dliloch
Posts: 168
Joined: Wed Jun 27, 2012 6:28 pm
Location: cleveland, ohio usa

shellshock -- thank you for the quick fix!

Thu Sep 25, 2014 1:31 pm

This morning, after reading the news about shellshock and trying this script that I found on Stack Exchange

http://apple.stackexchange.com/question ... 851#146851

env x='() { :;}; echo vulnerable' bash -c 'echo hello'
I see my Apple is still vulnerable, no fix yet, but by updating the Pi all is good. Thanks for the quick response to this.

7ewis
Posts: 130
Joined: Wed Dec 26, 2012 11:30 am

Re: shellshock -- thank you for the quick fix!

Thu Sep 25, 2014 4:17 pm

Could someone explain to me why this doesn't run, and how it could be dangerous, in simple terms?

Obviously I know that if you can execute random code remotely, it's bad. But specifically in this context?

When you run the code, after the error messages, it still says 'hello' at the end anyway. But I read somewhere that the code at the end is where someone would put something malicious?
Raspberry Pi - Model B (512MB)

rpdom
Posts: 16725
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: shellshock -- thank you for the quick fix!

Thu Sep 25, 2014 4:23 pm

It's not the code at the end of the line that is the problem. That bit is the "good" code and is supposed to run. The bad bit is on the end of the function definition x='() { :;}; echo vulnerable'. The function is { :;}, which is just a dummy function and does nothing. The "echo vulnerable" is a bit of code that shouldn't be there and should be rejected or ignored, but it gets executed instead.

What you can do is to include the function definition in a request for a page on a web server (for example) that runs a CGI script. The function will be ignored, but the "bad" code will be executed by the web server without checking what it does first.
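
Added example, not part of the original thread: a log check for the web-server case described in the post above. It flags any quoted field in an access log whose value begins with `() {`, the prefix that makes bash treat an environment value as a function definition. The combined log format, the sample lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: three access-log lines in Apache "combined" format.
# The second carries the test string from this thread in the User-Agent
# header, which a CGI server hands to the script as HTTP_USER_AGENT.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:13:31:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [25/Sep/2014:13:32:17 +0000] "GET /cgi-bin/status HTTP/1.1" 200 48 "-" "() { :;}; echo vulnerable"
192.0.2.10 - - [25/Sep/2014:13:33:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 48 "http://example.test/a(){b}" "curl/7.38.0"
EOF
}

# Reads log lines on stdin and prints "client<TAB>request<TAB>field" for
# every quoted field that starts with "() {".
# Splitting on '"' puts the quoted fields (request, referer, user agent)
# at even positions. A header containing an escaped quote (\") would shift
# the positions, so treat this as a first-pass triage filter.
scan_log() {
    awk -F'"' '
    {
        split($1, head, " ")            # head[1] is the client address
        for (i = 2; i <= NF; i += 2)
            if (substr($i, 1, 4) == "() {")
                printf "%s\t%s\t%s\n", head[1], $2, $i
    }'
}

# Number of flagged fields in the log read from stdin.
count_hits() { scan_log | wc -l | tr -d ' '; }

sample_log | scan_log
```

The third sample line contains `(){` in the middle of a URL and is not flagged, because only a value that starts with `() {` is parsed as a function definition.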

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 6206
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: shellshock -- thank you for the quick fix!

Thu Sep 25, 2014 5:06 pm

Too many shellshock threads.

plugwash
Forum Moderator
Posts: 3575
Joined: Wed Dec 28, 2011 11:45 pm

Re: shellshock -- thank you for the quick fix!

Fri Sep 26, 2014 12:54 am

Please see http://www.raspberrypi.org/forums/viewt ... 66&t=87812

Note that the first round of fixing did not fully fix the bug.
