Go ahead and start a new thread.I doubt most mac users even know what bash is
It's not even mentioned in the apple section here
Edit: done
Last edited:
-
Join the MyBroadband community
South Africa’s biggest forum. Discuss, discover, and connect with thousands of members.
-
Question of the Day: What's the most interesting small town you've visited in South Africa?
Bash Vulnerability
- Thread starter battletoad
- Start date
Edit: done
I doubt most mac users even know what bash is
It's not even mentioned in the apple section here
Theyre a bit slow and will catch up eventually.
Sinbad
Honorary Master
- Joined
- Jun 5, 2006
- Messages
- 88,608
- Reaction score
- 41,109
They think it's another reference to their iPhone 6+ that will bend if you bash it hard enough
I doubt most mac users even know what bash is
It's not even mentioned in the apple section here
Or we have it covered and find no need to wet our pants about it
Its mainly web servers that can be exploited. Don't see too many of these on OS X.
http://www.cnet.com/news/vast-majority-of-os-x-users-safe-from-bash-shellshock-bug-apple-says/
Last edited:
GreGorGy
BULLSFAN
Or we have it covered and find no need to wet our pants about it
http://www.cnet.com/news/vast-majority-of-os-x-users-safe-from-bash-shellshock-bug-apple-says/
I have to wonder what they mean by "advanced" though? Starting apache? Configuring PHP? Downloading software that may or may not rely on shells to do the work (several movie rippers and format shifters do just this, for example).
Probably thank you letters off to Apple headquarters right now thanking them for the thoughtful new feature
Or we have it covered and find no need to wet our pants about it
Its mainly web servers that can be exploited. Don't see too many of these on OS X.
http://www.cnet.com/news/vast-majority-of-os-x-users-safe-from-bash-shellshock-bug-apple-says/
I dont believe this. What if there is a browser exploit that manages to access bash?
Is there ? There is a lot of speculation about this. The only thing we know for sure is that systems running bash can be tricked into kicking off a child's bash process. This requires an already authenticated bash process to be already running. Currently it's only services which can do this that we aware of. The most common is a web server, because it can exec bash scripts through cgi, php etc.
So far as I know Safari doesn't support bash and most Mac users use Safari. I don't know about chrome and Firefox. Any risk from a browser is no different to existing risk of clicking dodgy links.
GreGorGy
BULLSFAN
Wow - my CM7 android is vulnerable, although default is sh but going to bash and then typing it out does indeed respond as expected.
Is it Android that is vulnerable or the system used to deploy android, because it uses bash. Although the vulnerability could be used to get a worm into your system which could then do them do some damage to your Android deployed code ?
GreGorGy
BULLSFAN
Dunno - but I have an old HTC with CM7 on it. Started it up and started its terminal. Default is sh. Shelled to bash and entered that rogue piece and results were as expected.
GreGorGy
BULLSFAN
https://blog.fortinet.com/post/are-ios-and-android-vulnerable-to-the-shellshock-bug
Seems more reading is required.
Seems more reading is required.
ocky
Well-Known Member
To test if your version affected by the original vulnerability:
If you get the output "hacked", you're affected.
test="() { echo Hello; }; echo hacked" bash -c ""
In order to test if your version only got the incomplete first fix:
X='() { function a a>\' bash -c echo; [ -e echo ] && echo "hacked"
If you get the output "hacked", you're affected.
test="() { echo Hello; }; echo hacked" bash -c ""
In order to test if your version only got the incomplete first fix:
X='() { function a a>\' bash -c echo; [ -e echo ] && echo "hacked"
Pada
Executive Member
Has anyone perhaps been able to use the exploit via DHCP yet?
Like I tried on Fedora Core and CentOS and their DHCP clients seemed to do some basic alphanumeric checks on like the domain name field, so it never set the malicious fields as an environmental variable...
Like I tried on Fedora Core and CentOS and their DHCP clients seemed to do some basic alphanumeric checks on like the domain name field, so it never set the malicious fields as an environmental variable...
Remember that systems are only vulnerable if it's possible to remote to them. To be able to exploit this, an attacker needs to establish an authenticated session. Apple have recommended that Mac users disable remote logins until this is patched. For servers this is not the best news, but if you aren't operating a server, then you probably should take this precaution asap.