Posted on 09/25/2014 12:57:00 PM PDT by servo1969
Remember Heartbleed? Well, this is probably worse. Here's a (somewhat simplified) explanation of what Shellshock actually is. Don't worry: I haven't included instructions on how to actually exploit it. The moral of the story is: keep your security patches up to date!
(Excerpt) Read more at youtube.com ...
“Worse” is subjective. It’s a more severe bug when it’s exploited; however, being able to exploit it is more difficult.
In any event, “keep up with security patches” is always good advice.
Ping
25 years this was possible, and they just find it. Talking about patching everything is going to be difficult, if not impossible, considering all of the embedded systems out there.
The good news is that most embedded systems don’t use Bash, they use something smaller like ash, dash, BusyBox, etc.
You mean like this?
prompt$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

It's no secret how to exploit it. It's freakin' TRIVIAL to exploit it. But first, you have to get to it. That's the hard part.
This is a tempest in a teapot. No less a tempest, but this is a LOT harder to arrange to exploit than HeartBleed.
I'm a System Admin with a few hundred servers and workstations to patch -- it's a nightmare. That's my job...
But meanwhile, the freakin' technology twats writing these headlines sound like the world is ending. It's not. They're just pimping for webpage hits.
You want to know where the world is ending, look up the news on Ebola...
Being a dinosaur who gave-up with keeping-up with tech, I enjoy hitting these threads....it’s like those ‘English as a Second Language’ courses for us old phocks.....I try to learn sumpin, but quickly realize I’m beyond the curve.
Thanks for sharing...
Just copy/paste that line at a Bash prompt and hit return. If it prints out:

vulnerable
this is a test

then your Bash has the flaw. OTOH, if it prints out:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

then your Bash is safe from this bug.
... Minus the “prompt$” part, of course. That represents the shell prompt you’re entering the command at.
Thanks ... I suspect you’ve forgotten more about code than I’ll ever know. That said I’m thankful you’re here..
You're very welcome, FRiend, and thank -you- for the kind words.
Fact is, I've been at this for 44 years now and have forgotten more about code than -I- ever knew, too. :)
I patched 114 various distributions of Linux systems for this bug and ran that same test today, but I changed the “this is a test” part to “System is not vulnerable.” Too bad I didn’t already have Chef configured... One of these days...
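The one-line test from the posts above, wrapped in a small script for checking several Bash binaries after patching. This is an added example, not part of the thread; the function names `classify_output` and `check_bash` are made up here.

```shell
#!/bin/sh
# Added example: classify the output of the one-line Shellshock test quoted
# in this thread. Function names are hypothetical, not from the thread.

# classify_output TEXT -> prints "vulnerable", "patched" or "unknown".
classify_output() {
    out=$1
    verdict=unknown
    # A bare "vulnerable" line appears only when Bash ran the code that
    # trails the function definition in the environment variable.
    # Only the echo line, with or without warnings, counts as patched.
    while IFS= read -r line; do
        case $line in
            vulnerable) verdict=vulnerable; break ;;
            "this is a test") verdict=patched ;;
        esac
    done <<EOF
$out
EOF
    printf '%s\n' "$verdict"
}

# check_bash PATH -> runs the thread's test against that Bash binary.
check_bash() {
    bash_bin=$1
    if [ ! -x "$bash_bin" ]; then
        printf 'unknown\n'
        return 0
    fi
    # Same command as in the thread; stderr is merged so the warnings a
    # patched Bash may print are captured as well.
    result=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>&1) || true
    classify_output "$result"
}

# With arguments, check each named binary, e.g.:
#   sh check.sh /bin/bash /usr/local/bin/bash
if [ "$#" -gt 0 ]; then
    for b in "$@"; do
        printf '%s: %s\n' "$b" "$(check_bash "$b")"
    done
fi
```

A result of `unknown` means the binary was missing or printed neither expected line, so that host needs a manual look.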