oss-security - Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <CALx_OUDULLHLLVkm6nUTujcn0Gm56YoLdV_KOPhPi-byrnZa0w@mail.gmail.com>
Date: Sun, 5 Oct 2014 00:33:40 -0700
From: Michal Zalewski <lcamtuf@...edump.cx>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Shellshocker - Repository of "Shellshock" Proof of
 Concept Code

> < https://github.com/mubix/shellshocker-pocs >

I mentioned this earlier on another thread, but I would really warn
people about relying on this unless they really understand what's
going on.

At a quick glance, CVE-2014-6271 and CVE-2014-7169 test cases will
stop working with Florian's patch (probably fine, since even if you
don't have patches for these bugs, you're at almost no risk). At the
same time, the test case for CVE-2014-7186 will claim that you're
vulnerable even with Florian's patch. Next, the test case for and
CVE-2014-7187 will probably always claim that you're vulnerable, even
if you have the patch installed (haven't tested, but looks that way).
And finally, the test cases for CVE-2014-6277 and CVE-2014-6278 are
incomplete and won't work if pasted as-is - you'll just get a syntax
error.

/mz

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.