http://tenfourfox.blogspot.com/2014/09/ ... dated.html

Unread postby **josehill** » Fri Sep 26, 2014 6:03 am

ClassicHasClass wrote:I updated the OS X universal bash already (10.4-10.9, PPC and x86).
http://tenfourfox.blogspot.com/2014/09/ ... dated.html

Thanks, CHC! I'll load it on some machines today!

robespierre · Unread postby **robespierre** » Fri Sep 26, 2014 6:03 am

Code: Select all

$ sudo -s
# chmod -x /bin/bash
# ln -f /bin/ksh /bin/sh

fuggeddaboutit....

Unread postby **duck** » Fri Sep 26, 2014 10:04 am

robespierre wrote:
Code: Select all
$ sudo -s # chmod -x /bin/bash # ln -f /bin/ksh /bin/sh

fuggeddaboutit....

On linux this will likely break things badly. Remember that these kids have been thinking that sh = bash since they first licked a beige box.

VenomousPinecone · Unread postby **VenomousPinecone** » Fri Sep 26, 2014 11:11 am

duck wrote:[...]since they first licked a beige box.

Whaddya' mean? that's not what the floppy drive is for? All these years of my life spent in confusion.

Nekochan Net

Shellshock

Shellshock

Re: Shellshock

Re: Shellshock

Shellshock Bash bug?

Re: Shellshock

Re: Shellshock

Re: Shellshock

Re: Shellshock

Re: Shellshock

Re: Shellshock

Re: Shellshock

Re: Shellshock

Re: Shellshock

Re: Shellshock

Re: Shellshock

Who is online