Shellshock

Posted: Thu Sep 25, 2014 8:56 am
by pentium
Now that the word is out about this absolutely massive bash exploit, should any of us folks still running Irix machines on the net be at all concerned?

An article on it.

Re: Shellshock

Posted: Thu Sep 25, 2014 9:59 am
by duck
Only in two cases:

The specific: If you use a bash script for CGI
The general: If you've replaced /bin/sh with bash

I'll add that the exploit-tests I've seen in my logs are using ping to test if it works; ours is in /usr/etc and AIUI that's not in the default path so even if you're vulnerable it wouldn't trigger the scriptkiddies at least.
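
An audit for the two cases named in the post above, as an added example that is not part of the original thread: it reports whether a given sh path is really bash and lists CGI files whose interpreter line ends up running bash. The function names, the directory argument and the banner check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit for the two exposure cases above.
# Function names and the CGI directory argument are assumptions.

# Exit 0 if the shell at $1 (default /bin/sh) is really bash.
sh_is_bash() {
    target=${1:-/bin/sh}
    [ -x "$target" ] || return 1
    # Symlink case: follow the link and look at the real file name.
    resolved=$(readlink -f "$target" 2>/dev/null || printf '%s' "$target")
    case ${resolved##*/} in
        bash|bash-*) return 0 ;;
    esac
    # Hard link or copy: bash prints its banner under any name.
    "$target" --version </dev/null 2>/dev/null | grep -q 'GNU bash'
}

# Print files under $1 whose interpreter line runs bash, either by name or
# through sh when the sh at $2 (default /bin/sh) is bash.
# CGI programs in other languages that shell out are not detected here.
bash_cgi_scripts() {
    dir=$1
    sh_path=${2:-/bin/sh}
    find "$dir" -type f | sort | while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\000')
        case $first in
            '#!'*bash*) printf '%s\n' "$f" ;;
            '#!'*/sh|'#!'*/sh\ *)
                if sh_is_bash "$sh_path"; then printf '%s\n' "$f"; fi ;;
        esac
    done
}

# Usage: sh audit.sh <cgi-directory>
if [ "$#" -gt 0 ]; then
    if sh_is_bash; then echo "/bin/sh is bash"; else echo "/bin/sh is not bash"; fi
    bash_cgi_scripts "$1"
fi
```
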

Re: Shellshock

Posted: Thu Sep 25, 2014 1:58 pm
by ClassicHasClass
You're more cooked if you're on a system where /bin/sh == /bin/bash. OS X is such a system. I quickly built a standalone bash for 10.4+ PPC/Intel if you want one of those.

http://tenfourfox.blogspot.com/2014/09/ ... -bash.html

But I think IRIX is very low risk.

Shellshock Bash bug?

Posted: Thu Sep 25, 2014 3:45 pm
by VenomousPinecone

Re: Shellshock

Posted: Thu Sep 25, 2014 4:06 pm
by josehill

Re: Shellshock

Posted: Thu Sep 25, 2014 4:34 pm
by foetz
good thing i never liked bash :P

Re: Shellshock

Posted: Thu Sep 25, 2014 5:59 pm
by ClassicHasClass

Re: Shellshock

Posted: Thu Sep 25, 2014 8:19 pm
by SAQ
Why'd they start replacing /bin/sh with BASH anyway? Sun went into depth as to why that was not a good idea (and better to have a static /bin/sh), and it's not like sh added too much bloat to the system.

Re: Shellshock

Posted: Thu Sep 25, 2014 8:45 pm
by hamei
SAQ wrote: Why'd they start replacing /bin/sh with BASH anyway?

Heathen ! get thee hence, thou Unbeliever !

Re: Shellshock

Posted: Thu Sep 25, 2014 8:58 pm
by josehill
SAQ wrote: Why'd they start replacing /bin/sh with BASH anyway? Sun went into depth as to why that was not a good idea (and better to have a static /bin/sh), and it's not like sh added too much bloat to the system.

What are you, some sort of graybeard who knows things and stuff? ;)

Re: Shellshock

Posted: Thu Sep 25, 2014 10:36 pm
by ClassicHasClass
Second patch seems to pass muster:

http://seclists.org/oss-sec/2014/q3/734

I updated the OS X universal bash already (10.4-10.9, PPC and x86).
http://tenfourfox.blogspot.com/2014/09/ ... dated.html

Re: Shellshock

Posted: Fri Sep 26, 2014 6:03 am
by josehill
ClassicHasClass wrote: I updated the OS X universal bash already (10.4-10.9, PPC and x86).
http://tenfourfox.blogspot.com/2014/09/ ... dated.html

Thanks, CHC! I'll load it on some machines today!

Re: Shellshock

Posted: Fri Sep 26, 2014 6:03 am
by robespierre

$ sudo -s
# chmod -x /bin/bash
# ln -f /bin/ksh /bin/sh


fuggeddaboutit....

Re: Shellshock

Posted: Fri Sep 26, 2014 10:04 am
by duck
robespierre wrote:

$ sudo -s
# chmod -x /bin/bash
# ln -f /bin/ksh /bin/sh


fuggeddaboutit....


On Linux this will likely break things badly. Remember that these kids have been thinking that sh = bash since they first licked a beige box.

Re: Shellshock

Posted: Fri Sep 26, 2014 11:11 am
by VenomousPinecone
duck wrote:[...]since they first licked a beige box.


Whaddya' mean? that's not what the floppy drive is for? All these years of my life spent in confusion.