NerdytData patches Shellshock in a single crawl (opens in new tab)

(blog.nerdydata.com)

5 pointswolfteets11y ago5 comments

5 comments

5 comments · 2 top-level

namecast11y ago· 2 in thread

Hmm. Is root privs escalation part of shellshock? If not, then I think this is just going to try to yum update or apt-get update as the www-data user / nobody user / apache user / you get the idea.

Anyone who's running their web server as a user with enough privileges to run package installs unattended is probably in for a worse fate than an unexpected bash update, I imagine...

skuhn11y ago

No, there is no local privilege escalation. So at best this can hit the four machines in the world that run bash CGI scripts as root.

Also, their apt-get command is incorrect. apt-get update updates the local repo cache, apt-get -yy install bash will upgrade the bash package. So now they're down to two of the four machines, the ones that run RHEL.

All their exercise has done is to land their crawler IPs on some lists of IPs attempting to exploit this vulnerability. I don't think that will help them any with their business.

skuhn11y ago

Not to mention that their syntax is wrong and won't trigger the vulnerability in the first place.

  env x='() {.:;.} ; echo yo'
  *line 0: syntax error near unexpected token `{.:'*

It should be:

  env x='() { :;} ; echo yo'

Better luck next time.

hartror11y ago· 1 in thread

Sounds to me like an excellent way to get yourself sued or worse.

kolev11y ago

Or maybe get a truckload of "thank you" postcards..

j / k navigate · click thread line to collapse

5 comments

5 comments · 2 top-level

namecast11y ago· 2 in thread

Hmm. Is root privs escalation part of shellshock? If not, then I think this is just going to try to yum update or apt-get update as the www-data user / nobody user / apache user / you get the idea.

Anyone who's running their web server as a user with enough privileges to run package installs unattended is probably in for a worse fate than an unexpected bash update, I imagine...

skuhn11y ago

No, there is no local privilege escalation. So at best this can hit the four machines in the world that run bash CGI scripts as root.

Also, their apt-get command is incorrect. apt-get update updates the local repo cache, apt-get -yy install bash will upgrade the bash package. So now they're down to two of the four machines, the ones that run RHEL.

All their exercise has done is to land their crawler IPs on some lists of IPs attempting to exploit this vulnerability. I don't think that will help them any with their business.

skuhn11y ago

Not to mention that their syntax is wrong and won't trigger the vulnerability in the first place.

  env x='() {.:;.} ; echo yo'
  *line 0: syntax error near unexpected token `{.:'*

It should be:

  env x='() { :;} ; echo yo'

Better luck next time.

hartror11y ago· 1 in thread

Sounds to me like an excellent way to get yourself sued or worse.

kolev11y ago

Or maybe get a truckload of "thank you" postcards..

j / k navigate · click thread line to collapse