Welcome to DU! The truly grassroots left-of-center political community where regular people, not algorithms, drive the discussions and set the standards. Join the community: Create a free account Support DU (and get rid of ads!): Become a Star Member Latest Breaking News Editorials & Other Articles General Discussion The DU Lounge All Forums Issue Forums Culture Forums Alliance Forums Region Forums Support Forums Help & Search

Recursion

(56,582 posts)
Wed Sep 24, 2014, 11:21 PM Sep 2014

Remote exploit vulnerability in bash CVE-2014-6271

Ouch.

http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html

A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271 and has been given the name Shellshock by some. This affects Debian as well as other Linux distributions. You will need to patch ASAP.

Bash supports exporting shell variables as well as shell functions to other bash instances. This is accomplished through the process environment to a child process.

The major attack vectors that have been identified in this case are HTTP requests and CGI scripts.


TL;DR: an environment variable whose value's first three characters are &quot ){" processes as a function definition and will continue to execute any commands after the end of that function definition, eg FOO=&quot ){ls}; rm -rf /home" will define the function FOO and then remove the /home tree.

Ouch.
2 replies = new reply since forum marked as read
Highlight: NoneDon't highlight anything 5 newestHighlight 5 most recent replies
Remote exploit vulnerability in bash CVE-2014-6271 (Original Post) Recursion Sep 2014 OP
Yikes defacto7 Sep 2014 #1
The updates yesterday were incomplete... defacto7 Sep 2014 #2

defacto7

(13,617 posts)
1. Yikes
Thu Sep 25, 2014, 12:11 AM
Sep 2014

Debian put out a patch almost immediately. Update... especially servers. I did so a couple of hours ago.

defacto7

(13,617 posts)
2. The updates yesterday were incomplete...
Thu Sep 25, 2014, 10:28 PM
Sep 2014

Bash has another update today which should be utilized..

So update bash again... and hope this is a reasonable patch. Time will tell when they find out what scripts are vulnerable because it takes both bash and certain vulnerable scripts to make an exploit.

There are better links than this but it does the job:

http://www.cbc.ca/news/technology/shellshock-computer-bug-already-exploited-by-hackers-1.2777514?cmp=rss

Latest Discussions»Culture Forums»Open Source and Free Software»Remote exploit vulnerabil...