Rich Freeman on 26 Sep 2014 10:34:47 -0700
Re: [PLUG] 'Shellshock' Bug Spells Trouble for Web Security
On Fri, Sep 26, 2014 at 1:00 PM, Keith C. Perry <kperry@daotechnologies.com> wrote:
>
> What are you envisioning as the attack vector from the client point of view? Is the concern that
> an infected DHCP server could craft an IP OFFER or ACK packet back to your client with an exploit?
>

Keep in mind that an "infected DHCP server" could be any other client on the network. A "DHCP server" is just a program that responds to DHCP DISCOVER/REQUEST packets. Anybody on the network (including wireless connections) could potentially send DHCP OFFER/ACK packets.

I don't know the details well enough to know exactly which implementations are vulnerable, and under what conditions. I doubt Android is vulnerable. The only phone I'm aware of that ships bash as part of the stock experience is the OnePlus One, and I'd be shocked if it was used for DHCP (it isn't the default sh for starters).

Linux desktops are the biggest risk here. Distros that migrated to dash are likely to be fairly safe unless they explicitly call bash in their scripts/etc. Some distros have their own ip-up scripts and such that could be problematic, and there are a lot of different DHCP client implementations. I think networkd is probably OK, but not all systemd distros use networkd, I imagine (systemd is new, networkd is even newer).

I'm curious as to whether ChromeOS is vulnerable. It uses secure boot, so the most a process is going to be able to do is run something in RAM; any tampering with the OS drive will just render it unbootable on the next reboot. I wouldn't be surprised if ChromeOS does run something like dhclient, though.

Bottom line is that I've patched everything I have but my phone. I don't run a server farm, though.
--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
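The vector Rich describes (any host on the segment answering DHCP with an OFFER/ACK whose option values end up in the environment of a bash hook script) can be checked for on the wire. The following is an added example, not code from the thread or from any DHCP client: it builds a minimal DHCPACK from constructed bytes, parses the option TLVs the way a client would, maps the string-valued options to the environment variable names an ISC dhclient-script-style hook would see (the `new_*` names are assumed here for illustration), and flags any value carrying the literal `() {` prefix that unpatched bash (CVE-2014-6271) treats as an exported function definition.

```python
import re
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 cookie that follows the 236-byte BOOTP header

# Option code -> environment variable name a hook script would receive.
# Assumption for this example: ISC dhclient-script style "new_<option>" names.
OPTION_ENV = {
    12: "new_host_name",
    15: "new_domain_name",
}

# Unpatched bash imported any environment value starting with the exact
# four bytes "() {" as a function and kept executing what followed the body.
FUNC_DEF_RE = re.compile(r"^\(\) \{")


def build_dhcp_reply(xid, options, msg_type=5):
    """Build a constructed BOOTP/DHCP reply (DHCPACK by default).

    options: list of (code, bytes) pairs appended after option 53.
    Addresses are placeholders (192.168.1.100 offered by 192.168.1.1).
    """
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0x8000,
        b"\0" * 4, b"\xc0\xa8\x01\x64", b"\xc0\xa8\x01\x01", b"\0" * 4,
        b"\0" * 16, b"", b"",
    )
    body = MAGIC_COOKIE + bytes([53, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + body + b"\xff"  # option 255 terminates the list


def parse_dhcp_options(packet):
    """Return {code: value_bytes} for the option area of a DHCP packet.

    Pads (0) are skipped, End (255) stops parsing, repeated codes are
    concatenated (RFC 3396), and truncated options raise instead of being
    silently accepted.
    """
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def options_to_env(opts):
    """Map parsed options onto the environment a hook script would inherit."""
    env = {}
    for code, value in opts.items():
        name = OPTION_ENV.get(code)
        if name is not None:
            env[name] = value.decode("latin-1")
    return env


def find_shellshock_payloads(env):
    """Names of environment variables whose value bash would parse as a function."""
    return sorted(name for name, value in env.items() if FUNC_DEF_RE.match(value))


if __name__ == "__main__":
    # Constructed sample traffic: one benign ACK and one from a rogue responder.
    benign = build_dhcp_reply(0x1234, [(15, b"lan.example"), (12, b"desktop")])
    rogue = build_dhcp_reply(0x1234, [(15, b"() { :; }; /bin/echo shellshock-test")])
    for label, pkt in (("benign", benign), ("rogue", rogue)):
        hits = find_shellshock_payloads(options_to_env(parse_dhcp_options(pkt)))
        print(label, "->", hits or "clean")
```

The check is deliberately narrow: bash keyed on the exact prefix `() {`, so that is the only string worth flagging; a value that merely contains braces or semicolons is ordinary DHCP data. A client that runs its hooks under dash, or a bash carrying the 2014 fixes, ignores the same value, which is the distinction Rich draws between distros above.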