[clug] Security talk and the bash 'shellshock' vulnerability
Carlo Hamalainen
carlo at carlo-hamalainen.net
Fri Sep 26 07:12:18 MDT 2014
On 26/09/14 14:41, Paul Wayper wrote:
> We also talked about the fortuitously timed[1] bash 'shellshock'
> vulnerability. It's a complex beast, since it's difficult to exploit but
> some of the things that can be exploited are exactly the kind of
> internet-facing web service that are already under attack. My own
> understanding is that unless you're running a web server on your home
> machine, then you're really not likely to get attacked with this any
> time soon.
What about DHCP?
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
So you could get done by some nefarious person on your LAN who responds
to a dhcp request before the real server does. Or you could sit at a
cafe with an open wifi AP and dodgy dhcp server and poke devices that
eagerly connect to the unsecured AP.
-- Carlo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/linux/attachments/20140926/f2a118a2/attachment.pgp>
More information about the linux
mailing list