Shellshock Bash bug

prpr

Well-Known Member
Code:
humax# env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
stuff
Seemingly not a problem so far...

Edit: I forgot that was just using sh rather than bash. Installed bash and repeated:
Code:
humax# env X="() { :;} ; echo busted" /mod/bin/bash -c "echo stuff"
busted
stuff

So, not so good if you have bash installed, which I guess most people don't.
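The probe from the post above, wrapped so it can be pointed at several shell paths in one go (an added example, not part of the original thread; the function names and result labels are this example's own choices):

```shell
#!/bin/sh
# Added example: run the probe shown in the post above against a list of shells.
# Function names and result labels are assumptions of this example.

# classify_probe OUTPUT -> "vulnerable" if the text after the function
# definition in X was executed (the probe printed "busted"), else "ok".
classify_probe() {
    case $1 in
        *busted*) echo vulnerable ;;
        *stuff*)  echo ok ;;
        *)        echo unknown ;;   # the binary never ran "echo stuff"
    esac
}

# check_shell PATH -> "missing", "vulnerable", "ok" or "unknown"
check_shell() {
    if [ ! -x "$1" ]; then
        echo missing
        return 0
    fi
    # Same environment variable and command as the probe on this page.
    probe_out=$(env X='() { :;} ; echo busted' "$1" -c 'echo stuff' 2>/dev/null) || true
    classify_probe "$probe_out"
}

# scan_shells PATH... -> one "path: result" line per candidate
scan_shells() {
    for candidate in "$@"; do
        printf '%s: %s\n' "$candidate" "$(check_shell "$candidate")"
    done
}

# Stand-alone use: ./probe.sh /bin/sh /mod/bin/bash
if [ "$#" -gt 0 ]; then
    scan_shells "$@"
fi
```

Pass it the shell paths you want checked, such as the /bin/sh and /mod/bin/bash used above.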
 

rodp

Member
Under what cases / packages might you have bash? Can a list be compiled easily? Also, under what situations would bash be exposed to the internet? I'm thinking https webif access?! Do I need to say eek at this point?!!

Thanks

Rodp
 

af123

Administrator
Staff member
Bash isn't installed as a dependency for anything as far as I know. It certainly isn't used for any CGI scripting either, which is the exploit vector for this.

Now try on your Mac...
I use zsh on my Mac... no problem there!
 

Black Hole

May contain traces of nut
Would somebody mind explaining this to those of us not adept in unix? What would this exploit actually allow hackers to do, and what access would they require in order to exploit it?
 

af123

Administrator
Staff member
For web servers which use bash as a CGI language, the exploit allows an attacker to run arbitrary commands at the shell level with the privileges of the web server.
 

rodp

Member
Hence my 'eek' in post #3!! Need to check my other routers and gadgets - that'll be my job tonight!
 

Mike2

Scrat
Just about every file server and router uses some form of Linux/Unix. Maybe half a billion machines are affected, but do they all have bash on them? I suppose all the Macs have bash installed by default, too, even if the user doesn't use it.

af123, is it only web servers that use bash as a CGI language that are at risk, or any machine that has bash installed and is connected to the internet?
 