Michal Zalewski published more details about the two vulnerabilities he discovered in the aftermath of Shellshock. He used a fuzzer to find both, and has now published PoC exploits for both [1]. To check whether you are vulnerable, Michal points to this test string:
A quick test shows up-to-date OS X, CentOS and Ubuntu as not vulnerable. The first one, CVE-2014-6277, is a more "traditional" use of uninitialized memory. In most cases this will just cause a crash, but it can also be exploited to achieve arbitrary code execution. At its core, this is again due to how functions are parsed from environment variables, so it would be exploitable via HTTP requests. The second one, CVE-2014-6278, is closer to the original Shellshock bug. The PoC exploit posted by Michal is:
Just like the first bug, the parser is confused as to where the function definition ends, and it executes the code in { }. Late last week, a blog post about a similar flaw in Windows suggested to some that the Windows shell is vulnerable as well [2]. The vulnerability is, however, slightly different: it is not passed to other shells spawned from the original one. Also, in Windows it is even less likely than in Unix to have cgi-bin scripts call a shell directly. The only realistic exploit vector in Windows remains environments like cygwin that install bash on Windows.

[1] http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html
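As an added, defender-side example that is not part of this diary or of Michal's post: the script below checks whether the bash on a host still imports function definitions from arbitrary environment variable names (the parsing path all of these bugs live in) or only from the namespaced BASH_FUNC_<name>%% variables that the post-Shellshock patches introduced. It assumes bash is on PATH; the probe variable name shellshock_probe and the function name myfn are made up for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the ISC diary. Probes how this host's bash handles
# function definitions arriving through the environment. A no-op function
# body is used; nothing beyond the definition itself is ever evaluated.

# Assumption: the bash under test is the first one found on PATH.
BASH_BIN=$(command -v bash || true)

# Prints "imported" if a function stored under a plain variable name becomes a
# defined function in a child bash (pre-patch behaviour), "not_imported" if the
# child treats it as an ordinary variable (patched), "no_bash" if bash is absent.
check_function_import() {
    [ -n "$BASH_BIN" ] || { echo no_bash; return; }
    env 'shellshock_probe=() { :; }' "$BASH_BIN" -c \
        'if declare -F shellshock_probe >/dev/null 2>&1; then echo imported; else echo not_imported; fi'
}

# Prints the environment variable name a patched bash uses when it exports a
# function (expected form: BASH_FUNC_myfn%%), so the namespaced scheme is visible.
exported_function_var() {
    [ -n "$BASH_BIN" ] || { echo no_bash; return; }
    "$BASH_BIN" -c 'myfn() { :; }; export -f myfn; env' \
        | sed -n 's/^\(BASH_FUNC_myfn[^=]*\)=.*/\1/p'
}

main() {
    echo "function import from plain variable names: $(check_function_import)"
    echo "exported function variable name: $(exported_function_var)"
}
main
```

On a patched system the first line reports not_imported and the second shows the BASH_FUNC_ prefix; a cygwin bash that still reports imported has not received the fixes.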
Johannes, ISC Handler, Oct 6th 2014
I did a before-and-after cygwin test on three versions of Windows (XP, Vista, 7, each running the 32-bit version of cygwin) and the bash problem seems fixed. I used the "foo=" code shown in the item I am replying to. BEFORE said not patched and AFTER said foo was an unknown command.
Anonymous, Oct 7th 2014