Shellshock Bash bug

prpr

prpr

Well-Known Member
Code: 
humax# env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
stuff
Seemingly not a problem so far...

Edit: I forgot that was just using sh rather than bash. Installed bash and repeated:
Code: 
humax# env X="() { :;} ; echo busted" /mod/bin/bash -c "echo stuff"
busted
stuff

So, not so good if you have bash installed, which I guess most people don't.
 
Last edited:
OP
R

rodp

Member
under what cases / packages might you have bash? can a list be compiled easily? Also, under what situations would bash be exposed to the internet? I'm thinking https webif access?! do I need to say eek at this point?!!

Thanks

Rodp
 
af123

af123

Administrator
Staff member
Bash isn't installed as a dependency for anything as far as I know. It certainly isn't used for any CGI scripting either, which is the exploit vector for this.

Mike0001 said:
Now try on your Mac...
Click to expand...
I use zsh on my mac.. no problem there!
 
Black Hole

Black Hole

May contain traces of nut
Would somebody mind explaining this to those of us not adept in unix? What would this exploit actually allow hackers to do, and what access would they require in order to exploit it?
 
af123

af123

Administrator
Staff member
For web servers which use bash as a CGI language, the exploit allows an attacker to run arbitrary commands at the shell level with the privileges of the web server.
 
OP
R

rodp

Member
hence my 'eek' in post #3!! Need to check my other routers and gadgets- that'll be my job tonight!
 
D

Deleted member 473

Just about every file server and router uses some form of Linux/Unix. Maybe half a billion machines are affected, but do they all have bash on them? I suppose all the Macs have bash installed by default, too, even if the user doesn't use it.

af123, is it only web servers that use bash as a CGI language that are at risk, or any machine that has bash installed and is connected to the internet?
 
You must log in or register to reply here.
Top