Webcast Briefing: Bash Code Injection Vulnerability
I created a quick YouTube video to summarize the impact of the vulnerability. The tricky part is that there is a huge vulnerable population out there, but the impact is limited as in most cases, the vulnerability is not exposed.
Feel free to share the video or the slides. I am making PPT and PDF versions available below.
PDF Version of Slides
PPT Version of Slides (coming soon. not uploaded yet)
Comments
In the presentation it says "Not an issue for clients. It is a server problem", which is not technically correct. From everything I have seen, DHCP client and dhclient is a client problem for this vulnerability.
Anonymous
Sep 25th 2014
1 decade ago
As for the client vs. server: yes, in the DHCP scenario, it is a client problem. But this scenario is less likely to be exploited.
Anonymous
Sep 25th 2014
1 decade ago
It is not just CGI through bash; the vuln hits any CGI that calls system(), open() or popen(). I can confirm that Python and Perl are vulnerable to this and found a couple of gitweb servers that might be exploited.
A sidenote: /bin/sh has to be a symlink to /bin/bash for this to happen, and fortunately Debian is safe, while Red Hat/SLES are vulnerable.
Regards,
markus
Anonymous
Sep 26th 2014
1 decade ago
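Added example (not part of the diary or of any comment in this thread): a triage helper for the condition described in the comment above, reporting what /bin/sh resolves to and which scripts in a CGI directory call system(), popen() or open(). The function names and the sample paths are hypothetical.

```shell
#!/bin/sh
# Added illustration; function names and sample paths are hypothetical.

# sh_target ROOT: name of the binary ROOT/bin/sh finally resolves to.
# ROOT may be "/" or a mounted image. Prints "sh" when /bin/sh is a
# regular file, which then has to be identified by hand.
sh_target() (
    root=${1:-}; root=${root%/}
    path=/bin/sh; hops=0
    while [ -L "$root$path" ] && [ "$hops" -lt 16 ]; do
        link=$(readlink "$root$path")
        case $link in
            /*) path=$link ;;                      # absolute link target
            *)  path=$(dirname "$path")/$link ;;   # relative link target
        esac
        hops=$((hops + 1))
    done
    basename "$path"
)

# shelling_cgis DIR: files under DIR that call system(), popen() or open().
# open() also matches harmless file opens, so hits are review candidates.
shelling_cgis() {
    grep -rlE '(^|[^[:alnum:]_])(system|popen|open)[[:space:]]*\(' "$1" 2>/dev/null | sort
}

# triage ROOT DIR: returns 1 when /bin/sh is bash and candidates exist.
triage() (
    shell=$(sh_target "$1")
    hits=$(shelling_cgis "$2")
    echo "/bin/sh resolves to: $shell"
    [ "$shell" = bash ] && [ -n "$hits" ] || return 0
    printf '%s\n' "$hits" | sed 's/^/REVIEW /'
    return 1
)

# Usage (example paths): triage / /usr/lib/cgi-bin
```

A non-zero return marks a host to prioritize for patching bash; it does not test whether the installed bash is a fixed version.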