'Shellshock': Bash bug -> Mac OS X and Linux systems

Lankan

Active Member
You may have heard about the latest vulnerability that is set to affect a majority of devices that run Mac OS X or Linux: LINK

Note: This does not affect devices running Microsoft Windows (for once!). Gobbledegook warning from this point onwards though!

If you are not interested in the technical details, but wish to test your system for vulnerability, simply fire up Bash (which is the default shell for Mac OS X and Linux) and type the following:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:
vulnerable
this is a test


Note that although the vulnerability may exist it does not mean your system is affected, but that the likelihood of being exploited is very high. As such, the remedy is to install any fixes/patches that your system vendor/provider will provide (or push down) to your device. These are meant to 'patch' your device against the said vulnerability. Once this is done, running the same test should result in the following:

An unaffected (or patched) system will output:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test


If you have got down this far then you certainly are keen, so well done :approve:
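
The test from the post above, wrapped so it can be run against every copy of bash on a machine (an added example, not part of the original post; the function names are made up for illustration). Only standard output is inspected, because the warnings quoted above go to standard error and later bash updates print no warning at all.

```shell
#!/bin/sh
# Added example: runs the thread's one-line test against each bash binary.
# Function names are hypothetical; the test command is the one from the post.

# Decide the verdict from the test's standard output.
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable      # the injected "echo vulnerable" ran
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo patched         # only the intended command ran
    else
        echo unknown         # the test itself did not run
    fi
}

# Run the test against one bash binary (path in $1).
check_bash() {
    [ -x "$1" ] || { echo unknown; return; }
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" 2>/dev/null)
    classify_output "$out"
}

# Check the bash on PATH plus every bash listed in /etc/shells, since a
# machine can carry more than one copy (vendor build, package manager build).
check_all_bash() {
    {
        command -v bash
        [ -r /etc/shells ] && grep -E '/bash$' /etc/shells
    } | sort -u | while read -r shell_path; do
        printf '%s: %s\n' "$shell_path" "$(check_bash "$shell_path")"
    done
}

check_all_bash
```

Any path reported as vulnerable needs the vendor's bash update; re-run the script afterwards to confirm.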
 
Lankan said:
If you have got down this far then you certainly are keen, so well done :approve:

Ha ha, yes was looking at this yesterday on seclists.org - I like the way news outlets like the BBC try to pitch it at Joe public too ... Essentially 'don't worry you might all be f****d but then again you might not' :rofl:
 
I've just been reading some of the mainstream press on this! They soooooooo shouldn't be allowed to write stuff on a topic they don't know a scooby about. The internet is going to end as we know it, and hackers are going to access your brain and cause you to meltdown!

Anybody seen an example of an exploit which doesn't require authorized access to a machine to run a bash script (in which case why don't you just directly do something malicious) or for you to install e.g. a bash-based CGI-script with something malicious in it (in which case why don't you just do something directly malicious in that CGI-script)? Any examples of it being used to remotely inject something with the remote system without access/installation?
 
® Andy said:
I've just been reading some of the mainstream press on this! They soooooooo shouldn't be allowed to write stuff on a topic they don't know a scooby about. The internet is going to end as we know it, and hackers are going to access your brain and cause you to meltdown!

Anybody seen an example of an exploit which doesn't require authorized access to a machine to run a bash script (in which case why don't you just directly do something malicious) or for you to install e.g. a bash-based CGI-script with something malicious in it (in which case why don't you just do something directly malicious in that CGI-script)? Any examples of it being used to remotely inject something with the remote system without access/installation?

Fully agree about media reporting on such issues, or not, as the case may be! Media frenzy aside, I don't believe that there is major cause for panic for the home user if their device is from a major manufacturer since most product manufacturers who use the affected operating systems have already supplied patches to fix the issue, if those devices can be updated via the internet. I suspect Linux based systems are in the majority, by far, especially when it comes to larger companies or corporates.

There appear to be real concerns though, as reported by The Register: LINK

In the case of Shellshock, it is also reported, by vendors such as Oracle, that the vulnerability may be exploited without the need for any authentication, so the concern is real, and most have already pushed out patches to address the issue, but some have done so with minimal testing. For example, Oracle have acknowledged that several of their products may be vulnerable, and have pushed out several patches today, but state that they are still investigating the issue, and will push out more patches if, and when, necessary once all testing is complete! So the corporates are taking this issue very seriously.

The danger is if one is using a product from a smaller company that does not have the resources, means or the expertise to track down, fix and provide patches to fix their devices, and I am sure there are plenty of Linux based devices that are hooked up to the internet that fall into this category. Those devices will continue to be vulnerable unless their users are tech savvy and manage to patch their devices themselves.
 