"Shell Shock" Cure for all pre-October 2014 Pups

For discussions about security.
Message
Author
jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#16 Post by jamesbond »

rcrsn51 wrote:So there is ZERO need for a Puppy user to patch his/her version of bash. Unless, as Geoffrey said above, they are running a server exposed to the world.

Since my router has a decent password on it, I cannot see how this bug makes it any less secure.
Good point. See https://access.redhat.com/articles/1200223, the "Common Configuration examples" section. The only thing which is probably vulnerable is CUPS - assuming that the CUPS webserver is open for everybody for attack. For some others who do remoting a lot, SSH may be a vector. The other likely problem is "dhclient", but puppies don't use dhclient, they use "dhcpcd" instead. I wonder whether dhcpcd has similar env issues like dhclient.
Exactly. Instead testing to see if the bash bug makes you vulnerable to YOURSELF, you should try attacking some other device on your network that runs a web server, like a wireless printer.
Did you read about a guy who made this Canon printer plays Doom (no, I'm not joking - he actually compromised the printer's firmware and upload Doom game to it :lol: )
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#17 Post by watchdog »

I think the real point is that you can't trust the whole internet (how many unpatched linux servers are there?) for serious tasks such as home-banking and e-commerce. I use internet to play but I fear to use it for serious tasks even business e-mails. I stopped using debit cards on internet after many frauds. I trust my online bank only beacause I hope they are more scrupolous than me in ai security measures. I patch my puppy but the problem is out there.

User avatar
rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#18 Post by rcrsn51 »

The Dynamic Host Configuration Protocol Client (dhclient) is used to automatically obtain network configuration information via DHCP. This client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the client machine.
If you are getting your IP address from a malicious DHCP server, you probably have bigger problems than shellshock.

jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#19 Post by jamesbond »

rcrsn51 wrote:
The Dynamic Host Configuration Protocol Client (dhclient) is used to automatically obtain network configuration information via DHCP. This client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the client machine.
If you are getting your IP address from a malicious DHCP server, you probably have bigger problems than shellshock.
Sometimes you don't have control over which DHCP server you use (e.g. when you use free wifi from McDonalds or the like). If they are infected, then they can get to your laptop to. At the end of the day, like everything in life, the risks depend one your lifestyle 8)
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]

User avatar
rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#20 Post by rcrsn51 »

jamesbond wrote:Sometimes you don't have control over which DHCP server you use (e.g. when you use free wifi from McDonalds or the like). If they are infected, then they can get to your laptop to.
True. But is there any evidence that updating your own bash would protect you? A more likely scenario is that they would give you an IP address on a malicious network that would try to harvest your personal information.

User avatar
Moose On The Loose
Posts: 965
Joined: Thu 24 Feb 2011, 14:54

Re: "Shell Shock" Cure for all pre-October 2014 Pups

#21 Post by Moose On The Loose »

mikeslr wrote:September 27, 2014 edited

But if you must use Wine, might I suggest that you setup a separate Puppy just for those things you can't live without. I doubt it will use up more than a couple of Gbs of your hard-drive, even with shinobar's "uncompressed" wine-portable. Or install that Pup to a USB-Key.

mikesLR

Linear technologies LTSpice running under wine seems to be quite safe. The only time it does any network actions is when you update it and the server it goes to is only the expected one. It never fires off any sort of script.

ExpressPCB works under wine but you can't use the built in submit function or the pricing downloader. You have to do these actions manually with your web browser.

The Windows version of Kicad seems to be safe even though it could fire off an external script. You can set the script to be disabled.

User avatar
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#22 Post by mikeb »

so for the shellshock tests you have to allow a remote site to give you a script to then run it on your machine...hmm

easier.... I will setup a script that has rm -rf / and give anyone the link ...feel free to download it and run it using curl.

Now how does someone attack my bash deficient machine I am sat on here?

Bash on windows... still waiting on that one.

mike

User avatar
6502coder
Posts: 677
Joined: Mon 23 Mar 2009, 18:07
Location: Western United States

#23 Post by 6502coder »

mikeb wrote: Bash on windows... still waiting on that one.
mike
Well, of course mikeslr overstated things when he said ALL operating systems are affected. Shellshock doesn't affect Windows machines, except perhaps for ones running Cygwin or some other "Linux/Unix on Windows" tool.

I know you know that and were just being humorous, but perhaps not everyone caught that.

BTW mikeslr also got carried away in implying that all routers are vulnerable. Not all routers use Linux. My venerable Linksys router doesn't.

