OHAI,

On Tuesday, 30 September 2014 14:25:28 Georgi Guninski wrote:
Agree, heartbleed was a bigger problem, though I think I know why so many people panic because of this.
My theory is, with heartbleed most folks thought they were unaffected, cause not many noob people run a webserver. But with shellshock they can test this on their own machine, with just 1 line of code and see the "vulnerable" message, so suddenly this is a big deal for them.
So, don't panic & stay cool, unless you have some badly configured servers or have a habit of running everything on your workstation without checking. But then you got bigger problems than this ;-).
Shellshock affects clients, including admins :)
Over DHCP you get instant root.
Over qmail local delivery, without any interaction you get the luser's $HOME and /var/mail, and having in mind the state of current kernels, the road to euid 0 is not very long.
It might affect some suid progies too.
Yeah, but that means the danger level is somewhere on the "client-side root" side, rather than "server-side root".
AFAICT HB didn't allow code execution, just reading memory.
"Just" potentially reading plaintext passwords straight off of RAM, SSL/TLS certificates, GPG keys, etc., potentially (and demonstrably!) giving one a way not only to take over the given server, but to decrypt past saved communications with a given host, if the host used SSL without perfect forward secrecy. Shellshock is more of a "personal client hygiene" kind of bug (a bad one, but still); HB was "we're *all* affected and fucked, change passwords NOW and hope for the best".

--
Regards,
rysiek