oss-sec mailing list archives
Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code
From: Jose R R <jose.r.r () metztli com>
Date: Mon, 6 Oct 2014 01:06:23 -0700
> This shows that your two systems are not vulnerable.
>
> A "vulnerable but non-exploitable" condition doesn't actually exist. It only means there's a non-security bug that would have been a security bug under different circumstances (which is why it got a CVE ID).
Indeed, Solar, input appreciated. *All* the bash patches, including the latest ones (bash43-030 released on Oct. 05, 2014, in this particular instance < http://ftp.gnu.org/gnu/bash/bash-4.3-patches/ >) are included in a:

git clone git://git.savannah.gnu.org/bash.git

And then proceeding to build bash locally...
> Thus agreeing with Sona:
>
> This shows the widespread confusion.
There is no more confusion. Snapshot below shows local build of bash with your one-liner test at the end:
https://pbs.twimg.com/media/BzP42tHCcAEEvHP.png:large

On Sun, Oct 5, 2014 at 7:02 AM, Solar Designer <solar () openwall com> wrote:
> On Sun, Oct 05, 2014 at 04:38:15AM -0700, Jose R R wrote:
> > Hanno,
> > < https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck >
> > I've downloaded your bash test script and executed it against a Debian 7 (Wheezy) -patched system (upper image) as well as a local Debian Sid (unstable) build of bash where I applied the October 02, 2014, bash43-029 (Bottom image)
> > < https://pbs.twimg.com/media/BzLfeIICQAA30vb.png:large >
>
> This shows that your two systems are not vulnerable.
>
> A "vulnerable but non-exploitable" condition doesn't actually exist. It only means there's a non-security bug that would have been a security bug under different circumstances (which is why it got a CVE ID).
>
> Thus agreeing with Sona:
>
> This shows the widespread confusion.
>
> "but I think what most (non-expert) people need is an explanation for each CVE, a set of test case from some reliable source (preferably a script that runs all test cases and shows vulnerable/not-vulnerable status) and a set of patches. So that they can apply the patches, run the tests and assert that their systems are not vulnerable to shellshock anymore."
>
> You only need the one-liner test from my reply to Sona:
>
> http://www.openwall.com/lists/oss-security/2014/10/05/7
>
> testfunc='() { echo bad; }' bash -c testfunc
>
> (Besides, tests for some of those CVEs can't be made reliable anyway.)
>
> Alexander
Best Professional Regards
--
Jose R R
http://www.metztli-it.com
NEW Apache OpenOffice 4.1.1! Download for GNU/Linux, Mac OS, Windows.
Daylight Saving Time in USA & Canada ends: Sunday, November 02, 2014
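Added example, not code from this thread: Solar's one-liner above wrapped in a POSIX shell function that runs it in a clean environment and turns the outcome into an exit status, which is the shape a "shows vulnerable/not-vulnerable status" script as Sona describes needs. The function names and the optional path-to-bash argument are my own; the probe itself is exactly the one quoted above.

```shell
#!/bin/sh
# Exit status of shellshock_check:
#   0  bash left "testfunc" undefined: functions are no longer imported
#      from arbitrary environment variable names (fixes present)
#   1  bash printed "bad": the function was imported from a plain
#      variable name, so this bash still has the function-import bug
#   2  bash could not be found or run
shellshock_check() {
    # Optional argument (my addition): path to the bash to test,
    # e.g. a locally built one, defaulting to the bash on PATH.
    bash_path=$(command -v "${1:-bash}" 2>/dev/null) || return 2
    [ -x "$bash_path" ] || return 2
    # env -i: the only environment variable is the probe, whose *name* is
    # the command we then try to run. A fixed bash reports "command not
    # found" (discarded); an unfixed one defines the function and runs it.
    out=$(env -i testfunc='() { echo bad; }' "$bash_path" -c testfunc 2>/dev/null)
    case "$out" in
        *bad*) return 1 ;;
        *)     return 0 ;;
    esac
}

# Human-readable wrapper around the exit status.
shellshock_status() {
    rc=0
    shellshock_check "$@" || rc=$?
    case $rc in
        0) echo "not vulnerable: function import from plain names disabled" ;;
        1) echo "VULNERABLE: function imported from a plain environment variable" ;;
        *) echo "bash not found or not executable" ;;
    esac
    return $rc
}

shellshock_status "$@"
```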