[guardian-dev] Update your servers for real

Lee Azzarello lee at guardianproject.info
Thu Sep 25 08:48:51 EDT 2014



A remote code execution bug was found in the GNU Bash shell.

http://seclists.org/oss-sec/2014/q3/650

I tested it on Debian stable from two days ago and indeed, I could
execute code after a function definition in an environment variable. A
server I updated yesterday evening was not vulnerable, as the Debian
team got a patch released quite fast.

This affects any server you run any code on, though the remote code
execution attack vector is unlikely for many contemporary application
servers. Read the write-up for details about a proof of concept.

Good Morning!

-lee
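An added self-check for confirming that a host's bash has the fix Lee describes (this is example code, not part of his message): it starts bash with a constructed environment variable holding a function definition followed by a trailing command and reports whether that trailing command was executed at startup. The function names and the PROBE_ strings are placeholders of my own.

```shell
#!/bin/sh
# Added self-check (not from the original message): does the bash binary on
# this host still execute a command that trails a function definition
# imported from the environment? Handy for verifying that a package update
# actually landed on every server, as the message urges.
#
# Exit status: 0 = trailing command ran (UNPATCHED), 1 = it did not (patched),
#              2 = bash binary not found (cannot determine).
check_bash_env_function_import() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # Constructed variable: a no-op function body followed by an extra
    # command. A patched bash stops parsing at the closing brace, so the
    # marker string never reaches stdout. Names are arbitrary placeholders.
    out=$(env PROBE_FN='() { :;}; echo PROBE_TRAILING_CMD_RAN' \
              "$bash_bin" -c 'true' 2>/dev/null)
    case "$out" in
        *PROBE_TRAILING_CMD_RAN*) return 0 ;;
        *)                        return 1 ;;
    esac
}

# Human-readable verdict, e.g. for a fleet-wide inventory script.
# Written to be safe under `set -e` (no bare non-zero return reaches the shell).
report_bash_env_function_import() {
    rc=0
    check_bash_env_function_import "$1" || rc=$?
    case "$rc" in
        0) echo "UNPATCHED" ;;
        1) echo "patched" ;;
        *) echo "bash not found" ;;
    esac
}

# Run against the bash found on PATH, or the binary given as first argument.
report_bash_env_function_import "${1:-bash}"
```

Run it on each server after `apt-get upgrade` and expect "patched"; an "UNPATCHED" verdict means the new bash package is not yet the one being executed.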

