Mu [was: How worse is the Shellshock bash bug than Heartbleed?]

Georgi Guninski guninski at guninski.com
Wed Oct 1 08:05:41 PDT 2014


On Wed, Oct 01, 2014 at 07:04:19AM -0700, coderman wrote:
> On 10/1/14, Georgi Guninski <guninski at guninski.com> wrote:
> > ...
> > Suspect this is just the top of the shellshock iceberg:
> > http://www.theregister.co.uk/2014/09/30/openvpn_open_to_shellshock_researcher/
> > OpenVPN open to pre-auth (in certain configurations).
> 
> if you are using any of the up, down, ipchange, route-up, tls-verify,
> auth-user-pass-verify,  client-connect, client-disconnect, or
> learn-address scripts with openvpn you are not operating in a security
> conscious manner.
> 
> to reiterate, in case anyone missed it: exposing a shell to untrusted
> inputs is insanity. this is true even if you manage to make your
> environment variable sanitization apparently robust.
> 
> 

OK :) Tell this to djb, qmail local delivery was allegedly affected ;)

Cheers


> > Btw, people scared by HB probably will get close to clinically
> > paranoid if the next HB allows "write anywhere" ;) { :; } ;)
> 
> part of my intent was to convey that heartbleed easily leads to
> arbitrary exec; even if not directly so ala shellshock.
> 
> so agree to disagree indeed; thus far heartbleed has medical pwnage
> and altcoin pilferage to credit, while shellshock is a farce of
> consumer crap and sloppy run yawn vulns; the mythical wide worm yet to
> materialize...
> 
> due time will tell, of course!  :P
> 
> 
> best regards,



More information about the cypherpunks mailing list