oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code

From: Jose R R <jose.r.r () metztli com>
Date: Mon, 6 Oct 2014 01:06:23 -0700
This shows that your two systems are not vulnerable.



A "vulnerable but non-exploitable" condition doesn't actually exist.
It only means there's a non-security bug that would have been a security
bug under different circumstances (which is why it got a CVE ID).


Indeed, Solar, input appreciated.

*all* the bash patches, including the latest ones (bash43-030 released
on Oct. 05, 2014, in this particular instance <
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/ >) are included in a:

git clone git://git.savannah.gnu.org/bash.git

And then proceeding to build bash locally...


Thus agreeing with Sona:



This shows the widespread confusion.


There is no more confusion. Snapshot below shows local build of bash
with your one-liner test at the end:

https://pbs.twimg.com/media/BzP42tHCcAEEvHP.png:large

On Sun, Oct 5, 2014 at 7:02 AM, Solar Designer <solar () openwall com> wrote:

On Sun, Oct 05, 2014 at 04:38:15AM -0700, Jose R R wrote:

Hanno,

< https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck >

I've downloaded your bash test script and executed it against a Debian
7 (Wheezy) -patched system (upper image)

as well as a local Debian Sid (unstable) build of bash where I applied
the October 02, 2014, bash43-029 (Bottom image)

< https://pbs.twimg.com/media/BzLfeIICQAA30vb.png:large >


This shows that your two systems are not vulnerable.

A "vulnerable but non-exploitable" condition doesn't actually exist.
It only means there's a non-security bug that would have been a security
bug under different circumstances (which is why it got a CVE ID).


Thus agreeing with Sona:


This shows the widespread confusion.


"but I think what most (non-expert) people
need is an explanation for each CVE, a set of test case from some
reliable source (preferably a script that runs all test cases and
shows vulnerable/not-vulnerable status) and a set of patches. So that
they can apply the patches, run the tests and assert that their
systems are not vulnerable to shellshock anymore."


You only need the one-liner test from my reply to Sona:

http://www.openwall.com/lists/oss-security/2014/10/05/7

testfunc='() { echo bad; }' bash -c testfunc

(Besides, tests for some of those CVEs can't be made reliable anyway.)

Alexander


Best Professional Regards

-- 
Jose R R
http://www.metztli-it.com
---------------------------------------------------------------------------------------------
NEW Apache OpenOffice 4.1.1! Download for GNU/Linux, Mac OS, Windows.
---------------------------------------------------------------------------------------------
Daylight Saving Time in USA & Canada ends: Sunday, November 02, 2014
---------------------------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: