Bash Remote Exploit (https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-v

[lbft]

Like it or not, there are HF skid scum everywhere there are cheap VPSes, and lots of people (me included) came here from another site targeting that cheap VPS market.

I wish it were true that "you all know who they are", but plenty of them are at least smart enough not to post about their booters and RATs and other tripe or threaten people who disagree with them in related IRC channels. The visible morons are only the tip of the iceberg-sized turd uncomfortably sitting in every technical forum's underpants.

Some of them are even "providers", given the amount of DDoS that flies around for simply posting an offer on that other site or daring to do business in a particular market segment in a particular country.

So yes, I think technical information is important. I think discussion is important so we can all know how to defend our servers (and part of that defence is understanding your attackers' methods). And skids are going to get their grubby hands on tools that will allow them to cause harm eventually. But as soon as they know they can come here and get something they just have to not drool on too hard and run it, they'll start participating more, and turn this place into the "cest pit" none of us want it to be.

So personally I hope for more technical write-ups, or discussion, or even non-specific examples of types of attacks and how to mitigate them - because it makes us all more secure, and it's less accessible to dangerous morons. But I draw the line at anything that attracts pests.

Edit: I'm speaking generally here about the principle of posting proof of concept code here, not this specific case. This isn't the first time this discussion has come up.

 

[splitice]

@Aldryic C'boas Well said as always, I tend to agree.

Personally I wouldn't have removed a harmless PoC, you cant wrap everything in bubble wrap. However I understand why @MartinD might want to remove it and his comment about posting in public makes me think he didn't see that it already is public (the attached link). Security through obscurity (or really, lack of given the publication) is not security. And you can bet your bottom dollar the skiddies on HF are already looking at more weaponized versions.
 
Please people, lets act like the professionals we are (@Monkburger). If you feel strongly enough to have a say, do so with respect for the mods/administrators. At the end of the day @MartinD made a decision, it might not have been the 'right' one but it is a decision, if you disagree - explain why.

 

[marlencrabapple]

How exactly is one vulnerable to this? Do I need to have some sort of CGI script that explicitly uses environment variables in its equivalent of an exec()?

 

[Darwin]

Just to clarify:


I was not trying to bash MartinD. I was only trying to point out that if the op code needed to be removed the red hat should be too.(that was an opnion, not a demand, neither taking sides)


I may or may not agree with his ruling in this case, but I sure can understand why he removed the code.

 

[Deleted]

What happened boss?   Someone prune your message due to perception of it leading to a rm -rf 'ing of the interwebs?

Apparently educating users on how simple, and dangerous this is is bad bad evil evil and it should be stricken from the record. It's not my fault people can't read simple c code. 

Should I have posted the PoC? Yes. Why? To show how simple it is. The PoC code did not do anything harmful. Should I have said otherwise later when my PoC was deleted? Nope, I stand by what I said. Besides, there were way more harmful posts that were said on here (dumping customer records, displaying family members of CC employees that remained on here for DAYS until someone said something). 

And to Aldryic C'Boas, I don't give a shit what you have to say, so please, stop saying nonsense and eat a bowl of dicks. 

 

[Kris]

Well aren't you the smart little cookie.

Next time any code is thrown up as PoC I'll leave it well alone and we can all try it against your systems.

I'm not going to dance around and try any code myself or analyse it to see what it can and can't do. If there's an exploit out there and someone posts up PoC code in relation to it I'll remove it.

I see people are just using this as an opportunity to moan again despite people saying the same code is listed in the link from RH. Trying to protect the wider community and people throw their arms up, chuck their toys and dummies out of the pram and storm off. Diddums.

Pretty sure you're the one looked at for similar activities... All the time, so makes sense.

Eat a dick. 

 

[MannDude]

Let's all get a long. Everyone explained their reasoning, no one has to agree with anyone else and is not expected to, but lets try to be respectful towards each other regardless if we agree with each other or not and limit the personal name calling.

Thanks.

I'm glad Monkburger posted this here, I've always saw him as a quality member and contributor and I understand Martin did what he did with solid intentions and not to purposely piss anyone off. It wasn't meant to taken so seriously or stir up so much hatred. Y'all just calm down.

 

[drmike]

A bowl of dicks.... Bahahaha... never heard that term tossed about prior.  Somewhere in Africa..... right now....

A proof of concept isn't something new.   The notices in various places *probably* mentioned or pointed to similar.  Sort of have to usually prove the issue exists to say here is why we are patching things.   I see zero harm in not showing the goods and plastering FIX YOUR SH!T notices all over for everyone to see.

I get that we don't want the vibe of HackForums here.  Unsure why the original post demanded such concern though [cause I missed it, y0!] @lbft covered my bases on the fine lines between civility and decaying into youthful anarchy.

Fear 'da

 

[KuJoe]

Why not have a blanket rule like WHT has with "No POCs". Regardless if they are harmless or not, who cares? Anybody who wants to find one can find one in their e-mail before it's posted here most likely anyways. There is zero good that can come from posting a POC on vpsBoard as any sysadmin worth a damn is already on the proper mailing lists or has the proper bookmarks already to look up CVEs.

It's not the moderator's duty to know whether a POC is safe or not but you all know there would be more crying on this forum is some kid ran a "test" that wiped out his VPS regardless of how dumb you would have to be to run any code you find on a forum on a VPS you care about.

So in terms of security it's better to err on the side of caution. I say this as a provider who is targeted by skids every time somebody on here posts a positive review about us so I know for a fact they lurk this forum just to find targets and giving them any ammo is only detrimental to the providers who also post here.

I also say this as somebody who witnessed a provider who was on the wrong side of a POC that was posted publicly here and WHT. The attack happened shortly after the threads were posted here which was hours after the POC was released elsewhere so timing suggests they didn't know about it until it was posted on here or WHT. They were banned on WHT but not here so I still think he got it from this forum.

 

[drmike]

The no POC rule just is blah.  [MIND YOU: THIS SITE DOES NEED SOME BETTER AND CLEARER RULES] There are plenty of folks who are not security list worshippers with stuffed inboxes and regular time wasted micro-paranoid-analyzing each issue.  I count myself as one of those [been on the lists and all and if I subscribe to everything and get email all day, I'd get nothing else ever done].

Saying we can't have POCs here or shouldn't because of the behavior of some undefined, but they exist, bad actors is just meh.   It's like bombing a whole town because there was a criminal therein.   It's overbearing.

Information isn't a crime.  Using such information as a weapon is a crime and those folks doing such should be spanked heavily for their misdeeds.

" I say this as a provider who is targeted by skids every time somebody on here posts a positive review about us so"

Does this apply to just when positive review on LE* or vpsB or both?

My regards to @KuJoe and Ramnode [who was spanked by a prior skiddy attack of notoriety].

 

[MannDude]

I learned a long time ago that not everyone is going to pleased 100% of the time on here and that's not our goal. We just want to provide a quality community. With that said, all I request is you react reasonably when you disagree with something. If you have further issues, feel free to create a different thread for it or contact me directly as this one is off-topic enough as is and is now a useless resource for any usable information.

I didn't see the original post, but I trust that if Martin removed something he did so with honest and good intentions with the community and it's members in mind. I'm uncertain if there is some past history between the two that prompted such a reaction, but regardless the OP requested his account to be deleted so I did that as best as I could with what IPB allows me to do.

 

[DomainBop]

Debian released their 2nd patch in the past 24 hours for this tonight: https://www.debian.org/security/2014/dsa-3035

 

[drmike]

Debian released their 2nd patch in the past 24 hours for this tonight: https://www.debian.org/security/2014/dsa-3035

Seems like this vulnerability is far from over.

 

[Aldryic C'boas]

Whether or not a POC is harmful is irrelevant.  The problem is how quickly grown adults resorted to childish tantrums rather than discussing things civilly.  This thread would still be on the first page of posts if people didn't get off on trying to crucify someone they have a grudge against.  Monk tried to do a good thing (spread awareness of a critical issue), Martin tried to do a good thing (removed code he thought might be abused).

Hey, I'm not sure why you edited my post, the code I posted wasn't actually harmful - let me elaborate a bit for the folks that don't spend all day in vi and explain what's going on so they'll know how to protect themselves.

Most excellent, thank you for clarifying and helping educate the community.

Would that really have been so hard?

 

[HalfEatenPie]

Whether or not a POC is harmful is irrelevant.  The problem is how quickly grown adults resorted to childish tantrums rather than discussing things civilly.  This thread would still be on the first page of posts if people didn't get off on trying to crucify someone they have a grudge against.  Monk tried to do a good thing (spread awareness of a critical issue), Martin tried to do a good thing (removed code he thought might be abused).


Would that really have been so hard?

Agreed to this.


I will admit I was to blame for this in the past (so this makes me a hypocrite). But... It seems whenever some accusatory claim comes onto the forum people immediately jump on it and go forth with it. Remember that "Admins are trying to censor everything!" when Matthew was removed?  There were even an individual who was no longer active on the site suddenly pop back in with "yeah screw you guys" (you know you can just leave it alone right?  Or did your two cents really matter that time?)

I mean argue what you want, but let be reasonable or at least be mature about this before bringing out the pitchforks.  And by that I mean fact checking.  

 

[drmike]

Trial by fire I say.     Eventually people will understand the house rules and Martin will seem less gruff  

Sucks to lose a productive member, an articulate and technical member of the community over a thread hosing like was done.

I vehemently disagree with censoring folks [exceptions - violence, bad harassment, bodily threats, bullying (clear bullying), inappropriate and/or illegal matters [of the pornographic variety], and hate speech for the sake of hating [you desk jockies couldn't....].  I don't think a moderator should touch the content of a thread without saying hey to the OP first and trying to get a revision from the OP first [unsure if that was done or not].

These things while well intentioned send bad messages to others in the community and discourage participation.  I've been involved in forums and similar since, ehh 1980's.  Seen many communities die due to moderation that didn't suit the community.  Not claiming that here, just saying proactively.

 

[Kakashi]

A little back on topic. Looks like there will need to be at least another patch.

Here are some more details:

http://www.webhostingtalk.com/showpost.php?p=9247514&postcount=123

http://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/

 

[24/7/365]

A less critical one for you:

https://access.redhat.com/security/cve/CVE-2014-7187

 

[wlanboy]

What a mess.

At least bash now has the attention it needs...

 

[wlanboy]

Currently 5 issues:

The first two:

• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
  
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

Two new ones:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
  
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187

And the last one ASLR related:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277