User avatar
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#24 Post by mikeb »

Thats ok...it was all just getting so seriously miserable and this forum seemed a bit lacking in humour...I like a good laugh even though my bruised rib does not ...then I laugh at my inability to laugh out loud and end up silently doing it on the inside while pulling strange faces....
The pain and the pleasure.

So how would a router be attacked.... does this not require forcing the running of software? How would the router be found when stealthed...how to get past the login...how to alter the firmware once in? Why not just infect windows via OE and IE? Why did ice cream and chip butties make us feel sick?

On balance life seems to have more questions than answers.

mike

User avatar
mikeslr
Posts: 3890
Joined: Mon 16 Jun 2008, 21:20
Location: 500 seconds from Sol

Anti-BASH-Bug Pets are now available for all Pups (I think)

#25 Post by mikeslr »

Hi All,

The purpose of my initial post was to alert "Beginner's" of a potential problem. Perhaps I overstated the threat. But at the time it was being reported in the media as a serious one, and knowledgeable Devs in the "major" Linux distros were working to develop a fix. Which suggested to me, at least that, a fix would be available shortly. Of course, with a couple hundred million personal computers and computing devices out there, the chance that any one person's computer would be targeted by a hacker able to exploit the then flaw in Bash was negligible. The same is true of your house being struck by lightening, but they still built houses with lightening-rods. And the chances of someone trying to hack sensitive data on your device being small in any event, why bother to have fire-walls on your router and personal fire-walls on those devices? And if you think having such fire-walls is a prudent precaution, would you still think so knowing that they might have been built using a version of BASH which was compromised?
Nightmare Scenario: Exploit the hole in servers to send out a command --exploiting the holes in routers and firewalls -- to gather data stored on all unprotected computing devices accessing such servers. And don't tell me that the criminal organizations in Russia, China and the Ukraine don't have the funds to purchase sufficient storage space for all that data.
At any rate, 11 days have passed, and as far as I can tell there are now pets available for all Pups plugging the hole in BASH. Get them here: http://murga-linux.com/puppy/viewtopic. ... 075#801075. Better safe than sorry.

mikesLr

p.s. I know nothing about how Windows functions. The initial reports did not exclude Windows from the threat. Microsoft was silent for days. Like a couple million other people in the States, my router is supplied by Verizon. I don't know what the hell it uses as an operating system. Does anyone?
Last edited by mikeslr on Sat 20 Dec 2014, 00:48, edited 1 time in total.

User avatar
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#26 Post by mikeb »

Nothing personal in my remarks and I appreciate you have good intentions...
being reported in the media as a serious one,
hmm perhaps an important factor since the media seem to be the main source of all things worrying and that same media don't even mention that windows is not part of the problem is to me shows the media to be a pretty irresponsible and unreliable source of information ...generally.
Their main purpose is to make money and sensationalism is their main tool....
Those same delightful members of society have little old ladies living in fear daring not to leave their homes or even open the front door....ask any high ranking police officer and they will inform you that threats to that segment of the population are rare.

Russia, China and the Ukraine
no evil organizations in the USA, UK or wherever...I can think of one major one for starters!!!

Anyway the picture of some seedy hacker sat in some crummy flat after YOUR dosh is another merry picture painted by seedy journalists. As mentioned a stealthed router is not exactly easy to find. emails and websites on the other hand are easy to harvest and add exploits too...and microsoft provide the easy mechanisms to do so.... so why bust a gut trying to work some obscure BASH joke funny to get at individuals?

mike

rokytnji
Posts: 2262
Joined: Tue 20 Jan 2009, 15:54

#27 Post by rokytnji »

Code: Select all

/*
	GNOT General Public License
  (c) 1981 - 2014  Microsoft Corporation
*/

#include "dos.h"
#include "win95.h"
#include "win98.h"
#include "sco_unix.h"
#include "win7.h"

class Windows10 extends Windows7 implements nothing
{}

int totalNewFeatures = 3;
int totalWorkingNewFeatures = 0;
float numberOfBugs = 345889E+08;
boolean readyForRelease = FALSE;

void main() {

	while (!crashed) {
		if (first_time_install) {
			if ((installedRAM < 4GB) || (processorSpeed < 8GHz)) {
				MessageBox("Hardware incompatability error");
				GetKeyPress();
				BSOD();
			}
			Make10GBSwapfile();
			SearchAndDestroy(FIREFOX|LIBREOFFICE|ANYTHIN_GOOGLE);
			AddRandomDriver();
			MessageBox("Driver incompatibility error");
			GetKeyPress();
			BSOD();
		}
		
		//printf("Welcome to Windows98");
		//printf("Welcome to WindowsXP");
		//printf("Welcome to Windows7");
		printf("Welcome to Windows10");
		
		if (still_not_crashed){
		
			CheckUserLicense();
			DoubleCheckUserLicense();
			TripleCheckUserLicense();
			RelayUserDetailsToRedmond(everything);
			
			DisplayFancyGraphics();
			FlickerLED(hard_drive);	
			RunWindows7();
		}
	}return LotsOfMoney;
}
Look to the source, Luke.

