oss-sec mailing list archives
Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code
From: Jose R R <Jose.r.r () metztli-it com>
Date: Sun, 5 Oct 2014 04:38:15 -0700
Hanno,

< https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck >

I've downloaded your bash test script and executed it against a Debian 7 (Wheezy)-patched system (upper image) as well as a local Debian Sid (unstable) build of bash where I applied the October 02, 2014, bash43-029 (bottom image)

< https://pbs.twimg.com/media/BzLfeIICQAA30vb.png:large >

Thus agreeing with Sona:

"but I think what most (non-expert) people need is an explanation for each CVE, a set of test cases from some reliable source (preferably a script that runs all test cases and shows vulnerable/not-vulnerable status) and a set of patches. So that they can apply the patches, run the tests and assert that their systems are not vulnerable to shellshock anymore."

On Sun, Oct 5, 2014 at 3:51 AM, Hanno Böck <hanno () hboeck de> wrote:
On Sun, 5 Oct 2014 10:22:06 +0000, Sona Sarmadi <sona.sarmadi () enea com> wrote:

3) Do you have a script or summary of all tests in one place like http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 or https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck ? Or maybe these are good enough & reliable?

This is my script and I think what it does in the current version is the reasonable thing to do: It will first test if function importing old style is enabled and if yes it will warn about that, if it is disabled or any of the prefixing solutions is enabled then it will say so. All further test outputs for all 6 CVEs depend on that.

If the old function import is enabled warnings will be shown in red, because then people are in real danger. If function importing is disabled or prefixed the warnings will look less scary and clearly state "non-exploitable".

I think this is reasonable. I regret that previous versions of my script showed a more scary output even if people weren't really in any danger because prefixing was already enabled.

It was even referenced in a number of inaccurate media reports.

--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno () hboeck de
GPG: BBB51E42
Best Professional Regards.

--
Jose R R
http://www.metztli-it.com
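
Added example (not part of the thread and not code from bashcheck): a sketch of the gating described in the quoted message, where the wording of every later test result depends on whether this bash still imports functions from ordinary environment variables. The name probe_fn, the mode labels and the sample finding are made up for the illustration.

```sh
#!/bin/sh
# Added example: gate the severity of later findings on how the local bash
# imports functions from the environment. probe_fn and the labels are made up.

# Print one of: plain | mangled | disabled | nobash
classify_func_import() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo nobash; return 0; }

    # 1. Old-style import: put a harmless function definition in an ordinary
    #    variable. If bash makes it callable, old-style import is enabled.
    out=$(env probe_fn='() { echo imported; }' "$bash_bin" -c probe_fn 2>/dev/null) || true
    if [ "$out" = imported ]; then echo plain; return 0; fi

    # 2. Export a function and read back the variable name bash used for it.
    #    A name other than the plain one means a prefix/suffix scheme is active.
    name=$("$bash_bin" -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null |
        sed -n '/probe_fn/{s/=.*//p;q;}') || true
    case $name in
        ''|probe_fn) echo disabled ;;
        *)           echo mangled ;;
    esac
}

# Word a failed follow-up test according to the import mode.
report_finding() {
    mode=$1 label=$2
    case $mode in
        plain)            echo "VULNERABLE: $label (function import from ordinary variables is on)" ;;
        mangled|disabled) echo "non-exploitable: $label (function import is $mode)" ;;
        *)                echo "unknown: $label (no bash to test)" ;;
    esac
}

# Demo with a constructed finding; set BASH_BIN to test another bash binary.
mode=$(classify_func_import "${BASH_BIN:-bash}")
echo "function import mode: $mode"
report_finding "$mode" "constructed parser-test failure"
```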