Archive for the ‘Uncategorized’ Category

Shell-Shock aka BashBug

Posted: October 8, 2014 in Uncategorized

CVE-2014-7169 – Bash specially-crafted environment variables code injection attack

I wrote this a couple of weeks ago; however, due to a very busy schedule I had no access to the doc, as it was on a different device. Anyway, here we go..

You don’t get CVSS v2 Base Score 10.0 vulnerabilities every day, and this is one of those moments when a real bad-ass one shows up. If you are running one of the bash versions listed at the following link, you might be vulnerable:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

To check the running bash version, do as follows:

root@ubuntu:~# bash --version
GNU bash, version 4.2.25(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later

If you need more info, go with /bin/bash -v.

Like “real” programming languages, Bash has functions, though in a somewhat limited implementation, and it is possible to put these bash functions into environment variables.
If you want to see whether your system is vulnerable to this bug, run the following commands. If it’s vulnerable, you know what to expect on the screen, right? 😉

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
env x='() { :;}; echo "Bagbash: " $(</etc/passwd)' bash -c "echo this is a test"
curl -v -A '() { :;}; echo "Bagbash: " $(</etc/passwd)' http://IP_or_FQDN/cgi-bin/status


If you see that, go patch yourself! (Well, you have other alternatives too, but the easier one would be patching, I believe.) Go, because there is already an msf exploit for this. There are many ways to upgrade your systems; I'm not interested in how you want to update them, but you can try the following:

$ sudo apt-get update
$ sudo apt-get dist-upgrade

After you have patched your systems, or if they are not vulnerable, you should see an error importing the function definition for `x' when you run the above test case:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
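The curl probe above is exactly what lands in a web server’s access log when someone scans for this bug, so the defensive counterpart of the test is to look for the “() {” function-definition marker in logged request fields. This is an added detection script, not code from the original post; it assumes the Apache/nginx “combined” log format and runs over a few constructed sample lines.

```python
import re
from typing import List, Tuple

# Apache/nginx "combined" format: client, identity, user, [time], "request",
# status, size, "referer", "user-agent". Quoted fields may contain \" escapes.
_QUOTED = r'(?:[^"\\]|\\.)*'
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>' + _QUOTED + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>' + _QUOTED + r')" '
    r'"(?P<agent>' + _QUOTED + r')"$'
)

# The Shellshock trigger: an exported function body "() {" at the start of a
# value, followed by extra text that a vulnerable bash runs on import.
_SHELLSHOCK = re.compile(r'\(\)\s*\{')

# Caveat: the combined format only logs Referer and User-Agent. Probes carried
# in Host, Cookie or custom headers are invisible here unless you log them.
def scan_combined_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, request line, offending field) for every log line
    whose request, referer or user-agent contains a function-definition marker."""
    hits = []
    for line in lines:
        m = _COMBINED.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format; a real tool should count parse failures
        for field in ("request", "referer", "agent"):
            if _SHELLSHOCK.search(m.group(field)):
                hits.append((m.group("ip"), m.group("request"), field))
                break  # one finding per line is enough
    return hits

# Constructed sample lines (not from any real server): a benign request, the
# style of probe shown in the post against a CGI path, a probe smuggled in the
# Referer header, and a harmless URL containing "()" but no function body.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Oct/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [08/Oct/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :;}; echo vulnerable"',
    '198.51.100.7 - - [08/Oct/2014:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() {:;}; echo probe" "curl/7.35.0"',
    '198.51.100.8 - - [08/Oct/2014:10:00:04 +0000] "GET /docs/functions() HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, request, field in scan_combined_log(SAMPLE_LOG):
        print(f"shellshock probe from {ip} in {field}: {request}")
```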

Once again, Happy Patching!!

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
http://seclists.org/oss-sec/2014/q3/649


New research conducted by SplashData revealed that “password” isn’t the dumbest password choice around anymore, as it was replaced by “123456” for the past year. However, “password” fell only one position compared with 2012, basically switching places with “123456.” The list of weak passwords includes various other obvious combinations such as “qwerty,” “iloveyou,” “1234,” “111111” and “000000.” Passwords such as “adobe123” or “photoshop” also made the top 20, revealing that many Internet users choose passwords that resemble the name of the service they’re logging into.

“Seeing passwords like ‘adobe123’ and ‘photoshop’ on this list offers a good reminder not to base your password on the name of the website or application you are accessing,” SplashData CEO Morgan Slain said. “Another interesting aspect of this year’s list is that more short numerical passwords showed up even though websites are starting to enforce stronger password policies.”

The ranking of the worst login security choices among Internet users was compiled from lists of hacked accounts containing millions of stolen passwords posted online last year. The top 25 worst passwords of 2013 follow below.

[Image: SplashData’s top 25 worst passwords of 2013]


The MySQL component in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) 9.0.1.19899 and earlier has a default password of admin for the (1) scrutinizer and (2) scrutremote accounts, which allows remote attackers to execute arbitrary SQL commands via a TCP session.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)