what could be worse than heartbleed?

Discussion in 'Networking & Security' started by goodcooper, Sep 24, 2014.

  1. goodcooper

    goodcooper [H]ardForum Junkie

    Messages:
    9,803
    Joined:
    Nov 4, 2005
  2. klank

    klank Killer of Killer NIC Threadz

    Messages:
    2,134
    Joined:
    Aug 22, 2011
  3. goodcooper

    goodcooper [H]ardForum Junkie

    Messages:
    9,803
    Joined:
    Nov 4, 2005
  4. TCM2

    TCM2 Gawd

    Messages:
    571
    Joined:
    Oct 17, 2013
    Please, this is nothing like Heartbleed. Who the hell uses bash to serve remote requests?
     
  5. klank

    klank Killer of Killer NIC Threadz

    Messages:
    2,134
    Joined:
    Aug 22, 2011
    "The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. "
     
  6. TCM2

    TCM2 Gawd

    Messages:
    571
    Joined:
    Oct 17, 2013
    It is bad, yes, but nothing like "silently and remotely get all the memory of a server process".

    Enjoy the show if you're using BSD. Otherwise, happy patching!
     
  7. goodcooper

    goodcooper [H]ardForum Junkie

    Messages:
    9,803
    Joined:
    Nov 4, 2005
    That's exactly what I asked when I heard the news... turns out a whole BUNCHA remote services can be affected by this...
     
  8. tonyyy

    tonyyy Limp Gawd

    Messages:
    306
    Joined:
    Nov 10, 2009
    If you're a famous celebrity... that had an iPhone... on iCloud... I guess
     
  9. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Messages:
    9,211
    Joined:
    Nov 29, 2009
    Wow this is yet another bad one. Just patched my public facing server. Is there a way to test this exploit?
     
  10. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Messages:
    9,211
    Joined:
    Nov 29, 2009
  11. mwarps

    mwarps [H]ardness Supreme

    Messages:
    7,060
    Joined:
    Oct 6, 2002
    How so? If you run bash on BSD, you're in the same boat. Commits have been pushed to almost all BSD flavors already.

    bash may not be the default shell but there are plenty of people running BSD who use bash.
     
  12. DeChache

    DeChache The ONE - Your Ignorance Annoys Me

    Messages:
    6,786
    Joined:
    Oct 30, 2005
    https://shellshock.detectify.com/
     
  13. TCM2

    TCM2 Gawd

    Messages:
    571
    Joined:
    Oct 17, 2013
    Even if you have bash installed and set as your login shell, /bin/sh still remains non-bash and no daemon user should have bash as its login shell.

    Edit: Don't mistake this as "you don't need to update". Everyone who has bash must update!
     
    Last edited: Sep 25, 2014
  14. jojo69

    jojo69 [H]ardForum Junkie

    Messages:
    10,398
    Joined:
    Sep 13, 2009
  15. mwarps

    mwarps [H]ardness Supreme

    Messages:
    7,060
    Joined:
    Oct 6, 2002
    Oh I've updated!

    Just to be clear, on Ubuntu:
    /bin/sh was dash as of Ubuntu 6.10.

    I don't see any daemons with anything other than /bin/sh or /bin/false as shells on my Ubuntu systems (10.04 through 14.04) and I haven't touched the password file.

    Can I enjoy the show too? :-p
     
  16. Benzino

    Benzino [H]ard|Gawd

    Messages:
    1,485
    Joined:
    Mar 3, 2005
    We're scrambling at work.
     
  17. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Messages:
    9,211
    Joined:
    Nov 29, 2009
    Well my public facing server is all good, yum update did the trick. Will patch my internal stuff later, not that concerned but still good to keep up to date anyway.

    Another way to test:

    Code:
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    Paste that in a shell. If you get errors, you're not vulnerable.
     
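    The checks the thread walks through (what /bin/sh really is, which accounts have bash as a login shell, and Red Squirrel's function-import probe) gathered into one audit script, as an added example that is not from any poster. The passwd content is a constructed sample; bash_login_shells, sh_implementation, bash_env_import_status and audit are names chosen here.

```shell
#!/bin/sh
# Added audit script (not from the thread). Constructed /etc/passwd sample so
# the account check runs offline; pass the real file's content instead.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
appsvc:x:1001:1001:app service:/srv/app:/bin/bash'

# List accounts whose login shell is bash ("user:shell", one per line).
# Daemon users belong on /bin/sh, /bin/false or nologin, as the thread notes.
bash_login_shells() {
    printf '%s\n' "$1" | awk -F: '$7 ~ /bash$/ { print $1 ":" $7 }'
}

# Report which binary /bin/sh actually is (dash on Ubuntu since 6.10, per the
# thread), so "scripts run under /bin/sh" is not silently "scripts run under bash".
sh_implementation() {
    target=$(readlink -f /bin/sh 2>/dev/null) || target=/bin/sh
    basename "$target"
}

# Run the function-import probe from Red Squirrel's post against a bash binary.
# The exported value only defines an empty function; if the text after the
# closing brace gets executed, this bash still imports functions unsafely.
# Prints "vulnerable", "patched", or "absent" (no such bash found).
bash_env_import_status() {
    shell=${1:-bash}
    command -v "$shell" >/dev/null 2>&1 || { echo absent; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Operator summary; exit status is non-zero when bash still needs patching.
audit() {
    status=$(bash_env_import_status)
    echo "/bin/sh is: $(sh_implementation)"
    echo "bash function import: $status"
    echo "accounts with a bash login shell:"
    bash_login_shells "$SAMPLE_PASSWD" | sed 's/^/  /'
    [ "$status" != vulnerable ]
}
```

Patching remains necessary whatever the login-shell list shows, since CGI handlers and other services may invoke bash regardless of any account's shell.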
  18. scobar

    scobar .

    Messages:
    34,034
    Joined:
    Jan 2, 2001
    Is this when the Windows users say haha?

    Just kidding.
     
  19. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Messages:
    9,211
    Joined:
    Nov 29, 2009
    They'll just get infected by a drive by on a website that was infected by this exploit. :D
     
  20. DeChache

    DeChache The ONE - Your Ignorance Annoys Me

    Messages:
    6,786
    Joined:
    Oct 30, 2005
    I tried the exploits on my windows servers and well they are not vulnerable. :)
     
  21. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Messages:
    9,211
    Joined:
    Nov 29, 2009
    Yeah, but a Linux web server could be infected with code that can then infect a Windows machine by viewing the website(s) on that server.. ;) With remote code execution, the sky is the limit to turn a server into a vehicle to get malware on other platforms that use that server via web browser or possibly other means. The worms are coming. :D

    Mind you, this would have been fairly possible to do with Heartbleed too and did not happen as far as I know. Either the malware writers/hackers aren't thinking of it or people are patching up fast enough that it's not worth writing a worm for. This one is fairly easy to patch and even older distros like CentOS 5 have a patch, so really no excuse to not be patched at this point.
     
  22. DeChache

    DeChache The ONE - Your Ignorance Annoys Me

    Messages:
    6,786
    Joined:
    Oct 30, 2005
    Who browses the web from a server? Mine can't even call out to the internet.

    All my Linux systems were patched yesterday and again today with the second fix.
     
  23. klank

    klank Killer of Killer NIC Threadz

    Messages:
    2,134
    Joined:
    Aug 22, 2011
    His post went way over your head.

    He is not talking about browsing from the server, he is talking about clients that would connect to the infected/affected server.
     
  24. tangoseal

    tangoseal [H]ardness Supreme

    Messages:
    6,901
    Joined:
    Dec 18, 2010
    Assbleed is pretty bad from what I hear.... I guess just be careful what you let in your floppy drive is the only way to prevent it.
     
  25. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Messages:
    9,211
    Joined:
    Nov 29, 2009
    Yep, exactly. Imagine google.com's server (let's pretend there's just 1 server for simplicity's sake) is unpatched and gets infected with a worm that adds malicious code to each page served. Then everybody with Windows who browses it from their computer gets infected with some malware targeted at Windows, such as your typical drive-by that installs a fake AV program. Essentially the exploit can be used as a vehicle to deliver malware to end users who happen to use the server.

    Actually, ad network servers would probably be a prime target for something like this.
     
  26. Romale23

    Romale23 Gawd

    Messages:
    868
    Joined:
    Dec 12, 2006
    Really glad it was fixed so fast. I don't use *nix much, but when I do, I use bash. It's by far my favorite.
     
  27. DeChache

    DeChache The ONE - Your Ignorance Annoys Me

    Messages:
    6,786
    Joined:
    Oct 30, 2005
    So what does that have to do with the Windows server and not browsing the web from it? Sure sounds like you're browsing the web there.
     
  28. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Messages:
    9,211
    Joined:
    Nov 29, 2009
    Has nothing to do with Windows servers, but regular Windows clients being used by regular users around the globe.

    Imagine this scenario:

    1- A popular website's server running Linux is vulnerable to this exploit.

    2- A hacker or a worm uses this exploit to execute remote code on the server to modify the web site's pages to contain a drive-by virus, such as one of those ones that drop a fake AV on your system, or perhaps a custom virus. Anything really.

    3- An end user, running Windows, browses the website that is hosted on the server that was compromised.

    4- The user is now infected with a fake antivirus program (or any other malware the hacker decided to push).
     
  29. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Messages:
    9,211
    Joined:
    Nov 29, 2009
  30. Mister Natural

    Mister Natural 2[H]4U

    Messages:
    3,464
    Joined:
    Oct 10, 2002
    Last edited: Oct 1, 2014