Active Topics

 


Page 3 of 5 12 3 45
Reply
Thread Tools
szopin is offline szopin
2014-09-25 , 19:21
Posts: 2,076 | Thanked: 3,268 times | Joined on Feb 2011
#21
Originally Posted by pichlo View Post
Just tested on my N900 (Bash4).
Code:
~ $ env x='() { :;}; echo vulnerable'  
bash -c "echo this is a test"
vulnerable
this is a test
~ $
So just uninstall bash, busybox with sh is safe

Probably more worrying for n900 is the apt-get vulnerability (do you apt-get upgrade vulnerable apt-get to get safe apt-get???), didn't see a thread about it:
https://lists.debian.org/debian-secu.../msg00212.html
https://lists.debian.org/debian-secu.../msg00216.html
https://lists.debian.org/debian-secu.../msg00219.html
Last edited by szopin; 2014-09-25 at 20:10.
 

The Following 2 Users Say Thank You to szopin For This Useful Post:
szopin is offline szopin
2014-09-25 , 19:33
Posts: 2,076 | Thanked: 3,268 times | Joined on Feb 2011
#22
Originally Posted by coderus View Post
fix will be included in upcoming sailfish update, you can be sure
Wouldn't bet too much money on that. Original patch had some issues (rather quickly someone came with an example how to still exploit it, though supposedly less severely), most opinions are that there will be a few patches as people come up with more examples. At least some patch I hope will be delivered
 
Bundyo's Avatar
Bundyo is offline Bundyo
2014-09-25 , 19:51
Posts: 4,708 | Thanked: 4,649 times | Joined on Oct 2007 @ Bulgaria
#23
https://together.jolla.com/question/...#post-id-56855

This is the official answer, the thread was closed

Oh, some gory details on the first 0day exploit malware (botnet it seems):
http://www.kernelmode.info/forum/vie...&t=3505#p23987
__________________
Technically, there are three determinate states the cat could be in: Alive, Dead, and Bloody Furious.
Last edited by Bundyo; 2014-09-25 at 19:54.
 

The Following 3 Users Say Thank You to Bundyo For This Useful Post:
javispedro's Avatar
javispedro is offline javispedro
2014-09-25 , 20:05
Posts: 2,355 | Thanked: 5,249 times | Joined on Jan 2009 @ Barcelona
#24
Originally Posted by vincr View Post
Wrong subforum, but what about Maemo and Meego? These OS'es are infected too with this bug isn't it?
Since no Maemo originally shipped bash, you can be certainly sure no script is using it (unless you replaced /bin/sh with bash but I know for sure that didn't work on Fremantle). So it's also not exploitable.
 

The Following 2 Users Say Thank You to javispedro For This Useful Post:
szopin is offline szopin
2014-09-25 , 21:03
Posts: 2,076 | Thanked: 3,268 times | Joined on Feb 2011
#25
developing: http://seclists.org/oss-sec/2014/q3/712
 
vincr is offline vincr
2014-09-25 , 21:59
Posts: 136 | Thanked: 68 times | Joined on Nov 2013 @ Streets of Avalon | Zwolle, the Netherlands
#26
Originally Posted by javispedro View Post
Since no Maemo originally shipped bash, you can be certainly sure no script is using it (unless you replaced /bin/sh with bash but I know for sure that didn't work on Fremantle). So it's also not exploitable.
I have bash on my N9 and it's vulnerable.. hope to see some patched bash in openrepos. Just to be sure it's safe.
 
LadyBug is offline LadyBug
2014-09-26 , 07:20
Posts: 20 | Thanked: 13 times | Joined on Jan 2010 @ Finland
#27
If someone is curious how shellshock could be used to attack a Sailfish device, this illustrates one attack vector: https://pbs.twimg.com/media/ByZZUzmIIAAuFaR.jpg:large

That is, a malicious DHCP server could attack by sending code in the options field. I haven't verified this with my Jolla, but in theory this could be bad. Think of public WIFI access points...
 

The Following 2 Users Say Thank You to LadyBug For This Useful Post:
Manatus is offline Manatus
2014-09-26 , 08:17
Posts: 334 | Thanked: 616 times | Joined on Sep 2010
#28
Originally Posted by vincr View Post
I have bash on my N9 and it's vulnerable.. hope to see some patched bash in openrepos. Just to be sure it's safe.
For time being you can 'apt-get remove' bash. Of course depending on what software you run; on my N9 Schturman's N9 QTweak was only application using it. N9 QTweak reinstalls bash during the application launch, though.
 
nieldk
2014-09-26 , 08:25
Guest | Posts: n/a | Thanked: 0 times | Joined on
#29
Originally Posted by LadyBug View Post
If someone is curious how shellshock could be used to attack a Sailfish device, this illustrates one attack vector: https://pbs.twimg.com/media/ByZZUzmIIAAuFaR.jpg:large

That is, a malicious DHCP server could attack by sending code in the options field. I haven't verified this with my Jolla, but in theory this could be bad. Think of public WIFI access points...
Nice one!

Feel free to test that with my bash
http://talk.maemo.org/showpost.php?p...6&postcount=17
 

The Following User Says Thank You to For This Useful Post:
javispedro's Avatar
javispedro is offline javispedro
2014-09-26 , 09:26
Posts: 2,355 | Thanked: 5,249 times | Joined on Jan 2009 @ Barcelona
#30
Originally Posted by LadyBug View Post
If someone is curious how shellshock could be used to attack a Sailfish device, this illustrates one attack vector: https://pbs.twimg.com/media/ByZZUzmIIAAuFaR.jpg:large

That is, a malicious DHCP server could attack by sending code in the options field. I haven't verified this with my Jolla, but in theory this could be bad. Think of public WIFI access points...
Jolla doesn't use dhclient; it uses connman's builtin gdhcp client.

EDIT: Again, during "security crazes" please remember to keep your brain turned on. There's a shitton of people (e.g. stackoverflow) who is right now posting "instructions to solve the bash bug" which include absurd things such as replacing your distro's bash with some random online version. Without proper care, that's even more stupid than plainly doing nothing.

This doesn't necessarily apply to nieldk's packages, which I think one can trust (hehe ;P), but please remember to be generally cautious about this.
Last edited by javispedro; 2014-09-26 at 09:31.
 

The Following 7 Users Say Thank You to javispedro For This Useful Post:
Reply
Page 3 of 5 12 3 45

Tags
bash bug

« Previous Thread | Next Thread »

 
Forum Jump


All times are GMT. The time now is 23:14.

Contact Us - Home - Archive - Top