# Bash Remote Exploit (https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-v



## Deleted (Sep 24, 2014)

Removed Poc.


----------



## Deleted (Sep 24, 2014)

CVE-2014-6271 - Remote code Execution through Bash


----------



## Jonathan (Sep 24, 2014)

Yep, only a few hours old now.


----------



## MartinD (Sep 24, 2014)

I've removed the PoC - please don't post that stuff in public


----------



## DomainBop (Sep 24, 2014)

Debian advisory.  Patch available for wheezy.

https://www.debian.org/security/2014/dsa-3032


----------



## Shoaib_A (Sep 24, 2014)

Patches available for CentOS 5/6/7 as well

http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html


----------



## Deleted (Sep 24, 2014)

That's lame.

It was test code, not a working way to exploit anything. 

You can remove my account from this forum. Thanks.


----------



## drmike (Sep 24, 2014)

Monkburger said:


> That's lame.
> 
> It was test code, not a working way to exploit anything.
> 
> You can remove my account from this forum. Thanks.


What happened, boss? Someone pruned your message due to the perception of it leading to an rm -rf'ing of the interwebs?


----------



## Taronyu (Sep 24, 2014)

Does anyone know if the latest version (4.3) is also vulnerable?


----------



## zzrok (Sep 24, 2014)

Taronyu said:


> Does anyone know if the latest version (4.3) is also vulnerable?


According to http://seclists.org/oss-sec/2014/q3/650, yes.


----------



## splitice (Sep 24, 2014)

I look forward to updating every server that runs bash... eh all of them.

Fortunately this doesn't seem to be exploitable under standard server scenarios without a service which allows for the setting of environment variables to specific values (rare) such as SSH access. At least based on my understanding.

Update Time....


----------



## KuJoe (Sep 24, 2014)

splitice said:


> I look forward to updating every server that runs bash... eh all of them.
> 
> Fortunately this doesn't seem to be exploitable under standard server scenarios without a service which allows for the setting of environment variables to specific values (rare) such as SSH access. At least based on my understanding.
> 
> Update Time....


I would hold off until they release an update that patches the exploit. The recent update didn't fix it completely.


----------



## Darwin (Sep 24, 2014)

Just saw the unedited version of this topic, wasn't the PoC doing almost the same shit the code posted by redhat does?(which, btw, is currently linked in this topic title)  :huh:


----------



## DomainBop (Sep 24, 2014)

splitice said:


> I look forward to updating every server that runs bash... eh all of them.


Puppet...


----------



## gxbfxvar (Sep 25, 2014)

Darwin said:


> Just saw the unedited version of this topic, wasn't the PoC doing almost the same shit the code posted by redhat does?(which, btw, is currently linked in this topic title)  :huh:


I also saw the unedited version and PoC shown there by OP was pretty harmless. In addition, bash isn't suid binary and running it on your account limits the damage to what you can access by yourself.


----------



## Kris (Sep 25, 2014)

Darwin said:


> Just saw the unedited version of this topic, wasn't the PoC doing almost the same shit the code posted by redhat does?(which, btw, is currently linked in this topic title)  :huh:


Yes, and due to stupidity we lost one of the bright members of the forum.

Good job, dumbass. (Looks at Martin)


----------



## Wintereise (Sep 25, 2014)

Kris said:


> Yes, and due to stupidity we lost one of the bright members of the forum.
> 
> Good job, dumbass. (Looks at Martin)


While the fact that it wasn't much of a PoC was true, him flipping shit on it being removed largely based on a mistake is also a problem.


----------



## MartinD (Sep 25, 2014)

Kris said:


> Yes, and due to stupidity we lost one of the bright members of the forum.
> 
> Good job, dumbass. (Looks at Martin)


Well aren't you the smart little cookie.

Next time any code is thrown up as PoC I'll leave it well alone and we can all try it against your systems.

I'm not going to dance around and try any code myself or analyse it to see what it can and can't do. If there's an exploit out there and someone posts up PoC code in relation to it I'll remove it.

I see people are just using this as an opportunity to moan again despite people saying the same code is listed in the link from RH. Trying to protect the wider community and people throw their arms up, chuck their toys and dummies out of the pram and storm off. Diddums.


----------



## KS_Samuel (Sep 25, 2014)

Considering the sort of people we find in this community, hiding the PoC is the right thing to do in my opinion. While it won't stop them finding it, it's a bit of a deterrent.

No names being mentioned because you all know who they are.


----------



## Aldryic C'boas (Sep 25, 2014)

A self-proclaimed guru of everything cries foul and lets slip the dogs of butthurt after a moderator censors part of his post.  The road to hell is paved with good intentions indeed, but at _*most*_ Martin's actions called for a response of _"Not cool man, it wasn't actually an issue, let me show you why"_ - not a GVH dramatantrum.  Props to Monk for not threatening to go grab a butter knife over the issue.. but "delete my account"?  Did you forget that you're not in the daycare anymore?  FFS man, most of your stories about your experience would place you being mid-30s or so - try acting like it.


----------



## lbft (Sep 25, 2014)

Like it or not, there are HF skid scum everywhere there are cheap VPSes, and lots of people (me included) came here from another site targeting that cheap VPS market.

I wish it were true that "you all know who they are", but plenty of them are at least smart enough not to post about their booters and RATs and other tripe or threaten people who disagree with them in related IRC channels. The visible morons are only the tip of the iceberg-sized turd uncomfortably sitting in every technical forum's underpants.

Some of them are even "providers", given the amount of DDoS that flies around for simply posting an offer on that other site or daring to do business in a particular market segment in a particular country.

So yes, I think technical information is important. I think discussion is important so we can all know how to defend our servers (and part of that defence is understanding your attackers' methods). And skids are going to get their grubby hands on tools that will allow them to cause harm eventually. But as soon as they know they can come *here* and get something they just have to not drool on too hard and run it, they'll start participating more, and turn this place into the "cesspit" none of us want it to be.

So personally I hope for more technical write-ups, or discussion, or even non-specific examples of types of attacks and how to mitigate them - because it makes us all more secure, and it's less accessible to dangerous morons. But I draw the line at anything that attracts pests.

Edit: I'm speaking generally here about the principle of posting proof of concept code here, not this specific case. This isn't the first time this discussion has come up.


----------



## splitice (Sep 25, 2014)

@Aldryic C'boas Well said as always, I tend to agree.

Personally I wouldn't have removed a harmless PoC, you can't wrap everything in bubble wrap. However I understand why @MartinD might want to remove it and his comment about posting in public makes me think he didn't see that it already is public (the attached link). Security through obscurity (or really, lack of given the publication) is not security. And you can bet your bottom dollar the skiddies on HF are already looking at more weaponized versions.
 
Please people, lets act like the professionals we are (@Monkburger). If you feel strongly enough to have a say, do so with respect for the mods/administrators. At the end of the day @MartinD made a decision, it might not have been the 'right' one but it is a decision, if you disagree - explain why.


----------



## marlencrabapple (Sep 25, 2014)

How exactly is one vulnerable to this? Do I need to have some sort of CGI script that explicitly uses environment variables in its equivalent of an exec()?


----------
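
Added example, not code from any post in this thread and not the snippet Red Hat published (although the probe string is Red Hat's well-known test value, which does nothing but echo a word). It addresses two points raised above: splitice's observation that the bug is only reachable through a service that copies attacker-controlled bytes into bash's environment, and marlencrabapple's question about whether a CGI script has to "explicitly" use environment variables. It does not: CGI/1.1 servers copy every request header into an `HTTP_*` variable (`User-Agent` becomes `HTTP_USER_AGENT`) before starting the handler, and any bash that handler spawns, including `/bin/sh` via `system()` on systems where sh is bash, inherits them. The script checks the local bash for CVE-2014-6271 only; CVE-2014-7169 and the later bugs listed further down need their own checks. The `cgi_handler_output_filtered` function is a stop-gap header filter of my own, not a documented mitigation, and is no substitute for the vendor update.

```shell
#!/bin/sh
# Added example (not from the thread or from Red Hat's post): shows the data
# path that makes Shellshock reachable and checks the local bash for
# CVE-2014-6271 only. The probe string is Red Hat's published test; its
# only side effect is echoing the word "vulnerable".

# Probe value: a bash function definition followed by a command. Vulnerable
# bash versions, while importing the function from the environment, kept
# parsing past the closing brace and executed the trailing "echo".
PROBE='() { :;}; echo vulnerable'

# Prints "vulnerable" if the local bash executes code appended to an
# environment-passed function definition, "patched" if it does not, or
# "no-bash" if no bash binary is on PATH.
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    # The child command ("echo probe") is harmless; what matters is whether
    # bash runs the trailing "echo vulnerable" while importing $x.
    out=$(env x="$PROBE" bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Simulates the CGI/1.1 data path: the web server copies request headers into
# HTTP_* environment variables (User-Agent becomes HTTP_USER_AGENT) and then
# runs the handler. A handler in any language that then starts a shell
# (directly, or via system()/popen() where /bin/sh is bash) hands that
# environment to bash. Argument: the raw User-Agent header value.
# Prints what the spawned shell wrote to stdout.
cgi_handler_output() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    HTTP_USER_AGENT="$1" bash -c 'echo "Content-Type: text/plain"; echo; echo "handled request"' 2>/dev/null
}

# Same handler behind a front-end rule (my own stop-gap, not a documented
# fix) that rejects header values starting with the exact prefix bash
# treated as an exported function, "() {". Only useful until the box is
# patched; it does nothing for other env-var paths such as SSH_ORIGINAL_COMMAND.
cgi_handler_output_filtered() {
    case "$1" in
        "() {"*) echo "Status: 400 Bad Request"; echo; return 0 ;;
    esac
    cgi_handler_output "$1"
}

# Stand-alone run: report local status and show each header path.
echo "local bash: $(shellshock_status)"
echo "--- benign header ---"
cgi_handler_output 'Mozilla/5.0'
echo "--- probe header, unfiltered ---"
cgi_handler_output "$PROBE"
echo "--- probe header, filtered ---"
cgi_handler_output_filtered "$PROBE"
```

On a patched bash the unfiltered probe run prints only the CGI headers and "handled request"; on an unpatched one the word "vulnerable" appears first, before the handler's own output, because the import happens when the child bash starts and before `-c` runs anything. That ordering is also why "the CGI script doesn't touch environment variables" is not a defence: the script's code never runs the payload, bash's start-up does.

----------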



## Darwin (Sep 25, 2014)

Just to clarify:


I was not trying to bash MartinD. I was only trying to point out that if the OP's code needed to be removed the Red Hat one should be too. (That was an opinion, not a demand, and not taking sides.)


I may or may not agree with his ruling in this case, but I sure can understand why he removed the code.


----------



## Deleted (Sep 25, 2014)

drmike said:


> What happened boss?   Someone prune your message due to perception of it leading to a rm -rf 'ing of the interwebs?


Apparently educating users on how simple and dangerous this is is bad bad evil evil and it should be stricken from the record. It's not my fault people can't read simple C code. 

Should I have posted the PoC? Yes. Why? To show how simple it is. The PoC code did not do anything harmful. Should I have said otherwise later when my PoC was deleted? Nope, I stand by what I said. Besides, there were way more harmful posts that were said on here (dumping customer records, displaying family members of CC employees that remained on here for DAYS until someone said something). 

And to Aldryic C'Boas, I don't give a shit what you have to say, so please, stop saying nonsense and eat a bowl of dicks.


----------



## Kris (Sep 25, 2014)

MartinD said:


> Well aren't you the smart little cookie.
> 
> Next time any code is thrown up as PoC I'll leave it well alone and we can all try it against your systems.
> 
> ...


Pretty sure you're the one looked at for similar activities... All the time, so makes sense.

Eat a dick.


----------



## MannDude (Sep 25, 2014)

Let's all get along. Everyone explained their reasoning, no one has to agree with anyone else and is not expected to, but let's try to be respectful towards each other regardless of whether we agree with each other or not and limit the personal name calling. 

Thanks.

I'm glad Monkburger posted this here, I've always seen him as a quality member and contributor and I understand Martin did what he did with solid intentions and not to purposely piss anyone off. It wasn't meant to be taken so seriously or stir up so much hatred. Y'all just calm down.


----------



## drmike (Sep 25, 2014)

A bowl of dicks.... Bahahaha... never heard that term tossed about prior.  Somewhere in Africa..... right now....

A proof of concept isn't something new.   The notices in various places *probably* mentioned or pointed to similar.  Sort of have to usually prove the issue exists to say here is why we are patching things.   I see zero harm in not showing the goods and plastering FIX YOUR SH!T notices all over for everyone to see.

I get that we don't want the vibe of HackForums here.  Unsure why the original post demanded such concern though [cause I missed it, y0!] @lbft covered my bases on the fine lines between civility and decaying into youthful anarchy.

Fear 'da


----------



## KuJoe (Sep 25, 2014)

Why not have a blanket rule like WHT has with "No POCs". Regardless if they are harmless or not, who cares? Anybody who wants to find one can find one in their e-mail before it's posted here most likely anyways. There is zero good that can come from posting a POC on vpsBoard as any sysadmin worth a damn is already on the proper mailing lists or has the proper bookmarks already to look up CVEs.

It's not the moderator's duty to know whether a POC is safe or not but you all know there would be more crying on this forum if some kid ran a "test" that wiped out his VPS regardless of how dumb you would have to be to run any code you find on a forum on a VPS you care about.

So in terms of security it's better to err on the side of caution. I say this as a provider who is targeted by skids every time somebody on here posts a positive review about us so I know for a fact they lurk this forum just to find targets and giving them any ammo is only detrimental to the providers who also post here.

I also say this as somebody who witnessed a provider who was on the wrong side of a POC that was posted publicly here and WHT. The attack happened shortly after the threads were posted here which was hours after the POC was released elsewhere so timing suggests they didn't know about it until it was posted on here or WHT. They were banned on WHT but not here so I still think he got it from this forum.


----------



## drmike (Sep 25, 2014)

The no POC rule just is blah.  [MIND YOU: THIS SITE DOES NEED SOME BETTER AND CLEARER RULES] There are plenty of folks who are not security list worshippers with stuffed inboxes and regular time wasted micro-paranoid-analyzing each issue.  I count myself as one of those [been on the lists and all and if I subscribe to everything and get email all day, I'd get nothing else ever done].

Saying we can't have POCs here or shouldn't because of the behavior of some undefined, but they exist, bad actors is just meh.   It's like bombing a whole town because there was a criminal therein.   It's overbearing.

Information isn't a crime.  Using such information as a weapon is a crime and those folks doing such should be spanked heavily for their misdeeds.

_*" I say this as a provider who is targeted by skids every time somebody on here posts a positive review about us so"*_

Does this apply to just when positive review on LE* or vpsB or both?

My regards to @KuJoe and Ramnode [who was spanked by a prior skiddy attack of notoriety].


----------



## MannDude (Sep 25, 2014)

I learned a long time ago that not everyone is going to be pleased 100% of the time on here and that's not our goal. We just want to provide a quality community. With that said, all I request is you react reasonably when you disagree with something. If you have further issues, feel free to create a different thread for it or contact me directly as this one is off-topic enough as is and is now a useless resource for any usable information.

I didn't see the original post, but I trust that if Martin removed something he did so with honest and good intentions with the community and its members in mind. I'm uncertain if there is some past history between the two that prompted such a reaction, but regardless the OP requested his account to be deleted so I did that as best as I could with what IPB allows me to do.


----------



## DomainBop (Sep 25, 2014)

Debian released their 2nd patch in the past 24 hours for this tonight: https://www.debian.org/security/2014/dsa-3035


----------



## drmike (Sep 25, 2014)

DomainBop said:


> Debian released their 2nd patch in the past 24 hours for this tonight: https://www.debian.org/security/2014/dsa-3035


Seems like this vulnerability is far from over.


----------



## Aldryic C'boas (Sep 26, 2014)

Whether or not a POC is harmful is irrelevant.  The problem is how quickly grown adults resorted to childish tantrums rather than discussing things civilly.  This thread would still be on the first page of posts if people didn't get off on trying to crucify someone they have a grudge against.  Monk tried to do a good thing (spread awareness of a critical issue), Martin tried to do a good thing (removed code he thought might be abused).



> Hey, I'm not sure why you edited my post, the code I posted wasn't actually harmful - let me elaborate a bit for the folks that don't spend all day in _vi_ and explain what's going on so they'll know how to protect themselves.





> Most excellent, thank you for clarifying and helping educate the community.


Would that really have been so hard?


----------



## HalfEatenPie (Sep 26, 2014)

Aldryic C said:


> Whether or not a POC is harmful is irrelevant.  The problem is how quickly grown adults resorted to childish tantrums rather than discussing things civilly.  This thread would still be on the first page of posts if people didn't get off on trying to crucify someone they have a grudge against.  Monk tried to do a good thing (spread awareness of a critical issue), Martin tried to do a good thing (removed code he thought might be abused).
> 
> 
> Would that really have been so hard?


Agreed to this.


I will admit I was to blame for this in the past (so this makes me a hypocrite). But... It seems whenever some accusatory claim comes onto the forum people immediately jump on it and go forth with it. Remember that "Admins are trying to censor everything!" when Matthew was removed? There was even an individual who was no longer active on the site who suddenly popped back in with "yeah screw you guys" (you know you can just leave it alone right? Or did your two cents really matter that time?)

I mean, argue what you want, but let's be reasonable or at least be mature about this before bringing out the pitchforks. And by that I mean fact checking.


----------



## drmike (Sep 27, 2014)

Trial by fire I say.     Eventually people will understand the house rules and Martin will seem less gruff   

Sucks to lose a productive member, an articulate and technical member of the community over a thread hosing like was done.

I vehemently disagree with censoring folks [exceptions - violence, bad harassment, bodily threats, bullying (clear bullying), inappropriate and/or illegal matters [of the pornographic variety], and hate speech for the sake of hating [you desk jockeys couldn't....]. I don't think a moderator should touch the content of a thread without saying hey to the OP first and trying to get a revision from the OP first [unsure if that was done or not].

These things while well intentioned send bad messages to others in the community and discourage participation.  I've been involved in forums and similar since, ehh 1980's.  Seen many communities die due to moderation that didn't suit the community.  Not claiming that here, just saying proactively.


----------



## Kakashi (Sep 27, 2014)

A little back on topic. Looks like there will need to be at least another patch.

Here are some more details:

http://www.webhostingtalk.com/showpost.php?p=9247514&postcount=123

http://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/


----------



## 24/7/365 (Sep 27, 2014)

A less critical one for you:

https://access.redhat.com/security/cve/CVE-2014-7187


----------



## wlanboy (Sep 28, 2014)

What a mess.

At least bash now has the attention it needs...


----------



## wlanboy (Sep 28, 2014)

Currently 5 issues:

The first two:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

Two new ones:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187

And the last one, ASLR related:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277


----------



## HalfEatenPie (Sep 28, 2014)

wlanboy said:


> Currently 5 issues:
> 
> The first two:
> 
> ...


Updates are fun! - Said No-one


----------

