Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Webcast Briefing: Bash Code Injection Vulnerability - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Webcast Briefing: Bash Code Injection Vulnerability

I created a quick Youtube video to summarize the impact of the vulnerability. The tricky part is that there is a huge vulnerable population out there, but the impact is limited as in most cases, the vulnerability is not exposed.

Feel free to share the video or the slides. I am making PPT and PDF versions available below

PDF Version of Slides
PPT Version of Slides (coming soon. not uploaded yet)

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022

 Johannes

4511 Posts
ISC Handler
Sep 25th 2014
Thread locked Subscribe Sep 25th 2014
7 years ago
Possible error in presentation:

In presentation it says "Not an issue for clients. It is a server problem" which is not technically correct. From everything I have seen DHCP client and dhclient is a client problem for this vulnerability.
 NoLemmingsPlease

5 Posts
Quote Sep 25th 2014
7 years ago
Can you provide the link to the video?
 NoLemmingsPlease
4 Posts
Quote Sep 25th 2014
7 years ago
added video link. Sorry for missing that earlier.

As for the client vs. server: yes, in the DHCP scenario, it is a client problem. But this scenario is less likely to be exploited.
 Johannes

4511 Posts
ISC Handler
Quote Sep 25th 2014
7 years ago
Well, I'd mention that although this is not meant for clients, the side-effect on this would be to attack through a legit site for whatever reason, say serving adware/malware/APT campaigns... So the end of this may have a much deeper impact on clients thinking they're doing "safe" browsing. Nasty vuln in the end... Thx for the video, great stuff
 Johannes
1 Posts
Quote Sep 26th 2014
7 years ago
your slide are missing one critical point:
it is not just CGI though bash, the vuln hits any CGI that calls system() opne() or popen(). i can confirm that python and perl are vulnerable to this and found as couple of gitweb-server that might be exploited.

a sidenote: /bin/sh has to be a symlink to /bin/bash for this to happen, and fortunately debian is safe, while redhat/sles are vulnerable.


regards,

markus
 Johannes
5 Posts
Quote Sep 26th 2014
7 years ago
I suspect that windows clients with Cygwin may end up a being an end user issue. http://cygwin.com/packages/
 Johannes
2 Posts
Quote Sep 26th 2014
7 years ago
I'm wondering also about MAMP for Windows, http://www.mamp.info/en/mamp_windows.html. Btw MAMP for MAC OS is Vulnerable.
 mascalz1

1 Posts
Quote Sep 29th 2014
7 years ago

Sign Up for Free or Log In to start participating in the conversation!