"Shellshock" bash bug

Colin Law clanlaw at gmail.com
Sat Sep 27 06:36:59 UTC 2014


On 26 September 2014 23:24, Teo En Ming
<singapore.mr.teo.en.ming at gmail.com> wrote:
> On 27/09/2014 05:57, Rashkae wrote:
>>
>> On 14-09-26 05:50 PM, Colin Law wrote:
>>>
>>>
>>> It is a sheeva plug computer with an Arm processor.  Jaunty was the
>>> last ubuntu version that supported the chip.
>>>
>>> It seems however that my initial assumption is correct, that if they
>>> cannot login as they do not have the key then they cannot exploit the
>>> vulnerability.
>>>
>>> If someone manages to crack the key and login then the vulnerability
>>> is the least of my worries I think.
>>>
>>> Colin
>>>
>>
>> As far as ssh goes, that is correct, your attack surface there is pretty
>> small, but you have to be careful about anything else, such as web cgi
>> scripts, or even a default install of Apache, which can try to fork a
>> process with bash.  Also, dhcpclient is vulnerable, if the computer ever
>> tries to get a dhcp address from a bad dhcp server.
>>
>>
>
> But dhcp server is usually on a router. I think the hacker would have to
> hack the router to plant a bad dhcp server there. But then any Linux-based
> router is also vulnerable to the shellshock bash bug.

Is that not only true if the router has bash installed? As I asked in
a previous message, how does one know whether one's router may be
vulnerable?

Colin




More information about the ubuntu-users mailing list