SGI: Security

Shellshock - Page 1

pentium avatar
pentium
From Kamloops, BC
Who joined Aug. 28, 2006, 6:29 p.m.
Wrote the following at Sept. 25, 2014, 8:56 a.m...
Now that the word is out about this absolutely massive bash exploit, should any of us folks still running Irix machines on the net be at all concerned?

An article on it.
:Crimson: :Onyx: :O2000: :O200: :O200: :PI: :PI: :Indigo: :Indigo: :Indigo: :Octane: :O2: :1600SW: :Indigo2: :Indigo2: :Indigo2IMP: :Indigo2IMP: :Indy: :Indy: :Indy: :Cube:

Image <-------- A very happy forum member.
duck avatar
duck
Donor
From Jakobstad, Finland
Who joined Oct. 27, 2003, 5:22 p.m.
Wrote the following at Sept. 25, 2014, 9:59 a.m...
Only on two cases:

The specific: If you use a bash script for CGI
The general: If you've replaced /bin/sh with bash

I'll add that the exploit-tests I've seen in my logs are using ping to test if it works; ours is in /usr/etc and AIUI that's not in the default path so even if you're vulnerable it wouldn't trigger the scriptkiddies at least.
:Octane: halo , oct ane Image knightrider , d i g i t a l AlphaPC164, pond , soekris net6501, misc cool stuff in a rack
N.B.: I tend to talk out of my ass. Do not take it too seriously.
ClassicHasClass avatar
ClassicHasClass
Donor
From Sunny So Cal
Who joined July 25, 2012, 7:12 p.m.
Wrote the following at Sept. 25, 2014, 1:58 p.m...
You're more cooked if you're on a system where /bin/sh == /bin/bash. OS X is such a system. I quickly built a standalone bash for 10.4+ PPC/Intel if you want one of those.

http://tenfourfox.blogspot.com/2014/09/ ... -bash.html

But I think IRIX is very low risk.
smit happens.

:Fuel: bigred , 900MHz R16K, 4GB RAM, V12 DCD, 6.5.30
:Indy: indy , 150MHz R4400SC, 256MB RAM, XL24, 6.5.10
:Indigo2IMP: purplehaze , 175MHz R10000, Solid IMPACT
probably posted from Image bruce , Quad 2.5GHz PowerPC 970MP, 16GB RAM, Mac OS X 10.4.11
plus IBM POWER6 p520 * Apple Network Server 500 * HP C8000 * BeBox * Solbourne S3000 * Commodore 128 * many more...
VenomousPinecone avatar
VenomousPinecone
Moderator
From Northern Nevada
Who joined June 20, 2005, 2:10 p.m.
Wrote the following at Sept. 25, 2014, 3:45 p.m...
Is your body^H^H^H^H mac ready?

https://www.schneier.com/blog/archives/2014/09/nasty_vulnerabi.html
http://mac-how-to.wonderhowto.com/how-to/every-mac-is-vulnerable-shellshock-bash-exploit-heres-patch-os-x-0157606/
josehill avatar
josehill
Moderator
From New England, USA
Who joined June 6, 2005, 9:53 p.m.
Wrote the following at Sept. 25, 2014, 4:06 p.m...
Some additional perspective here - http://www.infoworld.com/article/268787 ... thedeepend
foetz avatar
foetz
Moderator
Who joined April 14, 2003, 4:34 a.m.
Wrote the following at Sept. 25, 2014, 4:34 p.m...
good thing i never liked bash :P
r-a-c.de
ClassicHasClass avatar
ClassicHasClass
Donor
From Sunny So Cal
Who joined July 25, 2012, 7:12 p.m.
Wrote the following at Sept. 25, 2014, 5:59 p.m...
Vulnerability not fully fixed.
https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23
smit happens.

