How much worse is the shellshock bash bug than Heartbleed?
Recently a bash(1) bug called shellshock died. It affected Apache, DHCP, SSH, qmail, Pure-FTPd and other stuff. Summary of affected: https://github.com/mubix/shellshocker-pocs/blob/master/README.md

I find this _much_ worse than the passive Heartbleed.

How much worse is the shellshock bash bug than Heartbleed?
Heartbleed was a memory leak that eventually, after carefully calculated exploiting, can lead to a remote root.

Shellshock depends on a lot of environmental details, but is possibly little more than a hard-to-reach shell with elevated permissions.

I guess heartbleed was actually worse. Who runs web scripts and stuff as root? That's really foolhardy. But using OpenSSL ... we usually thought it good practice!

On Sep 30, 2014 11:41 AM, "Georgi Guninski" <guninski@guninski.com> wrote:
> Recently a bash(1) bug called shellshock died. It affected Apache, DHCP, SSH, qmail, Pure-FTPd and other stuff. Summary of affected: https://github.com/mubix/shellshocker-pocs/blob/master/README.md
>
> I find this _much_ worse than the passive Heartbleed.
>
> How much worse is the shellshock bash bug than Heartbleed?
On 30.09.2014 at 11:55, Lodewijk andré de la porte wrote:
> Heartbleed was a memory leak that eventually, after carefully calculated exploiting, can lead to a remote root.
>
> Shellshock depends on a lot of environmental details, but is possibly little more than a hard-to-reach shell with elevated permissions.
>
> I guess heartbleed was actually worse. Who runs web scripts and stuff as root? That's really foolhardy. But using OpenSSL ... we usually thought it good practice!

Agree, heartbleed was a bigger problem, though I think I know why so many people panic because of this.

My theory is, with heartbleed most folks thought they were unaffected, 'cause not many noob people run a webserver. But with shellshock they can test this on their own machine, with just 1 line of code and see the "vulnerable" message, so suddenly this is a big deal for them.

So, don't panic & stay cool, unless you have some badly configured servers or have a habit of running everything on your workstation without checking. But then you've got bigger problems than this ;-).

-- 
Łukasz "Cyber Killer" Korpalski
mail: cyberkiller8@gmail.com
xmpp: cyber_killer@jabster.pl
site: http://website.cybkil.cu.cc
gpgkey: 0x72511999 @ hkp://keys.gnupg.net
//When replying to my e-mail, kindly please
//write your message below the quoted text.
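As an added example that is not part of the thread: the "1 line of code" self-test Łukasz refers to, wrapped into a script a defender can run on each host to confirm its bash is patched. The crafted environment value is constructed for the check and only ever reaches a child bash whose real command is ':'; the function names and result strings are this example's own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# A bash that imports shell functions from the environment and keeps parsing
# past the closing brace executes the trailing "echo vulnerable" while it is
# still starting up, before the real command ':' runs. A fixed bash prints
# nothing, so an empty result means "patched".
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    # Constructed test value; the only command the child is asked to run is ':'.
    out=$(env x='() { :;}; echo vulnerable' bash -c ':' 2>/dev/null)
    if [ "$out" = "vulnerable" ]; then
        echo "vulnerable"
        return 1
    fi
    echo "patched"
    return 0
}

# Companion diagnostic: does this bash still import a function from a plainly
# named variable at all? Releases fixed after the bug only honour variables
# carrying a special BASH_FUNC_ prefix, so 'x' is never defined here and the
# child fails with "command not found" (stderr discarded). An older, partially
# fixed bash defines x and prints "imported". Only shellshock_check above
# decides whether the host is actually vulnerable.
env_function_import_check() {
    out=$(env x='() { echo imported; }' bash -c 'x' 2>/dev/null)
    if [ "$out" = "imported" ]; then
        echo "imports-plain-names"
    else
        echo "prefix-only"
    fi
}

# Stand-alone use: print both results. $status is 0 when patched,
# 1 when vulnerable and 2 when no bash binary is installed.
status=0
shellshock_check || status=$?
env_function_import_check
```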
On Tue, Sep 30, 2014 at 12:30:57PM +0200, Łukasz "Cyber Killer" Korpalski wrote:
> On 30.09.2014 at 11:55, Lodewijk andré de la porte wrote:
>> Heartbleed was a memory leak that eventually, after carefully calculated exploiting, can lead to a remote root.
>>
>> Shellshock depends on a lot of environmental details, but is possibly little more than a hard-to-reach shell with elevated permissions.
>>
>> I guess heartbleed was actually worse. Who runs web scripts and stuff as root? That's really foolhardy. But using OpenSSL ... we usually thought it good practice!
>
> Agree, heartbleed was a bigger problem, though I think I know why so many people panic because of this.
>
> My theory is, with heartbleed most folks thought they were unaffected, 'cause not many noob people run a webserver. But with shellshock they can test this on their own machine, with just 1 line of code and see the "vulnerable" message, so suddenly this is a big deal for them.
>
> So, don't panic & stay cool, unless you have some badly configured servers or have a habit of running everything on your workstation without checking. But then you've got bigger problems than this ;-).

Shellshock affects clients, including admins :)

Over DHCP you get instant root.

Over qmail local delivery, without any interaction you get the luser's $HOME and /var/mail, and having in mind the state of current kernels the road to euid 0 is not very long.

It might affect some suid progies too.

AFAICT HB didn't allow code execution, just reading memory.
OHAI,

On Tuesday, 30 September 2014 14:25:28, Georgi Guninski wrote:
>> Agree, heartbleed was a bigger problem, though I think I know why so many people panic because of this.
>>
>> My theory is, with heartbleed most folks thought they were unaffected, 'cause not many noob people run a webserver. But with shellshock they can test this on their own machine, with just 1 line of code and see the "vulnerable" message, so suddenly this is a big deal for them.
>>
>> So, don't panic & stay cool, unless you have some badly configured servers or have a habit of running everything on your workstation without checking. But then you've got bigger problems than this ;-).
>
> Shellshock affects clients, including admins :)
>
> Over DHCP you get instant root.
>
> Over qmail local delivery, without any interaction you get the luser's $HOME and /var/mail, and having in mind the state of current kernels the road to euid 0 is not very long.
>
> It might affect some suid progies too.

Yeah, but that means the danger level is somewhere on the "client-side root" side, rather than "server-side root".

> AFAICT HB didn't allow code execution, just reading memory.

"Just" potentially reading plaintext passwords straight off of RAM, SSL/TLS certificates, GPG keys, etc., potentially (and demonstrably!) giving one a way not only to take over the given server, but to decrypt past saved communications with a given host, if the host used SSL without perfect forward secrecy.

Shellshock is more of a "personal client hygiene" kind of bug (a bad one, but still); HB was "we're *all* affected and fucked, change passwords NOW and hope for the best".

-- 
Regards,
rysiek
On Tue, Sep 30, 2014 at 02:24:44PM +0200, rysiek wrote:
> OHAI,
>
>> Shellshock affects clients, including admins :)
>>
>> Over DHCP you get instant root.
>>
>> Over qmail local delivery, without any interaction you get the luser's $HOME and /var/mail, and having in mind the state of current kernels the road to euid 0 is not very long.
>>
>> It might affect some suid progies too.
>
> Yeah, but that means the danger level is somewhere on the "client-side root" side, rather than "server-side root".

Client side and server side are related. Would you be comfortable to admin a server from a rooted client? (I can offer you a free shell to ssh out of it ;).

>> AFAICT HB didn't allow code execution, just reading memory.
>
> "Just" potentially reading plaintext passwords straight off of RAM, SSL/TLS certificates, GPG keys, etc., potentially (and demonstrably!) giving one a way not only to take over the given server, but to decrypt past saved communications with a given host, if the host used SSL without perfect forward secrecy.
>
> Shellshock is more of a "personal client hygiene" kind of bug (a bad one, but still); HB was "we're *all* affected and fucked, change passwords NOW and hope for the best".

If I had a budget for buying sploits, I would pay much more for shockshell than for HB, might be wrong.

> -- 
> Regards,
> rysiek
On Sep 30, 2014 3:40 PM, "Georgi Guninski" <guninski@guninski.com> wrote:
> If I had a budget for buying sploits, I would pay much more for shockshell than for HB, might be wrong.

This is a really good metric. It instantly combines utility with potential etc.

HB obtains you the root password, too. Maybe you have to wait for the admin to log in, but still. It also doesn't leave a trace, which is neat.

HB gets you exploits for some very serious competitors. Shellshock only for silly competition and, unless they're really silly, requires another exploit for root.

So.. it depends! On too much. For me personally shellshock is an easier exploit but heartbleed can be way more fun. Hmm... have to go with heartbleed in the end. Real users often use the same password, so that'd let me take open wifi users by surprise. If you'd want you can take servers, even though it's a tease harder.
On Tue, Sep 30, 2014 at 03:59:33PM +0200, Lodewijk andré de la porte wrote:
> On Sep 30, 2014 3:40 PM, "Georgi Guninski" <guninski@guninski.com> wrote:
>> If I had a budget for buying sploits, I would pay much more for shockshell than for HB, might be wrong.
>
> This is a really good metric. It instantly combines utility with potential etc.
>
> HB obtains you the root password, too. Maybe you have to wait for the admin to log in, but still. It also doesn't leave a trace, which is neat.

Is there a reference that HB _alone_ gets you the root password? Maybe I am dumb, but I don't see a way to get the root password in a sound setup even if I can ptrace() httpd.

> HB gets you exploits for some very serious competitors. Shellshock only for silly competition and, unless they're really silly, requires another exploit for root.

Probably shellshock will give you root via DHCP, and for another root exploit you might try to shock suid stuff :)

On the web the myriads of buggy cgi's probably can compete with shellshock, though it is more universal and allegedly works for a significant amount of daemons.

> So.. it depends! On too much. For me personally shellshock is an easier exploit but heartbleed can be way more fun. Hmm... have to go with heartbleed in the end. Real users often use the same password, so that'd let me take open wifi users by surprise. If you'd want you can take servers, even though it's a tease harder.
Or cpanel's suid scripts that invoke bash? :)

On Tue, Sep 30, 2014 at 11:05 AM, Georgi Guninski <guninski@guninski.com> wrote:
> On Tue, Sep 30, 2014 at 03:59:33PM +0200, Lodewijk andré de la porte wrote:
>> On Sep 30, 2014 3:40 PM, "Georgi Guninski" <guninski@guninski.com> wrote:
>>> If I had a budget for buying sploits, I would pay much more for shockshell than for HB, might be wrong.
>>
>> This is a really good metric. It instantly combines utility with potential etc.
>>
>> HB obtains you the root password, too. Maybe you have to wait for the admin to log in, but still. It also doesn't leave a trace, which is neat.
>
> Is there a reference that HB _alone_ gets you the root password? Maybe I am dumb, but I don't see a way to get the root password in a sound setup even if I can ptrace() httpd.
>
>> HB gets you exploits for some very serious competitors. Shellshock only for silly competition and, unless they're really silly, requires another exploit for root.
>
> Probably shellshock will give you root via DHCP, and for another root exploit you might try to shock suid stuff :)
>
> On the web the myriads of buggy cgi's probably can compete with shellshock, though it is more universal and allegedly works for a significant amount of daemons.
>
>> So.. it depends! On too much. For me personally shellshock is an easier exploit but heartbleed can be way more fun. Hmm... have to go with heartbleed in the end. Real users often use the same password, so that'd let me take open wifi users by surprise. If you'd want you can take servers, even though it's a tease harder.

-- 
--------
Phone: 1 (434) 933-2867
Skype: deatos2k
My Website: http://www.deatoslabs.com
My Security Blog: http://deatos.blogspot.com
On Tue, Sep 30, 2014 at 03:59:33PM +0200, Lodewijk andré de la porte wrote:
> On Sep 30, 2014 3:40 PM, "Georgi Guninski" <guninski@guninski.com> wrote:
>> If I had a budget for buying sploits, I would pay much more for shockshell than for HB, might be wrong.
>
> This is a really good metric. It instantly combines utility with potential etc.

What the world needs is a 'proof-of-exploit' based cryptocurrency that has a bidding period, and then an 'exclusive' period where the winning bidder gets the sploit, and then a disclosure period where the crypto key to decrypt the sploit becomes public.

Then we could tell how serious software vendors are by how many sploits for their own stuff they are the highest bidders for. You might even have Lloyds offering sploit insurance.....

The only sound electronic money would then be the one that creates money by sploiting other socially-engineerable electronic money.
participants (6)
- Łukasz "Cyber Killer" Korpalski
- Georgi Guninski
- Lodewijk andré de la porte
- rysiek
- tim taylor
- Troy Benjegerdes