I find it funny when any thing makes linux look like it is failing and chicken little starts squeaking. Chicken Little usually getting a check cut by Redmond. No. I have no links to prove this. No. I am not being serious.

Just trying to make mikebs' ribs hurt a little. :)

User avatar
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#28 Post by mikeb »

Just trying to make mikebs' ribs hurt a little.
hey....
they are finally calming down so its off back on the water to do it again :D

I am a gluten for punishment .

I was exited today to get a fire extinguisher in the post.... looks like a great weapon for self harming purposes...

mike

User avatar
greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#29 Post by greengeek »

mikeb wrote:Bash on windows... still waiting on that one.
Just had a discussion about this with the gurus at work and the consensus is that business corporates that use Windows are keeping quiet about their potential bash exposure in order not to freak out their users. Only a small percentage of Windows users will be exposed but apparently cygwin is one likely vector:
https://www.cygwin.com/

User avatar
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#30 Post by mikeb »

hmm more a cygwin issue then...dont think MS can be held responsible for third party software.

Now if you were talking Services For Unix that would be different but not sure of the current status of that one....seems to be a littl hazy after XP.

mike

User avatar
greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

Re: Anti-BASH-Bug Pets are now available for all Pups (I think)

#31 Post by greengeek »

mikeslr wrote:At any rate, 11 days have passed, and as far as I can tell there are now pets available for all Pups plugging the hole in BASH. Get them here: http://murga-linux.com/puppy/viewtopic. ... 075#801075
Mike, as far as I can tell the pet version listed at that thread for slacko 32 bit is outdated. SFR mentions the newer pet on his post here

Puppies other than slacko 32bit I have not investigated.

ozsouth
Posts: 858
Joined: Fri 01 Jan 2010, 22:08
Location: S.E Australia

SFRs pup outdated too

#32 Post by ozsouth »

The link above is now outdated. Slacko 32 bit now needs this pet:

http://smokey01.com/OscarTalks/bash-4.2 ... ko14.0.pet

User avatar
Karl Godt
Posts: 4199
Joined: Sun 20 Jun 2010, 13:52
Location: Kiel,Germany

#33 Post by Karl Godt »

Code: Select all

User@User-PC /tmp
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

User@User-PC /tmp
$ x(){ :; }; echo vulnerable ;  bash -c "echo this is a test"
vulnerable
this is a test
I am using bash 4.x on cygwin right now that i installed from local repo.
The repo was setup very long ago ..

To me the do nothing function code seems like a big joke ...

Code: Select all

User@User-PC /tmp
$ echo $BASH_VERSION
4.1.10(4)-release

User@User-PC /tmp
$ cd C:

User@User-PC /cygdrive/c
$ ls
$Recycle.Bin                     IO.SYS
autoexec.bat                     mbr.win.orig.bs1
Boot                             mbr.win.orig.bs512
bootmgr                          menu.lst
BOOTSECT.BAK                     menu.lst-Grub4dosMade
config.sys                       MSDOS.SYS
«Give me GUI or Death» -- I give you [[Xx]term[inal]] [[Cc]on[s][ole]] .
Macpup user since 2010 on full installations.
People who want problems with Puppy boot frugal :P

User avatar
rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

Re: SFRs pup outdated too

#34 Post by rufwoof »

ozsouth wrote:The link above is now outdated. Slacko 32 bit now needs this pet:

http://smokey01.com/OscarTalks/bash-4.2 ... ko14.0.pet
Thanks

Installed, remastered, and as per https://shellshocker.net/ ......
Attachments
ss.png
(73.56 KiB) Downloaded 207 times

User avatar
Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#35 Post by Semme »

In the event your PPM isn't up to date, Ubuntu based pkgs >> https://launchpad.net/ubuntu/+source/bash
>>> Living with the immediacy of death helps you sort out your priorities. It helps you live a life less trivial <<<

Post Reply