oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code

From: Solar Designer <solar () openwall com>
Date: Sun, 5 Oct 2014 18:02:16 +0400
On Sun, Oct 05, 2014 at 04:38:15AM -0700, Jose R R wrote:

Hanno,

< https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck >

I've downloaded your bash test script and executed it against a Debian
7 (Wheezy) -patched system (upper image)

as well as a local Debian Sid (unstable) build of bash where I applied
the October 02, 2014, bash43-029 (Bottom image)

< https://pbs.twimg.com/media/BzLfeIICQAA30vb.png:large >


This shows that your two systems are not vulnerable.

A "vulnerable but non-exploitable" condition doesn't actually exist.
It only means there's a non-security bug that would have been a security
bug under different circumstances (which is why it got a CVE ID).


Thus agreeing with Sona:


This shows the widespread confusion.


"but I think what most (non-expert) people
need is an explanation for each CVE, a set of test case from some
reliable source (preferably a script that runs all test cases and
shows vulnerable/not-vulnerable status) and a set of patches. So that
they can apply the patches, run the tests and assert that their
systems are not vulnerable to shellshock anymore."


You only need the one-liner test from my reply to Sona:

http://www.openwall.com/lists/oss-security/2014/10/05/7

testfunc='() { echo bad; }' bash -c testfunc

(Besides, tests for some of those CVEs can't be made reliable anyway.)

Alexander
Previous By Date Next
Previous By Thread Next

Current thread: