33 Years of the Digest ... founded August 21, 1981
Copyright © 2014 E. William Horne. All Rights Reserved.
The Telecom Digest for Oct 5, 2014

Frequently the more trifling the subject, the more animated and protracted the discussion. - Franklin Pierce
See the bottom of this issue for subscription and archive details.
Date: Sat, 4 Oct 2014 05:31:47 +0000 (UTC)
From: wollman@bimajority.org (Garrett Wollman)
To: telecomdigestsubmissions.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Shellshock fixes beget another round of patches as attacks mount
Message-ID: <m0o0o3$2nol$1@grapevine.csail.mit.edu>
In article <pan.2014.10.03.23.37.07.580941@NOSPAM.yahoo.com.au>,
David Clayton <dc33box-usenet2@NOSPAM.yahoo.com.au> wrote:
>The only effective way of "disabling" bash is to rename the
>binary. If the entry vector code being exploited is explicitly
>calling /bin/bash then just changing it as the default shell for
>login won't do anything.
The systems where this bug is actually a vulnerability (i.e., remotely
exploitable) are, in the main, GNU/Linux and Mac OS systems where
"sh"[1] happens to be bash. It did not affect, for example, FreeBSD
systems or modern Debian systems unless their administrators foolishly
replaced their standard "sh" (generally a variant of the Almquist
shell) with bash, or a remotely exploitable path was provided to a
script that explicitly invoked bash.[2]
>The systems like desktop/server Linux that are kept patched and up to
>date will be ok, it is all those devices with Linux firmware and a
>web interface that rarely (if ever) get updated that may be at risk
>of permanent exploitation if they have any external ports available
>to attack. That means most home/small business grade Internet facing
>modems/routers etc. and that is what scares me!
Many (but by no means all) such systems do not use bash as their
standard shell, although they are probably exploitable in numerous
other ways.
-GAWollman
[1] The Standard (IEEE Std.1003.1-2008) does not specify the pathname
of the shell or any other utility. Traditionally it's /bin/sh, but
many commercial Unix systems shipped a historic (non-standard) Bourne
shell as /bin/sh and put the standard shell at some other pathname,
such as /usr/xpg4/bin/sh; the standard permits implementations to do
this, so long as they document the search path required to find the
standard utilities. For this reason, the #! hack has never been
standardized.
[2] Thwap!
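As an added example, not part of the post or the Digest, here is a small POSIX shell audit covering the two exposure paths Wollman describes: a system "sh" that is really bash, and scripts whose #! line names bash explicitly. It assumes POSIX sh, env, readlink, find and head are available; the probe variable name and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the Digest or the post's author. Assumes POSIX sh,
# env, readlink and find are present; /bin/sh is the path the post discusses.

# Print the real binary behind a shell path, following symlinks (e.g. /bin/sh -> dash).
resolve_shell() {
    readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"
}

# Return 0 if the shell at $1 is really bash: bash sets BASH_VERSION even when
# invoked as "sh", which is exactly what made those systems exposed.
shell_is_bash() {
    [ -x "$1" ] || return 1
    v=$("$1" -c 'printf %s "${BASH_VERSION-}"' 2>/dev/null)
    [ -n "$v" ]
}

# Verify that the bash at $1 no longer imports a function body from an arbitrary
# environment variable.  A patched bash ignores the definition, so the trailing
# command never runs and nothing is printed.  Prints "vulnerable" or "patched".
bash_env_import_check() {
    out=$(env probe='() { :;}; echo IMPORTED' "$1" -c ':' 2>/dev/null)
    case "$out" in
        *IMPORTED*) echo vulnerable ;;
        *)          echo patched ;;
    esac
}

# List scripts under $1 whose #! line names bash explicitly: the second exposure
# path in the post, where changing the login shell would not help.
bash_shebang_scripts() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        case "$(head -n 1 "$f" 2>/dev/null)" in
            '#!'*bash*) printf '%s\n' "$f" ;;
        esac
    done
}

# Report on the system "sh" plus any extra interpreters given as arguments.
audit_shells() {
    for s in /bin/sh "$@"; do
        if shell_is_bash "$s"; then
            printf '%s -> %s: bash, env import %s\n' "$s" "$(resolve_shell "$s")" "$(bash_env_import_check "$s")"
        else
            printf '%s -> %s: not bash, this bug does not apply\n' "$s" "$(resolve_shell "$s")"
        fi
    done
}

if [ "${1-}" = --run ]; then audit_shells /bin/bash; fi
```

Run with `--run` to report on /bin/sh and /bin/bash; pass `bash_shebang_scripts /path/to/cgi-bin` to find scripts that would still reach bash after a login-shell change.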
TELECOM Digest is an electronic journal devoted mostly to telecommunications topics. It is circulated anywhere there is email, in addition to Usenet, where it appears as the moderated newsgroup 'comp.dcom.telecom'. TELECOM Digest is a not-for-profit educational service offered to the Internet by Bill Horne. The Telecom Digest is moderated by Bill Horne.

This Digest is the oldest continuing e-journal about telecommunications on the Internet, having been founded in August, 1981 and published continuously since then. Our archives are available for your review/research. We believe we are the oldest e-zine/mailing list on the internet in any category!

URL information: http://telecom-digest.org

Copyright © 2014 E. William Horne. All rights reserved.

Finally, the Digest is funded by gifts from generous readers such as yourself. Thank you!

All opinions expressed herein are deemed to be those of the author. Any organizations listed are for identification purposes only and messages should not be considered any official expression by the organization.

End of The Telecom Digest (1 message)