Linux bash exploit discovered

[Josh]

[mwb1100]

Most of that video overstayed its welcome, but the bit at 0:25-0:32 is priceless.

[Deozaan]

Why are they all pronouncing it "lye nucks"?

[Innuendo]

Akamai has created a WAF rule to filter this exploit; see "For Web Applications" below for details."

-mouser (September 24, 2014, 07:36 PM)

The way my mind works sometimes concerns me. The first thing that came to mind when I read this was why does Akamai have to worry about the wife approval factor when patching exploits?

[ewemoa]

Regarding the plausibility of Fedora switching the system shell from bash (e.g. to dash), the following tidbit came up:

I switched a Fedora box to using dash as /bin/sh, and so far have only
logged one bug for something that broke, and it pretty much deserved
to break (BZ #1146733).

via http://www.openwall.com/lists/oss-security/2014/09/28/9

No idea whether that's typical...but note that the author may be an employee of RedHat.

[lanux128]

i believe this has something to do with this post so i'll just leave this here.


• http://www.intelliad...ity-to-look-out-for/

[rgdot]

Update provided on Mint (bash 4.2-2Ubuntu2.3--->4.2-2Ubuntu2.5 ) fixes it as far as I can see, the tests quoted in this thread that showed vulnerable no longer do for me

[ewemoa]

There is a Wikipedia page now:

  https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29

One of the sections is "Reported Vulnerabilities", under which there are 5 things listed so far.


The "DHCP Proof of concept Shellshock exploit" link that lanux128 posted alluded to definitely increased motivation around here to patch more machines -- though it looks like more patching may be necessary before long.

[ewemoa]

A git repository with code to check for the originally reported vulnerability and (some of the?) subsequently revealed(?) ones...

test script for shellshocker and related vulnerabilities

The Bash vulnerability that is now known as shellshock had an incomplete fix at first. There are currently 4 public and one supposedly non-public vulnerability.

via https://github.com/hannob/bashcheck