Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAM12Q5T3+sxXaoO0siMYfMroZUcWLQEzb4N0NwcUA6UVLEkCow@mail.gmail.com>
Date: Sun, 5 Oct 2014 04:38:15 -0700
From: Jose R R <Jose.r.r@...ztli-it.com>
To: oss-security@...ts.openwall.com
Subject: Re: Shellshocker - Repository of "Shellshock" Proof of
 Concept Code

Hanno,

< https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck >

I've downloaded your bash test script and executed it against a Debian
7 (Wheezy) -patched system (upper image)

as well as a local Debian Sid (unstable) build of bash where I applied
the October 02, 2014, bash43-029 (Bottom image)

< https://pbs.twimg.com/media/BzLfeIICQAA30vb.png:large >

Thus agreeing with Sona: "but I think what most (non-expert) people
need is an explanation for each CVE, a set of test case from some
reliable source (preferably a script that runs all test cases and
shows vulnerable/not-vulnerable status) and a set of patches. So that
they can apply the patches, run the tests and assert that their
systems are not vulnerable to shellshock anymore."

On Sun, Oct 5, 2014 at 3:51 AM, Hanno Böck <hanno@...eck.de> wrote:
> Am Sun, 5 Oct 2014 10:22:06 +0000
> schrieb Sona Sarmadi <sona.sarmadi@...a.com>:
>
>> 3) Do you have a script or summary of all tests in one place like
>> http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 or
>> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck ?
>> Or maybe these are good enough & reliable?
>
> This is my script and I think what it does in the current version is
> the reasonable thing to do:
> It will first test if function importing old style is enabled and if
> yes it will warn about that, if it is disabled or any of the prefixing
> solutions is enabled then it will say so.
>
> All further test outputs for all 6 CVEs depends on that. If the old
> function import is enabled warnings will be shown in red, because then
> people are in real danger. If function importing is disabled or
> prefixed the warnings will look less scary and clearly state
> "non-explitable".
>
> I think this is reasonable. I regret that previous versions of my
> script showed a  more scary output even if people weren't really in any
> danger because prefixing was already enabled.It was even
> referenced in a number of inaccurate media reports.
>
>
>
> --
> Hanno Böck
> http://hboeck.de/
>
> mail/jabber: hanno@...eck.de
> GPG: BBB51E42

Best Professional Regards.

-- 
Jose R R
http://www.metztli-it.com
---------------------------------------------------------------------------------------------
NEW Apache OpenOffice 4.1.1! Download for GNU/Linux, Mac OS, Windows.
---------------------------------------------------------------------------------------------
Daylight Saving Time in USA & Canada ends: Sunday, November 02, 2014
---------------------------------------------------------------------------------------------

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.