:Fuel: bigred , 900MHz R16K, 4GB RAM, V12 DCD, 6.5.30
:Indy: indy , 150MHz R4400SC, 256MB RAM, XL24, 6.5.10
:Indigo2IMP: purplehaze , 175MHz R10000, Solid IMPACT
probably posted from Image bruce , Quad 2.5GHz PowerPC 970MP, 16GB RAM, Mac OS X 10.4.11
plus IBM POWER6 p520 * Apple Network Server 500 * HP C8000 * BeBox * Solbourne S3000 * Commodore 128 * many more...
SAQ
From Renton, WA
Who joined July 19, 2006, 8:37 a.m.
Wrote the following at Sept. 25, 2014, 8:19 p.m...
Why'd they start replacing /bin/sh with BASH anyway? Sun went into depth as to why that was not a good idea (and better to have a static /bin/sh), and it's not like sh added too much bloat to the system.
"Brakes??? What Brakes???"

:Indigo: :Octane: :Indigo2: :Indigo2IMP: :Indy: :PI: :O3x0: :ChallengeL: :O2000R: (single-CM)
hamei
From over the rainbow
Who joined Feb. 24, 2004, 4:10 p.m.
Wrote the following at Sept. 25, 2014, 8:45 p.m...
SAQ wrote: Why'd they start replacing /bin/sh with BASH anyway?

Heathen ! get thee hence, thou Unbeliever !
josehill avatar
josehill
Moderator
From New England, USA
Who joined June 6, 2005, 9:53 p.m.
Wrote the following at Sept. 25, 2014, 8:58 p.m...
SAQ wrote: Why'd they start replacing /bin/sh with BASH anyway? Sun went into depth as to why that was not a good idea (and better to have a static /bin/sh), and it's not like sh added too much bloat to the system.

What are you, some sort of graybeard who knows things and stuff? ;)
ClassicHasClass avatar
ClassicHasClass
Donor
From Sunny So Cal
Who joined July 25, 2012, 7:12 p.m.
Wrote the following at Sept. 25, 2014, 10:36 p.m...
Second patch seems to pass muster:

http://seclists.org/oss-sec/2014/q3/734

I updated the OS X universal bash already (10.4-10.9, PPC and x86).
http://tenfourfox.blogspot.com/2014/09/ ... dated.html
smit happens.

:Fuel: bigred , 900MHz R16K, 4GB RAM, V12 DCD, 6.5.30
:Indy: indy , 150MHz R4400SC, 256MB RAM, XL24, 6.5.10
:Indigo2IMP: purplehaze , 175MHz R10000, Solid IMPACT
probably posted from Image bruce , Quad 2.5GHz PowerPC 970MP, 16GB RAM, Mac OS X 10.4.11
plus IBM POWER6 p520 * Apple Network Server 500 * HP C8000 * BeBox * Solbourne S3000 * Commodore 128 * many more...
josehill avatar
josehill
Moderator
From New England, USA
Who joined June 6, 2005, 9:53 p.m.
Wrote the following at Sept. 26, 2014, 6:03 a.m...
ClassicHasClass wrote: I updated the OS X universal bash already (10.4-10.9, PPC and x86).
http://tenfourfox.blogspot.com/2014/09/ ... dated.html

Thanks, CHC! I'll load it on some machines today!
robespierre
From Boston
Who joined Sept. 12, 2011, 2:28 p.m.
Wrote the following at Sept. 26, 2014, 6:03 a.m...

Code: Select all

$ sudo -s
# chmod -x /bin/bash
# ln -f /bin/ksh /bin/sh


fuggeddaboutit....
:PI: :O2: :Indigo2IMP: :Indigo2IMP:
duck avatar
duck
Donor
From Jakobstad, Finland
Who joined Oct. 27, 2003, 5:22 p.m.
Wrote the following at Sept. 26, 2014, 10:04 a.m...
robespierre wrote:

Code: Select all

$ sudo -s
# chmod -x /bin/bash
# ln -f /bin/ksh /bin/sh


fuggeddaboutit....


On linux this will likely break things badly. Remember that these kids have been thinking that sh = bash since they first licked a beige box.
:Octane: halo , oct ane Image knightrider , d i g i t a l AlphaPC164, pond , soekris net6501, misc cool stuff in a rack
N.B.: I tend to talk out of my ass. Do not take it too seriously.
VenomousPinecone avatar
VenomousPinecone
Moderator
From Northern Nevada
Who joined June 20, 2005, 2:10 p.m.
Wrote the following at Sept. 26, 2014, 11:11 a.m...
duck wrote: [...]since they first licked a beige box.


