[Cialug] Shellshock Bash Remote Code Execution Vulnerability
Thomas Kula
kula at tproa.net
Thu Sep 25 09:43:33 CDT 2014
On Thu, Sep 25, 2014 at 09:34:39AM -0500, Sean Flattery wrote:
> If you haven't heard yet, yesterday they announced a huge bug in bash that
> allows attacker to remotely execute any bash commands without
> authentication. Any service that calls to Bash can be abused to run
> arbitrary commands.
>
> You can test this locally by running the following:
>
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>
> If Bash echoes out the word vulnerable, you're at risk. For a good writeup
> see this article:
> http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
FYI, the first patch was incomplete, pay attention to
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 for
details on that.
--
Thomas L. Kula | kula at tproa.net | http://kula.tproa.net/
More information about the Cialug
mailing list