oss-sec mailing list archives
Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code
From: Solar Designer <solar () openwall com>
Date: Sun, 5 Oct 2014 19:43:21 +0400
On Sun, Oct 05, 2014 at 10:55:14AM -0400, David A. Wheeler wrote:
> On Sun, 5 Oct 2014 17:44:15 +0400, Solar Designer <solar () openwall com> wrote:
> > Here's the relevant test:
> >
> > testfunc='() { echo bad; }' bash -c testfunc
>
> This is a MUCH better test for most people. Hanno's test script is great for detail, but most people don't need the detail.
>
> I'm putting that email in my timeline at http://www.dwheeler.com/essays/shellshock.html#timeline - this is an EASY test people can directly use.

I think you're exaggerating my contribution when crediting me for this simple test, and it's not that new either - I previously included it in:

http://www.openwall.com/lists/oss-security/2014/09/29/1

and Michal included it in:

http://lists.openwall.net/full-disclosure/2014/10/01/11

(I linked to Paul Vixie's reply here because it specifically focuses on this test rather than on the rest of Michal's lengthy posting.)

As to your timeline, you may add:

Mon, 22 Sep 2014 07:16:35 +0200 - notification by Florian Weimer to the (private, PGP-re-encrypting) distros list, with no detail and an offer to request detail from the Debian security team. Specifically, the message had "CVE-2014-6271 in bash" as the Subject and it said only:

"At 2014-09-24 14:00 UTC, we are going to disclose a significant security vulnerability in bash. Please contact the Debian security team at <team () security debian org> to receive details and upstream patches. Today, this alias will be staffed at least until 21:00 UTC (13:00 PDT)."

(Personally, I chose to wait 2 days until public disclosure, so I did not request the detail on behalf of Openwall.)

September 25, 2014 5:41 PM (unclear timezone) - Antti Louko suggests in a comment on Bruce Schneier's blog how bash could be binary-patched, but provides no analysis as to why this works (so it was likely unclear and not convincing to readers), nor a specific way to apply the patch.

September 27, 2014 7:06 AM (unclear timezone) - Antti Louko posts "a simple Python script to make the patch", still without analysis.

I mentioned the above two comments in:

http://www.openwall.com/lists/oss-security/2014/09/29/6

And if you really want to credit me for anything, then:

4:36 PM - 28 Sep 2014 (unclear timezone) - @solardiz [hey, that's me] tweeted a one-liner bash binary patch, which turned out to be patching bash in the same way as Antti Louko had suggested:

https://twitter.com/solardiz/status/516370924426514433

Mon, 29 Sep 2014 04:44:05 +0400 - oss-security posting on the above, including analysis of why it works and what risks are involved.

http://www.openwall.com/lists/oss-security/2014/09/29/1

Alexander
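
The one-line test quoted at the top of this message, wrapped so it can be run against every bash on a host. This is an added example, not part of the original posting or of any poster's code; the names check_bash and audit_bashes and the three-way verdict are assumptions of the example.

```shell
#!/bin/sh
# Added example. Names check_bash/audit_bashes are assumptions of this sketch.
# A bash that imports function definitions from ordinarily named environment
# variables runs testfunc and prints "bad"; otherwise testfunc is just an
# unknown command (exit status 127).

# check_bash PATH: 0 = not imported, 1 = imported, 2 = inconclusive.
check_bash() {
    shell=$1
    [ -x "$shell" ] || { echo "inconclusive: $shell is not executable"; return 2; }
    status=0
    # env -i gives the shell an environment holding only the test variable.
    out=$(env -i testfunc='() { echo bad; }' "$shell" -c testfunc 2>/dev/null) ||
        status=$?
    if [ "$out" = "bad" ]; then
        echo "IMPORTS: $shell ran a function taken from variable testfunc"
        return 1
    elif [ "$status" -eq 127 ] && [ -z "$out" ]; then
        echo "ok: $shell left testfunc as a plain string"
        return 0
    fi
    echo "inconclusive: $shell exit=$status output=$out"
    return 2
}

# audit_bashes: check each bash in /etc/shells or on PATH; 1 if any imports.
audit_bashes() {
    worst=0
    for b in $( { grep -E '^/.*/bash$' /etc/shells 2>/dev/null
                  command -v bash; } | sort -u ); do
        verdict=0
        check_bash "$b" || verdict=$?
        if [ "$verdict" -eq 1 ]; then worst=1; fi
    done
    return "$worst"
}

if [ "${1:-}" = "--audit" ]; then audit_bashes; fi
```

Run it with `--audit` to check each bash the host lists; a nonzero exit status means at least one of them still imported the function.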