what could be worse than heartbleed?

TCM2

Gawd
Joined
Oct 17, 2013
Messages
572
Please, this is nothing like Heartbleed. Who the hell uses bash to serve remote requests?
 

klank

Killer of Killer NIC Threadz
Joined
Aug 22, 2011
Messages
2,148
Please, this is nothing like Heartbleed. Who the hell uses bash to serve remote requests?
"The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. "
 

TCM2

Gawd
Joined
Oct 17, 2013
Messages
572
It is bad, yes, but nothing like "silently and remotely get all the memory of a server process".

Enjoy the show if you're using BSD. Otherwise, happy patching!
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,772
Please, this is nothing like Heartbleed. Who the hell uses bash to serve remote requests?
That's exactly what I asked when I heard the news... turns out a whole BUNCHA remote services can be affected by this...
 

tonyyy

Limp Gawd
Joined
Nov 10, 2009
Messages
306
If you're a famous celebrity... that had an iPhone... on iCloud... I guess
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
Wow this is yet another bad one. Just patched my public facing server. Is there a way to test this exploit?
 

mwarps

Supreme [H]ardness
Joined
Oct 6, 2002
Messages
7,011
It is bad, yes, but nothing like "silently and remotely get all the memory of a server process".

Enjoy the show if you're using BSD. Otherwise, happy patching!
How so? If you run bash on BSD, you're in the same boat. Commits have been pushed to almost all BSD flavors already.

bash may not be the default shell but there are plenty of people running BSD who use bash.
 

TCM2

Gawd
Joined
Oct 17, 2013
Messages
572
How so? If you run bash on BSD, you're in the same boat. Commits have been pushed to almost all BSD flavors already.

bash may not be the default shell but there are plenty of people running BSD who use bash.
Even if you have bash installed and set as your login shell, /bin/sh still remains non-bash and no daemon user should have bash as its login shell.

Edit: Don't mistake this as "you don't need to update". Everyone who has bash must update!
 

mwarps

Supreme [H]ardness
Joined
Oct 6, 2002
Messages
7,011
Even if you have bash installed and set as your login shell, /bin/sh still remains non-bash and no daemon user should have bash as its login shell.

Edit: Don't mistake this as "you don't need to update". Everyone who has bash must update!
Oh I've updated!

Just to be clear, on Ubuntu:
/bin/sh was dash as of Ubuntu 6.10.

I don't see any daemons with anything other than /bin/sh or /bin/false as shells on my Ubuntu systems (10.04 through 14.04) and I haven't touched the password file.

Can I enjoy the show too? :-p
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
Well my public facing server is all good, yum update did the trick. Will patch my internal stuff later, not that concerned but still good to keep up to date anyway.

Another way to test:

Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Paste that in a shell. If you get errors you're not vulnerable.
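The one-liner in the post above is fine to paste by hand, but once there are more than a couple of hosts it helps to have the same probe wrapped so the verdict is a value rather than something read by eye. The following is an added example, not code from the thread: it runs the same probe (an environment variable whose value is a function body followed by an extra command) through `subprocess` with a controlled environment and classifies the combined output. The verdict strings and function names are this example's own convention.

```python
"""Scriptable version of the one-line check quoted in the post above.

Added example, not from the thread. Verdict names are this example's own.
"""
import shutil
import subprocess
from typing import Optional

PROBE_VALUE = "() { :;}; echo vulnerable"   # same value as the thread's test
PROBE_SCRIPT = "echo this is a test"


def classify_output(output: str) -> str:
    """Classify the combined stdout+stderr of the probe command.

    An unpatched bash imports x as a function and also runs the trailing
    command, so a line reading exactly "vulnerable" appears. A patched bash
    refuses the import, prints a warning on stderr (the "errors" the post
    mentions) and still runs the harmless test echo.
    """
    lines = [ln.strip() for ln in output.splitlines()]
    if "vulnerable" in lines:
        return "vulnerable"
    if "this is a test" in lines:
        return "patched"
    return "unknown"


def check_bash(bash_path: Optional[str] = None) -> str:
    """Run the probe against one bash binary (default: first bash on PATH)."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return "no-bash"
    # Minimal environment: the probe variable plus a PATH so an external echo
    # resolves; nothing from the caller's environment is inherited.
    env = {"x": PROBE_VALUE, "PATH": "/usr/bin:/bin"}
    try:
        proc = subprocess.run([bash, "-c", PROBE_SCRIPT], env=env,
                              capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return "no-bash"
    return classify_output(proc.stdout + proc.stderr)


if __name__ == "__main__":
    print("bash on this host:", check_bash())
```

A "patched" verdict only covers the original import bug this probe exercises; the later follow-up fix the thread mentions needs its own check, so treat the result as one line in an inventory, not as proof a host is done.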
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
I tried the exploits on my windows servers and well they are not vulnerable. :)
Yeah but a Linux web server could be infected with code that can then infect a Windows machine by viewing the website(s) on that server.. ;) With remote code execution, the sky is the limit to turn a server into a vehicle to get malware on other platforms that use that server via web browser or possibly other means. The worms are coming. :D

Mind you, this would have been fairly possible to do with Heartbleed too and did not happen as far as I know. Either the malware writers/hackers aren't thinking of it or people are patching up fast enough that it's not worth writing a worm for. This one is fairly easy to patch and even older distros like CentOS 5 have a patch so really no excuse to not be patched at this point.
 

DeChache

The ONE - Your Ignorance Annoys Me
Joined
Oct 30, 2005
Messages
6,993
Yeah but a Linux web server could be infected with code that can then infect a Windows machine by viewing the website(s) on that server.. ;) With remote code execution, the sky is the limit to turn a server into a vehicle to get malware on other platforms that use that server via web browser or possibly other means. The worms are coming. :D

Mind you, this would have been fairly possible to do with Heartbleed too and did not happen as far as I know. Either the malware writers/hackers aren't thinking of it or people are patching up fast enough that it's not worth writing a worm for. This one is fairly easy to patch and even older distros like CentOS 5 have a patch so really no excuse to not be patched at this point.
Who browses the web from a server? Mine can't even call out to the internet.

All my Linux systems were patched yesterday and again today with the second fix.
 

klank

Killer of Killer NIC Threadz
Joined
Aug 22, 2011
Messages
2,148
Who browses the web from a server? Mine can't even call out to the internet.

All my Linux systems were patched yesterday and again today with the second fix.
His post went way over your head.

He is not talking about browsing from the server, he is talking about clients that would connect to the infected/affected server.
 

tangoseal

[H]F Junkie
Joined
Dec 18, 2010
Messages
8,272
Assbleed is pretty bad from what I hear.... I guess just be careful what you let in your floppy drive is the only way to prevent it.
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
He is not talking about browsing from the server, he is talking about clients that would connect to the infected/affected server.
Yep exactly. Imagine google.com's server (let's pretend there's just 1 server for simplicity's sake) is unpatched and gets infected with a worm that adds malicious code to each page served. Then everybody with Windows who browses it from their computer gets infected with some malware targeted at Windows such as your typical drive-by that installs a fake AV program. Essentially the exploit can be used as a vehicle to deliver malware to end users who happen to use the server.

Actually, ad network servers would probably be a prime target for something like this.
 

Romale23

Gawd
Joined
Dec 12, 2006
Messages
866
Really glad it was fixed so fast. I don't use *nix much, but when I do, I use bash. It's by far my favorite.
 

DeChache

The ONE - Your Ignorance Annoys Me
Joined
Oct 30, 2005
Messages
6,993
Yep exactly. Imagine google.com's server (let's pretend there's just 1 server for simplicity's sake) is unpatched and gets infected with a worm that adds malicious code to each page served. Then everybody with Windows who browses it from their computer gets infected with some malware targeted at Windows such as your typical drive-by that installs a fake AV program. Essentially the exploit can be used as a vehicle to deliver malware to end users who happen to use the server.

Actually, ad network servers would probably be a prime target for something like this.
So what does that have to do with the Windows server and not browsing the web from it? Sure sounds like you're browsing the web there.
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
So what does that have to do with the Windows server and not browsing the web from it? Sure sounds like you're browsing the web there.
Has nothing to do with Windows servers, but regular Windows clients being used by regular users around the globe.

Imagine this scenario:

1- A popular website's server running Linux is vulnerable to this exploit.

2- A hacker or a worm uses this exploit to execute remote code on the server to modify the web site's pages to contain a drive-by virus, such as one of those that drop a fake AV on your system, or perhaps a custom virus. Anything really.

3- An end user, running Windows, browses the website that is hosted on the server that was compromised.

4- The user is now infected with a fake antivirus program (or any other malware the hacker decided to push).
 