[Haifux] The Bash vulnerability (shellshock)
Guy Edri
guy at pclabs.co.il
Sat Sep 27 22:42:58 IDT 2014
Hey Eli.
http://www.tripwire.com/state-of-security/off-topic/shell-shocked-bash-bug-detection-tools-cve-2014-6271/
http://shellshocktest.com/
https://github.com/mubix/shellshocker-pocs
enjoy your PT with all those tools.
On Sat, Sep 27, 2014 at 11:37 AM, boazg <boaz.gezer at gmail.com> wrote:
> try it with DHCP instead
>
> https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
>
> On Sat, Sep 27, 2014 at 11:36 AM, boazg <boaz.gezer at gmail.com> wrote:
>
>> you need to find a vulnerable site. CGI doesn't have to pass through
>> bash. you need a site that opens a subshell for something. they aren't
>> uncommon, but it's not every linux-CGI site.
>>
>> On Fri, Sep 26, 2014 at 2:33 PM, Eli Billauer <eli at billauer.co.il> wrote:
>>
>>> Hi,
>>>
>>> I did
>>>
>>> # yum upgrade bash
>>>
>>> on Haifux' server, and it's off the hook. But I was also surprised that
>>> the attack failed even before that.
>>>
>>> Eli
>>>
>>>
>>> On 26/09/14 12:39, guy keren wrote:
>>>
>>>> On 09/26/2014 12:30 PM, Eli Billauer wrote:
>>>>
>>>>> env x='() { :;}; echo vulnerable' bash -c 'echo This is a test'
>>>>>
>>>>
>>>> you're too late - there's a (partial?) fix being distributed around...
>>>>
>>>> --guy
>>>> _______________________________________________
>>>> Haifux mailing list
>>>> Haifux at haifux.org
>>>> http://haifux.org/mailman/listinfo/haifux
>>>>
>>>>
>>>
>>> --
>>> Web: http://www.billauer.co.il
--
Regards,
Guy Edri
Office: 227799 - 048
Mobile: 2121313 - 054
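An added example, not part of the original thread: a POSIX shell check that scans a web server access log for the function-definition prefix `() {` used in the test string quoted above, so an administrator can see which requests carried it and how the server answered. The log lines are constructed, and the function names and the Apache "combined" log layout are assumptions.

```shell
#!/bin/sh
# Added example: find access-log lines carrying the bash function-definition
# prefix "() {" (the prefix of the test string quoted in the thread).

# Constructed sample log, Apache "combined" format (assumed layout).
# Addresses are RFC 5737 documentation ranges; none of this is real traffic.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [27/Sep/2014:10:01:02 +0300] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Sep/2014:10:02:11 +0300] "GET /cgi-bin/status HTTP/1.1" 404 209 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [27/Sep/2014:10:02:12 +0300] "GET /cgi-bin/test.cgi HTTP/1.1" 200 31 "() { :;}; echo vulnerable" "-"
203.0.113.5 - - [27/Sep/2014:10:05:40 +0300] "GET /cgi-bin/test.cgi HTTP/1.1" 200 31 "-" "curl/7.30.0"
EOF
}

# Print "<client> <status> <path>" for every line containing the prefix.
# A 200 on a CGI path deserves a closer look than a 404: the request reached
# a handler, although (as the thread notes) the handler need not involve bash.
shellshock_probes() {
    awk 'index($0, "() {") {
        # Split on double quotes: q[2] is the request line,
        # q[3] is " status bytes ".
        n = split($0, q, "\"")
        if (n < 3) next
        split(q[2], req, " ")
        split(q[3], st, " ")
        print $1, st[1], req[2]
    }' "$1"
}

# Summarise as "<count> <client>", busiest source first.
shellshock_probe_sources() {
    shellshock_probes "$1" |
        awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' |
        sort -rn
}

# Demo run on the constructed log.
log=$(mktemp) && write_sample_log "$log"
shellshock_probes "$log"
shellshock_probe_sources "$log"
rm -f "$log"
```

A match only shows that a request carried the prefix; whether the host was affected still depends on the installed bash and on whether the handler spawns a shell.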