33 Years of the Digest ... founded August 21, 1981
Copyright © 2014 E. William Horne. All Rights Reserved.

The Telecom Digest for Oct 5, 2014
Volume 33 : Issue 175 : "text" Format
Messages in this Issue:
Re: Shellshock fixes beget another round of patches as attacks mount (Garrett Wollman)

Frequently the more trifling the subject, the more animated and protracted the discussion.  - Franklin Pierce

See the bottom of this issue for subscription and archive details.

Date: Sat, 4 Oct 2014 05:31:47 +0000 (UTC)
From: wollman@bimajority.org (Garrett Wollman)
To: telecomdigestsubmissions.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Shellshock fixes beget another round of patches as attacks mount
Message-ID: <m0o0o3$2nol$1@grapevine.csail.mit.edu>

In article <pan.2014.10.03.23.37.07.580941@NOSPAM.yahoo.com.au>,
David Clayton <dc33box-usenet2@NOSPAM.yahoo.com.au> wrote:

>The only effective way of "disabling" bash is to rename the
>binary. If the entry vector code being exploited is explicitly
>calling /bin/bash then just changing it as the default shell for
>login won't do anything.

The systems where this bug is actually a vulnerability (i.e., remotely
exploitable) are, in the main, GNU/Linux and Mac OS systems where
"sh"[1] happens to be bash. It did not affect, for example, FreeBSD
systems or modern Debian systems unless their administrators foolishly
replaced their standard "sh" (generally a variant of the Almquist
shell) with bash, or a remotely exploitable path was provided to a
script that explicitly invoked bash.[2]

>The systems like desktop/server Linux that are kept patched and up to
>date will be ok, it is all those devices with Linux firmware and a
>web interface that rarely (if ever) get updated that may be at risk
>of permanent exploitation if they have any external ports available
>to attack. That means most home/small business grade Internet facing
>modems/routers etc. and that is what scares me!

Many (but by no means all) such systems do not use bash as their
standard shell, although they are probably exploitable in numerous
other ways.

-GAWollman

[1] The Standard (IEEE Std. 1003.1-2008) does not specify the pathname
of the shell or any other utility. Traditionally it's /bin/sh, but many
commercial Unix systems shipped a historic (non-standard) Bourne shell
as /bin/sh and put the standard shell at some other pathname, such as
/usr/xpg4/bin/sh; the standard permits implementations to do this, so
long as they document the search path required to find the standard
utilities. For this reason, the #! hack has never been standardized.

[2] Thwap!
Garrett A. Wollman
wollman@bimajority.org
Opinions not shared by
my employers.
What intellectual phenomenon can be older, or more oft
repeated, than the story of a large research program
that impaled itself upon a false central assumption
accepted by all practitioners? - S.J. Gould, 1993
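An added shell example, not part of Wollman's post or the Digest: it checks whether a given "sh" is really bash and lists scripts whose #! line invokes bash explicitly, the two exposure paths the post distinguishes. The function names and the sample script directory are my own constructions.

```shell
#!/bin/sh
# Added example (not from the Digest). Inventories the two exposure paths the
# post describes: (1) an "sh" that is really bash, (2) scripts whose #! line
# names bash explicitly, which stay exposed even when /bin/sh is not bash.

# Classify the shell at path $1 as "bash", "other" or "absent". The version
# banner is used rather than the file name because /bin/sh is often a
# symlink or a renamed copy.
identify_shell() {
  if [ ! -x "$1" ]; then
    echo absent
  elif "$1" --version </dev/null 2>/dev/null | head -n 1 | grep -q 'GNU bash'; then
    echo bash
  else
    echo other
  fi
}

# Print every regular file under $1 whose #! line names bash, either
# directly (#!/bin/bash) or via env (#!/usr/bin/env bash).
find_bash_shebangs() {
  find "$1" -type f 2>/dev/null | sort | while IFS= read -r f; do
    line=$(head -n 1 "$f" 2>/dev/null)
    case "$line" in '#!'*) ;; *) continue ;; esac
    set -- ${line#??}                  # split interpreter path and arguments
    [ $# -ge 1 ] || continue
    interp=$(basename "$1")
    if [ "$interp" = env ] && [ $# -ge 2 ]; then interp=$(basename "$2"); fi
    if [ "$interp" = bash ]; then echo "$f"; fi
  done
}

# Constructed sample tree standing in for a CGI directory (hypothetical data).
make_sample_tree() {
  d=$(mktemp -d)
  printf '#!/bin/bash\necho hi\n'          > "$d/direct.cgi"
  printf '#!/usr/bin/env bash\necho hi\n'  > "$d/via_env.cgi"
  printf '#!/bin/sh\necho hi\n'            > "$d/posix.cgi"
  printf '#!/usr/bin/env perl\nprint 1;\n' > "$d/other.cgi"
  printf 'no interpreter line\n'           > "$d/notes.txt"
  echo "$d"
}

echo "/bin/sh is: $(identify_shell /bin/sh)"
tree=$(make_sample_tree)
echo "scripts under $tree that invoke bash explicitly:"
find_bash_shebangs "$tree"
rm -rf "$tree"
```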

TELECOM Digest is an electronic journal devoted mostly to telecommunications topics. It is circulated anywhere there is email, in addition to Usenet, where it appears as the moderated newsgroup 'comp.dcom.telecom'.

TELECOM Digest is a not-for-profit educational service offered to the Internet by Bill Horne.

The Telecom Digest is moderated by Bill Horne.
Contact information: Bill Horne
Telecom Digest
43 Deerfield Road
Sharon MA 02067-2301
339-364-8487
bill at horne dot net
Subscribe: telecom-request@telecom-digest.org?body=subscribe telecom
Unsubscribe: telecom-request@telecom-digest.org?body=unsubscribe telecom

This Digest is the oldest continuing e-journal about telecommunications on the Internet, having been founded in August, 1981 and published continuously since then. Our archives are available for your review/research. We believe we are the oldest e-zine/mailing list on the internet in any category! URL information: http://telecom-digest.org


Finally, the Digest is funded by gifts from generous readers such as yourself. Thank you!

All opinions expressed herein are deemed to be those of the author. Any organizations listed are for identification purposes only and messages should not be considered any official expression by the organization.


End of The Telecom Digest (1 message)
