Linux/Apple mac bug
- pre65
- Amstrad Tower of Power
- Posts: 21400
- Joined: Wed Aug 22, 2007 11:13 pm
- Location: North Essex/Suffolk border.
#1 Linux/Apple mac bug
The only thing necessary for the triumph of evil is for good men to do nothing.
Edmund Burke
G-Popz THE easy listening connoisseur. (Philip)
- Cressy Snr
- Amstrad Tower of Power
- Posts: 10582
- Joined: Wed May 30, 2007 12:25 am
- Location: South Yorks.
#2 Re: Linux/Apple mac bug
pre65 wrote: http://www.bbc.co.uk/news/technology-29361794
Last login: Wed Sep 24 20:26:38 on console
xxxxxxxxxxxMacMini:~ steve$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
xxxxxxxxxxxxxMacMini:~ steve$
xxxxxxxxxxxxxMacMini:~ steve$
(My xs)
Oh dear
Oh well, nothing to be done except wait for the Apple security update.
No web services are running on my Mac (I hope)
Sgt. Baker started talkin’ with a Bullhorn in his hand.
- jack
- Thermionic Monk Status
- Posts: 5504
- Joined: Wed Dec 29, 2010 8:58 pm
- Location: ɐılɐɹʇsnɐ oʇ ƃuıʌoɯ ƃuıɹǝpısuoɔ
- Contact:
#3
"in the trade" we've been looking at this (aka. "ShellShock") for a few days now - all versions of Bash up to current are affected - there is no escape.
Luckily, our production sites are not exposed, but it's going to cause a world of pain out there.
The main problem is that it's far easier than HeartBleed to exploit, and also far far more flexible - HeartBleed "only" allowed you to trawl through the in-memory data of the target server and maybe you'd find some usernames and unencrypted passwords or session/private RSA keys.
The problem with ShellShock is that you can do pretty much anything you want on the target server. It's a free pass to mayhem.
Ho, hum...
Vivitur ingenio, caetera mortis erunt
- pre65
- Amstrad Tower of Power
- Posts: 21400
- Joined: Wed Aug 22, 2007 11:13 pm
- Location: North Essex/Suffolk border.
#4
Steve, I hope your Apple update is less painful than the recent I phone fiasco.
The only thing necessary for the triumph of evil is for good men to do nothing.
Edmund Burke
G-Popz THE easy listening connoisseur. (Philip)
- Cressy Snr
- Amstrad Tower of Power
- Posts: 10582
- Joined: Wed May 30, 2007 12:25 am
- Location: South Yorks.
#5
pre65 wrote: Steve, I hope your Apple update is less painful than the recent iPhone fiasco.
I don't own an iPhone; will never own an iPhone.
I very reluctantly own a mobile phone, but nobody rings me, because I never give out my number.
I don't want to be contactable.
Cellphones....worst bloody thing ever to be invented.
Some stupid cow walked straight into me this morning whilst I was walking the dog. She was texting of course, not looking where she was going and the kid she had in tow was playing a game on a tablet and he wasn't looking where he was going either.
I couldn't give a fook about iPhones
Sgt. Baker started talkin’ with a Bullhorn in his hand.
- jack
- Thermionic Monk Status
- Posts: 5504
- Joined: Wed Dec 29, 2010 8:58 pm
- Location: ɐılɐɹʇsnɐ oʇ ƃuıʌoɯ ƃuıɹǝpısuoɔ
- Contact:
#6
This is what I sent to all our staff yesterday:
EDIT: This is being actively used in the wild already - a botnet was discovered within hours of the announcement - cunningly, it uses wget or curl to download the botnet precursor, does a chmod 777, then executes the downloaded code to subvert the host and add it to the botnet.
Introduction
Many of you will have read about this in the press. For those that haven’t, the simple summary is that the Bash shell that is used to execute CGI requests on most of the world’s web servers has had a huge and easily-exploitable hole in it for 20 years. As everyone uses the same version of the Unix toolchain, everyone uses the same “Bash” and thus all Unix-based systems are equally vulnerable.
It's rated as being far worse in real terms than the “HeartBleed” SSL issue, in that rather than “just” being able to trawl the memory space of the remote web server for username/password combos or private RSA keys, you can basically do what you like - you can execute arbitrary commands in the context of the remote shell – it’s really easy/trivial to exploit this bug – examples in the link below.
RedHat have probably the most concise description of this issue – see https://securityblog.redhat.com/2014/09 ... on-attack/
Note that the fix that was originally posted was incomplete – a new fix is yet to be delivered.
How does this affect me?
Possibly a lot, in that sites that you access and which have your data stored on them may well be completely open to attack. If you run your own web sites (nearly all run some variant of Linux), you should replace your Bash as soon as an approved fix is available.
However, there is nothing you, as a client browser, can do to lessen your chances of being indirectly affected by such an attack – it's server-side only and therefore up to each Unix-based website that used Bash-based CGI scripting to implement the fixes ASAP, or to simply disable Bash CGI until the fix is made.
Nick
Last edited by jack on Fri Sep 26, 2014 10:59 am, edited 1 time in total.
Vivitur ingenio, caetera mortis erunt
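The memo above says the hole is server-side and reached through Bash-based CGI, where a web server hands every request header to the CGI script as an environment variable. A site owner who cannot patch immediately still wants to know whether anyone has been poking at them, so here is an added example (not from the thread or from any of the posters) that scans Apache combined-format access log lines for the "() {" function-definition prefix in the request line, referer and user agent, including percent-encoded forms. The log lines are constructed samples; the probe string is the harmless test from Steve's post.

```python
import re
import urllib.parse

# Constructed sample lines in Apache "combined" format (not taken from any real server).
# Line 1 carries the thread's harmless probe in the User-Agent; line 2 carries a
# percent-encoded copy in the query string; line 3 is ordinary browser traffic whose
# "(KHTML, like Gecko)" parentheses must not trigger a false positive.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:12:01 +0100] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.4 - - [25/Sep/2014:10:12:05 +0100] "GET /cgi-bin/status.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Sep/2014:10:13:44 +0100] "GET /index.html HTTP/1.1" 200 8192 "http://example.invalid/" "Mozilla/5.0 (Macintosh) AppleWebKit/537 (KHTML, like Gecko)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Bash only imports a function when the value starts with "() {"; the looser
# whitespace here is deliberate so near-misses from scanners are still logged.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def decode_layers(value, max_rounds=3):
    """Peel repeated percent-encoding so double-encoded probes still surface."""
    current = value
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def field_hits(fields):
    """Return the names of fields whose raw or decoded value carries the prefix."""
    return [name for name, value in fields.items()
            if SHELLSHOCK_RE.search(value) or SHELLSHOCK_RE.search(decode_layers(value))]


def scan_log(text):
    """Yield one finding per log line that carries a function-definition prefix."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real deployment should count these too
        hits = field_hits({k: m.group(k) for k in ("request", "referer", "agent")})
        if hits:
            findings.append({"line": lineno, "ip": m.group("ip"), "fields": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} probe in {', '.join(f['fields'])}")
```

Any hit is worth checking against the CGI script it targeted, because the server's response code says nothing about whether the function definition was imported.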
- Dave the bass
- Amstrad Tower of Power
- Posts: 12276
- Joined: Tue May 22, 2007 4:36 pm
- Location: NW Kent, Darn Sarf innit.
#7
nickds1 wrote: ... cunningly, it uses wget or curl to download the botnet precursor, does a chmod 777, then executes the downloaded code to subvert the host and add it to the botnet.
I thought it might.
"The fat bourgeois and his doppelganger"
- The Stratmangler
- Shed dweller
- Posts: 2893
- Joined: Fri Aug 24, 2007 1:50 pm
- Location: Rossendale, Lancashire
#8
My son's school pushed through an iPad scheme for teaching in the classroom.
They even managed to get the support of the majority of parents, who actually pay a not inconsiderable amount of money towards the scheme.
I refused to participate.
The business world doesn't generally use Apple product, so there's little software wise to help my son.
There is plenty of IT equipment and software here at home for him to produce work for school.
With this iOS8 update fiasco there are huge numbers of iPads now not doing what they're supposed to be doing.
Huge amounts of stored files containing the work of students have disappeared because they were stored on the iPads.
I'm not laughing, because it isn't funny, but my son has been relieved of the stress of having large amounts of his work lost, which is something I am grateful for.
My son's work is largely on paper.
I wonder how long it's going to be before the school drops the iPad as a teaching tool?
Chris
- shane
- Social outcast
- Posts: 3405
- Joined: Sun Sep 16, 2007 12:09 pm
- Location: Kept in a cool dry place.
#9
One of the less well noted effects of iOS8 is that, if two devices are registered using the same Apple ID, a phonecall to one can make either or both of them ring. One customer with two iP6s and two iP5s found that all incoming calls made all four ring. One of my colleagues was bemused to discover that all calls coming into his iPhone were being diverted to his iPad. It's quite difficult to answer an iPad when it rings...
The world looks so different after learning science. For example, trees are made of air, primarily. When they are burned, they go back to air, and in their flaming heat is released the flaming heat of the Sun which was bound in to convert air into tree.
#10
My Fedora box was patched this morning, the hack's 'proof of concept' shown by Steve (and widely available elsewhere) now seems to be caught correctly and I get "ignoring function definition attempt" and "error importing function definition for 'xxxx'".
Someone asked me if the Linksys router family is vulnerable, as you may know many of these boxes run a variant of Linux and so the question is very pertinent.
Thankfully, as far as I understand it, most routers use a cut down version of a shell named 'ash' which is part of busybox and I can't seem to make mine do anything worrying with spurious function definitions when I get a shell up via remote login.
If you are concerned, it might be worthwhile checking your own router/NAS etc (many run Linux) if you can and know how, especially if it can be accessed, like a router could, from the wider Internet.
Andrew
Analogue, the lost world that lies between 0 and 1.
- jack
- Thermionic Monk Status
- Posts: 5504
- Joined: Wed Dec 29, 2010 8:58 pm
- Location: ɐılɐɹʇsnɐ oʇ ƃuıʌoɯ ƃuıɹǝpısuoɔ
- Contact:
#11
Andrew wrote: If you are concerned, it might be worthwhile checking your own router/NAS etc (many run Linux) if you can and know how, especially if it can be accessed, like a router could, from the wider Internet.
"ash" and "bash" are not related - they have different origins and different authors - systems based on "ash" should be safe (from this bug, at least!).
Vivitur ingenio, caetera mortis erunt