Page 1 of 5 1 23 Last »
Reply
Thread Tools
Bundyo's Avatar
Bundyo is offline Bundyo
2014-09-25 , 07:06
Posts: 4,707 | Thanked: 4,643 times | Joined on Oct 2007 @ Bulgaria
#1
Pretty nasty this fella, here is more info and a test:

http://prng.net/shellshock/

I also filed a bug report @together, please vote:
https://together.jolla.com/question/...hellshock-bug/
__________________
Technically, there are three determinate states the cat could be in: Alive, Dead, and Bloody Furious.
 

The Following 3 Users Say Thank You to Bundyo For This Useful Post:
coderus's Avatar
coderus is offline coderus
2014-09-25 , 07:40
Posts: 6,431 | Thanked: 12,683 times | Joined on Nov 2011 @ Open Mobile Platform, Innopolis, Russia
#2
fix will be included in upcoming sailfish update, you can be sure
__________________
Twitter | Openrepos | GitHub | PayPal.Me
 

The Following 2 Users Say Thank You to coderus For This Useful Post:
javispedro's Avatar
javispedro is offline javispedro
2014-09-25 , 08:18
Posts: 2,351 | Thanked: 5,243 times | Joined on Jan 2009 @ Barcelona
#3
So how exactly do you plan to exploit this vulnerability on Jolla?

What I would like to see is an upgrade to GPLv3 Bash4, instead of wasting more time on their bash3 fork.
 

The Following 4 Users Say Thank You to javispedro For This Useful Post:
LouisDK is offline LouisDK
2014-09-25 , 08:23
Posts: 239 | Thanked: 586 times | Joined on Oct 2011 @ Denmark
#4
Originally Posted by javispedro View Post
So how exactly do you plan to exploit this vulnerability on Jolla?

What I would like to see is an upgrade to GPLv3 Bash4, instead of wasting more time on their bash3 fork.
Do they still use Bash3 and why? Are they scared of GPLv3 software like Apple are?
 
coderus's Avatar
coderus is offline coderus
2014-09-25 , 08:28
Posts: 6,431 | Thanked: 12,683 times | Joined on Nov 2011 @ Open Mobile Platform, Innopolis, Russia
#5
@javispedro there are should be some internals accepting environment variables.
__________________
Twitter | Openrepos | GitHub | PayPal.Me
 
javispedro's Avatar
javispedro is offline javispedro
2014-09-25 , 08:39
Posts: 2,351 | Thanked: 5,243 times | Joined on Jan 2009 @ Barcelona
#6
Originally Posted by LouisDK View Post
Do they still use Bash3 and why? Are they scared of GPLv3 software like Apple are?
Yes, they use an ancient non-GPLv3 version of Bash. I don't understand why and tbh it's my primary complaint against Jolla.

Originally Posted by coderus View Post
@javispedro there are should be some internals accepting environment variables.
So..? At this moment the only way I can think of to exploit this right now would be a suid binary that goes its way around bash "don't-run-me-suid" protection (e.g. set{e}uid then system). Which would be pretty nasty in itself since there's another 300 ways to attack those. So if you know one of those please report it.

Virtually the only situations where this bug can cause trouble is everywhere where a backlist/whitelist of environment variables is used to filter out such variables by name only. Because with this bug there are no "safe" env variable names.
Last edited by javispedro; 2014-09-25 at 08:41.
 
nieldk
2014-09-25 , 09:17
Guest | Posts: n/a | Thanked: 0 times | Joined on
#7
Well, You are probably right, but this is exploitable on several applications aswell. There is a bit more here http://seclists.org/oss-sec/2014/q3/650.

So, applications that expose some of the functionality that is vulnerable (abitrary environment variables) could be used to get at least shell code execution as current user.

But, that being said, I agree, I dont consider this a huge threat to Jolla/SailfishOS
 
javispedro's Avatar
javispedro is offline javispedro
2014-09-25 , 09:29
Posts: 2,351 | Thanked: 5,243 times | Joined on Jan 2009 @ Barcelona
#8
Originally Posted by nieldk View Post
So, applications that expose some of the functionality that is vulnerable (abitrary environment variables) could be used to get at least shell code execution as current user.
Yes, you defined it the way I see it. So if you could think of _anywhere_ in which this situation happens on a Jolla or even a normal workstation* then there might be a problem. Otherwise this is not exploitable at all.

*No, running sshd alone does not mean you're vulnerable. If on the other hand you were expecting that people ssh'ing would not be able to run arbitrary code you're in for a nasty surprise (e.g. stupid centralized Git servers, sftp-only servers -- shared hosting, etc.)
 
coderus's Avatar
coderus is offline coderus
2014-09-25 , 09:32
Posts: 6,431 | Thanked: 12,683 times | Joined on Nov 2011 @ Open Mobile Platform, Innopolis, Russia
#9
anyway, waiting for bash update in nieldk repo
__________________
Twitter | Openrepos | GitHub | PayPal.Me
 

The Following User Says Thank You to coderus For This Useful Post:
javispedro's Avatar
javispedro is offline javispedro
2014-09-25 , 10:25
Posts: 2,351 | Thanked: 5,243 times | Joined on Jan 2009 @ Barcelona
#10
Originally Posted by coderus View Post
anyway, waiting for bash update in nieldk repo
Wow, so you will be installing a random RPM package? Did you know the package could contain a RPM pre/post install script which could:
1) Grab all of your address book contacts,
2) Send compromising SMSs to all of them (plus a few "premium service" SMSs to inflate your bills!),
3) Zip your documents folder and upload to some chinese WWW server,
4) Then proceed to write randomly over your eMMC _permanently_ bricking the Jolla.

#securityscare

The JollaStore RPM packages are somewhat safer, but only because they are manually/statically analyzed.

Just an example of why I think "security scares" are bad. People tend to misplace their fears...
 

The Following 5 Users Say Thank You to javispedro For This Useful Post:
Reply
Page 1 of 5 1 23 Last »

Tags
bash bug

« Previous Thread | Next Thread »

 
Forum Jump


All times are GMT. The time now is 07:43.

Contact Us - Home - Archive - Top