what could be worse than heartbleed?

Please, this is nothing like Heartbleed. Who the hell uses bash to serve remote requests?
 
"The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. "
 
It is bad, yes, but nothing like "silently and remotely get all the memory of a server process".

Enjoy the show if you're using BSD. Otherwise, happy patching!
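The advisory line quoted in the post above names HTTP requests and CGI scripts as the vector, which is the part people miss when they ask who serves remote requests with bash. The example below is added here and is not code from the thread or from any project: it shows that vector from the detection side. A CGI-capable web server copies request headers into the environment of the script it launches (User-Agent becomes HTTP_USER_AGENT, Referer becomes HTTP_REFERER, and so on), and an unpatched bash treats any environment variable whose value begins with the exact four characters "() {" as a function definition to import, running whatever follows the closing brace. The log lines, addresses and function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: log-side and header-side checks for
# the "() {" prefix an unpatched bash imports as a function definition.
# The log lines and addresses below are constructed samples, not real traffic.

SAMPLE_LOG='203.0.113.5 - - "GET /cgi-bin/status.sh HTTP/1.1" 200 "() { :;}; /bin/ping -c 1 198.51.100.7"
198.51.100.20 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - "GET /cgi-bin/login.cgi HTTP/1.1" 200 "() { ignored;}; /bin/cat /etc/passwd"
192.0.2.44 - - "POST /api/v1 HTTP/1.1" 200 "curl/7.38.0"'

# is_function_import VALUE: exit 0 if VALUE is something an unpatched bash
# would import as a function, i.e. it starts with "() {". Bash's check is a
# prefix check, so the string appearing later inside a value does not count.
is_function_import() {
    case "$1" in
        '() {'*) return 0 ;;
        *) return 1 ;;
    esac
}

# flag_shellshock_lines: read log lines on stdin and print those carrying the
# "() {" marker anywhere. Logs quote header values in varying positions, so a
# substring match is the right net here; the per-value prefix check above is
# for when you hold the header itself (a WAF rule or a CGI wrapper).
flag_shellshock_lines() {
    grep -F '() {'
}

# count_flagged: number of hits in the embedded sample, as a plain integer.
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | flag_shellshock_lines | wc -l | tr -d ' '
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | flag_shellshock_lines
```

Two of the four constructed lines are flagged. Note that the prefix check mirrors what bash does on import; attackers can place the payload in any header the server exports, so the grep over the whole line is the broader net for logs.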
 
Please, this is nothing like Heartbleed. Who the hell uses bash to serve remote requests?

That's exactly what I asked when I heard the news... turns out a whole bunch of remote services can be affected by this...
 
If you're a famous celebrity... that had an iPhone... on iCloud... I guess
 
Wow this is yet another bad one. Just patched my public facing server. Is there a way to test this exploit?
 
It is bad, yes, but nothing like "silently and remotely get all the memory of a server process".

Enjoy the show if you're using BSD. Otherwise, happy patching!

How so? If you run bash on BSD, you're in the same boat. Commits have been pushed to almost all BSD flavors already.

bash may not be the default shell but there are plenty of people running BSD who use bash.
 
Even if you have bash installed and set as your login shell, /bin/sh still remains non-bash and no daemon user should have bash as its login shell.

Edit: Don't mistake this as "you don't need to update". Everyone who has bash must update!
 
Oh I've updated!

Just to be clear, on Ubuntu:
/bin/sh has been dash as of Ubuntu 6.10.

I don't see any daemons with anything other than /bin/sh or /bin/false as shells on my Ubuntu systems (10.04 through 14.04), and I haven't touched the password file.

Can I enjoy the show too? :-p
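The two checks behind the last few posts (which accounts have a bash login shell, and whether /bin/sh is really dash or a native sh rather than bash) are easy to script. The block below is an added example, not code from the thread or from any distribution; the passwd lines in it are a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. (1) list accounts whose login shell
# is some flavour of bash, from passwd-format input, and (2) report what /bin/sh
# resolves to, since a distro that links /bin/sh to bash puts every "#!/bin/sh"
# CGI script in scope. The passwd text below is a constructed sample.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/false
deploy:x:1001:1001::/home/deploy:/bin/bash
nagios:x:999:999::/var/lib/nagios:/usr/local/bin/bash'

# bash_shell_users: print "user:shell" for every account whose login shell has
# the basename "bash" (catches /bin/bash and a ports-installed
# /usr/local/bin/bash alike). Reads passwd-format lines from stdin.
bash_shell_users() {
    awk -F: '{ n = split($7, p, "/"); if (p[n] == "bash") print $1 ":" $7 }'
}

# bash_shell_users_from_sample: run the check on the embedded sample.
bash_shell_users_from_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | bash_shell_users
}

# sh_is_bash: exit 0 if /bin/sh resolves to a binary named bash, 1 otherwise.
# On Ubuntu this is dash and on the BSDs it is the native sh; the interesting
# answer is "yes", because then daemon shells are not the only way in.
sh_is_bash() {
    target=$(readlink -f /bin/sh 2>/dev/null || echo /bin/sh)
    case "$(basename "$target")" in
        bash) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on a live box:
#   bash_shell_users < /etc/passwd
#   sh_is_bash && echo "/bin/sh is bash" || echo "/bin/sh is not bash"
```

On the sample, root, deploy and nagios come back; root having bash is normal, the point of the listing is the service accounts. As the post above says, none of this means you can skip the update.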
 
Well my public facing server is all good, yum update did the trick. Will patch my internal stuff later, not that concerned but still good to keep up to date anyway.

Another way to test:

Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Paste that in a shell. If you get errors you're not vulnerable.
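The one-liner above is the standard quick test. As an added example (not code from the thread), here it is wrapped so it can be pointed at any bash binary, such as a ports-installed /usr/local/bin/bash on BSD, and scripted across hosts. The verdict words, the marker string and the function names are my own convention; the probe only looks at stdout, so the "ignoring function definition attempt" warning a patched bash prints on stderr is not what decides the result.

```shell
#!/bin/sh
# Added example, not code from the thread: scriptable wrapper around the
# env x='() { :;}; ...' probe. Verdict words and marker are this example's own.

# classify_output OUTPUT: turn the captured stdout of the probe into a verdict.
# The trailing command in the environment variable prints the marker only if
# bash executed code that followed the function definition while importing it.
classify_output() {
    case "$1" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *) echo "patched" ;;
    esac
}

# shellshock_check [BASH_BIN]: run the probe against the given bash binary
# (default: the bash found on PATH). Prints one of vulnerable/patched/missing
# and exits 0 only for "patched", so it can be used straight in a loop over hosts.
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "missing"; return 2; }
    # stderr is dropped: a patched bash warns there, but the decision is made on
    # whether the marker reached stdout.
    probe_out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    verdict=$(classify_output "$probe_out")
    echo "$verdict"
    [ "$verdict" = "patched" ]
}

# Usage: shellshock_check /bin/bash; echo "exit=$?"
```

Run it against each bash you have installed, not just the one on PATH; a second copy in /usr/local/bin is exactly the case the BSD discussion above is about.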
 
Is this when the Windows users say haha?

Just kidding.
 
I tried the exploits on my Windows servers and, well, they are not vulnerable. :)

Yeah, but a Linux web server could be infected with code that can then infect a Windows machine by viewing the website(s) on that server.. ;) With remote code execution, the sky is the limit to turn a server into a vehicle to get malware onto other platforms that use that server via web browser or possibly other means. The worms are coming. :D

Mind you, this would have been fairly possible to do with Heartbleed too, and it did not happen as far as I know. Either the malware writers/hackers aren't thinking of it or people are patching fast enough that it's not worth writing a worm for. This one is fairly easy to patch, and even older distros like CentOS 5 have a patch, so there's really no excuse not to be patched at this point.
 
Who browses the web from a server? Mine can't even call out to the internet.

All my Linux systems were patched yesterday and again today with the second fix.
 
His post went way over your head.

He is not talking about browsing from the server, he is talking about clients that would connect to the infected/affected server.
 
Assbleed is pretty bad from what I hear.... I guess just be careful what you let in your floppy drive is the only way to prevent it.
 
He is not talking about browsing from the server, he is talking about clients that would connect to the infected/affected server.

Yep, exactly. Imagine google.com's server (let's pretend there's just one server for simplicity's sake) is unpatched and gets infected with a worm that adds malicious code to each page served. Then everybody with Windows who browses it from their computer gets infected with some malware targeted at Windows, such as your typical drive-by that installs a fake AV program. Essentially the exploit can be used as a vehicle to deliver malware to end users who happen to use the server.

Actually, ad network servers would probably be a prime target for something like this.
 
Really glad it was fixed so fast. I don't use *nix much, but when I do, I use bash. It's by far my favorite.
 
Yep, exactly. Imagine google.com's server (let's pretend there's just one server for simplicity's sake) is unpatched and gets infected with a worm that adds malicious code to each page served. Then everybody with Windows who browses it from their computer gets infected with some malware targeted at Windows, such as your typical drive-by that installs a fake AV program. Essentially the exploit can be used as a vehicle to deliver malware to end users who happen to use the server.

Actually, ad network servers would probably be a prime target for something like this.

So what does that have to do with the Windows server and not browsing the web from it? Sure sounds like you're browsing the web there.
 
Has nothing to do with Windows servers, but with regular Windows clients being used by regular users around the globe.

Imagine this scenario:

1- A popular website's server running Linux is vulnerable to this exploit.

2- A hacker or a worm uses this exploit to execute remote code on the server to modify the website's pages to contain a drive-by virus, such as one of those that drop a fake AV on your system, or perhaps a custom virus. Anything, really.

3- An end user, running Windows, browses the website that is hosted on the server that was compromised.

4- The user is now infected with a fake antivirus program (or any other malware the hacker decided to push).
 