How worse is the shellshock bash bug than Heartbleed?
rysiek at hackerspace.pl
Tue Sep 30 05:24:44 PDT 2014
On Tuesday, 30 September 2014 14:25:28 Georgi Guninski wrote:
> > Agree, heartbleed was a bigger problem, though I think I know why so
> > many people panic because of this.
> > My theory is, with heartbleed most folks thought they were unaffected,
> > cause not many noob people run a webserver. But with shellshock they can
> > test this on their own machine, with just 1 line of code and see the
> > "vulnerable" message, so suddenly this is a big deal for them.
> > So, don't panic & stay cool, unless you have some badly configured
> > servers or have a habit of running everything on your workstation
> > without checking. But then you got bigger problems than this ;-).
> Shellshock affects clients, including admins :)
> Over DHCP you get instant root.
> Over qmail local delivery, without any interaction
> you get the lusers $HOME and /var/mail and having
> in mind the state of current kernels the road
> to euid 0 is not very long.
> It might affect some suid progies too.
Yeah, but that means the danger level is somewhere on the "client-side root"
side, rather than "server-side root".
> AFAICT HB didn't allow code execution, just reading memory.
"Just" potentially reading plaintext passwords straight off of RAM, SSL/TLS
certificates, GPG keys, etc., potentially (and demonstrably!) giving one a way
not only to take over the given server, but to decrypt past saved
communications with a given host, if the host used SSL without perfect forward

Shellshock is more of a "personal client hygiene" kind of bug (a bad one, but
still); HB was "we're *all* affected and fucked, change passwords NOW and hope
for the best".