SANS ISC: Webcast Briefing: Bash Code Injection Vulnerability SANS ISC InfoSec Forums

Webcast Briefing: Bash Code Injection Vulnerability

I created a quick YouTube video to summarize the impact of the vulnerability. The tricky part is that there is a huge vulnerable population out there, but the impact is limited as in most cases, the vulnerability is not exposed.

Feel free to share the video or the slides. I am making PPT and PDF versions available below.

PDF Version of Slides
PPT Version of Slides (coming soon. not uploaded yet)

---
Johannes B. Ullrich, Ph.D.

Johannes

3698 Posts
ISC Handler
Possible error in presentation:

In the presentation it says "Not an issue for clients. It is a server problem", which is not technically correct. From everything I have seen, DHCP client and dhclient is a client problem for this vulnerability.
NoLemmingsPlease

5 Posts
Can you provide the link to the video?
NoLemmingsPlease
4 Posts
Added video link. Sorry for missing that earlier.

As for the client vs. server: yes, in the DHCP scenario, it is a client problem. But this scenario is less likely to be exploited.
Johannes

3698 Posts
ISC Handler
Well, I'd mention that although this is not meant for clients, the side-effect on this would be to attack through a legit site for whatever reason, say serving adware/malware/APT campaigns... So the end of this may have a much deeper impact on clients thinking they're doing "safe" browsing. Nasty vuln in the end... Thx for the video, great stuff
Johannes
1 Posts
Your slides are missing one critical point:
It is not just CGI through bash; the vuln hits any CGI that calls system(), open() or popen(). I can confirm that Python and Perl are vulnerable to this and found a couple of gitweb servers that might be exploited.

A side note: /bin/sh has to be a symlink to /bin/bash for this to happen, and fortunately Debian is safe, while Red Hat/SLES are vulnerable.


regards,

markus
Johannes
5 Posts
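
Added example, not part of the thread or any poster's code: a triage sketch for the two exposure conditions raised in the comment above, namely whether `sh` resolves to bash and which CGI scripts reach a shell directly (shebang) or indirectly (`system()`/`popen()`). The function names, sample files and grep patterns are assumptions made for illustration; the patterns miss Perl `system` without parentheses and piped `open`.

```shell
#!/bin/sh
# Added triage example; names, paths and patterns are assumptions.

# Return 0 if the given shell path (default /bin/sh) resolves to bash.
sh_is_bash() {
    target=$(readlink -f "${1:-/bin/sh}") || return 2
    [ "$(basename "$target")" = "bash" ]
}

# Classify each file under a CGI directory and print "<class> <path>":
#   direct   - shebang invokes sh or bash
#   indirect - script calls system()/popen()/os.system() or uses shell=True
classify_cgi() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if head -n 1 "$f" | grep -Eq \
            '^#![[:space:]]*(/usr)?/bin/(env[[:space:]]+)?(ba)?sh([[:space:]]|$)'; then
            echo "direct $f"
        elif grep -Eq \
            '(^|[^[:alnum:]_])(system|popen)[[:space:]]*\(|shell[[:space:]]*=[[:space:]]*True' "$f"; then
            echo "indirect $f"
        fi
    done
}

# Constructed sample: three CGI scripts and a stand-in sh -> bash symlink.
make_sample() {
    mkdir -p "$1/cgi-bin" "$1/bin"
    printf '#!/bin/bash\necho "Content-type: text/plain"\n' > "$1/cgi-bin/status.cgi"
    printf '#!/usr/bin/perl\nsystem("uptime");\n' > "$1/cgi-bin/uptime.pl"
    printf '#!/usr/bin/python\nprint("hello")\n' > "$1/cgi-bin/hello.py"
    : > "$1/bin/bash"
    ln -sf bash "$1/bin/sh"
}

demo=$(mktemp -d)
make_sample "$demo"
if sh_is_bash "$demo/bin/sh"; then echo "sample sh resolves to bash"; fi
if sh_is_bash /bin/sh; then echo "/bin/sh on this host resolves to bash"; fi
classify_cgi "$demo/cgi-bin"
rm -rf "$demo"
```

On a real host, point `classify_cgi` at the web server's CGI directory; "indirect" hits matter only where `sh_is_bash` succeeds for `/bin/sh`.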
I suspect that Windows clients with Cygwin may end up being an end user issue. http://cygwin.com/packages/
Johannes
2 Posts
I'm wondering also about MAMP for Windows, http://www.mamp.info/en/mamp_windows.html. Btw, MAMP for Mac OS is vulnerable.
mascalz1

1 Posts