How worse is the shellshock bash bug than Heartbleed?
Georgi Guninski
guninski at guninski.com
Tue Sep 30 06:26:03 PDT 2014
On Tue, Sep 30, 2014 at 02:24:44PM +0200, rysiek wrote:
> OHAI,
>
> > Shellshock affects clients, including admins :)
> >
> > Over DHCP you get instant root.
> >
> > Over qmail local delivery, without any interaction
> > you get the lusers $HOME and /var/mail and having
> > in mind the state of current kernels the road
> > to euid 0 is not very long.
> >
> > It might affect some suid progies too.
>
> Yeah, but that means the danger level is somewhere on the "client-side root"
> side, rather than "server-side root".
>

Client side and server side are related.
Would you be comfortable to admin a server from
a rooted client? (I can offer you free shell to
ssh out of it ;).

> > AFAICT HB didn't allow code execution, just reading memory.
>
> "Just" potentially reading plaintext passwords straight off of RAM, SSL/TLS
> certificates, GPG keys, etc., potentially (and demonstrably!) giving one a way
> not only to take over the given server, but to decrypt past saved
> communications with a given host, if the host used SSL without perfect forward
> secrecy.
>
> Shellshock is more of a "personal client hygiene" kind of bug (a bad one, but
> still); HB was "we're *all* affected and fucked, change passwords NOW and hope
> for the best".
>

If I had a budget for buying sploits, I would
pay much more for shockshell than for HB, might
be wrong.

> --
> Pozdr
> rysiek