Whaddya' mean? that's not what the floppy drive is for? All these years of my life spent in confusion.
duck avatar
duck
Donor
From Jakobstad, Finland
Who joined Oct. 27, 2003, 5:22 p.m.
Wrote the following at Sept. 26, 2014, 11:23 a.m...
VenomousPinecone wrote: Whaddya' mean? that's not what the floppy drive is for? All these years of my life spent in confusion.


French-kissing floppy drives is a thing I hadn't yet imagined, but alas it is now quite hard to forget.
:Octane: halo , oct ane Image knightrider , d i g i t a l AlphaPC164, pond , soekris net6501, misc cool stuff in a rack
N.B.: I tend to talk out of my ass. Do not take it too seriously.
foetz avatar
foetz
Moderator
Who joined April 14, 2003, 4:34 a.m.
Wrote the following at Sept. 26, 2014, 12:04 p.m...
duck wrote:
robespierre wrote:

Code: Select all

$ sudo -s
# chmod -x /bin/bash
# ln -f /bin/ksh /bin/sh


fuggeddaboutit....


On linux this will likely break things badly. Remember that these kids have been thinking that sh = bash since they first licked a beige box.

i did the same on osx but with zsh. might work for linux, too
duck avatar
duck
Donor
From Jakobstad, Finland
Who joined Oct. 27, 2003, 5:22 p.m.
Wrote the following at Sept. 26, 2014, 12:11 p.m...
foetz wrote:
robespierre wrote:

Code: Select all

# ln -f /bin/ksh /bin/sh


i did the same on osx but with zsh. might work for linux, too


That might work better, and osx probably has less of a dependency on it wrt. system scripts.
:Octane: halo , oct ane Image knightrider , d i g i t a l AlphaPC164, pond , soekris net6501, misc cool stuff in a rack
N.B.: I tend to talk out of my ass. Do not take it too seriously.
josehill avatar
josehill
Moderator
From New England, USA
Who joined June 6, 2005, 9:53 p.m.
Wrote the following at Sept. 26, 2014, 12:42 p.m...
duck wrote:
robespierre wrote:

Code: Select all

$ sudo -s
# chmod -x /bin/bash
# ln -f /bin/ksh /bin/sh

fuggeddaboutit....

On linux this will likely break things badly. Remember that these kids have been thinking that sh = bash since they first licked a beige box.

Yeah, duck is right. I'd be cautious about about simply replacing bash with ksh as "sh" on a production machine, especially if it's a multi-user machine. If you can be sure that every script is limited to basic Bourne functions, you'll probably be okay, but ksh and bash are not 100% interchangeable. They are both supersets of sh functionality, but the extra features do not completely overlap each other, and if anything calls a unique function, the results may be quite unexpected.

There is also the problem of scripts which explicitly call /bin/bash, which is usually the "correct" thing to do if you are using superset functionality.
jan-jaap avatar
jan-jaap
Donor
From Wijchen, The Netherlands
Who joined June 17, 2004, 11:35 a.m.
Wrote the following at Sept. 26, 2014, 1:14 p.m...
Debian has 'dash' as /bin/sh, but of course /bin/bash is there so that won't save you. I just installed the third bash update in 2 days :(
:PI: :Indigo: :Indigo: :Indy: :Indy: :Indy: :Indigo2: :Indigo2: :Indigo2IMP: :Octane: :Octane2: :O2: :O2+: Image :Fuel: :Tezro: :4D70G: :Skywriter: :PWRSeries: :Crimson: :ChallengeL: :Onyx: :O200: :Onyx2: :O3x02L:
To accentuate the special identity of the IRIS 4D/70, Silicon Graphics' designers selected a new color palette. The machine's coating blends dark grey, raspberry and beige colors into a pleasing harmony. ( IRIS 4D/70 Superworkstation Technical Report )