Mu [was: How worse is the Shellshock bash bug than Heartbleed?]
Georgi Guninski
guninski at guninski.com
Wed Oct 1 08:05:41 PDT 2014
On Wed, Oct 01, 2014 at 07:04:19AM -0700, coderman wrote:
> On 10/1/14, Georgi Guninski <guninski at guninski.com> wrote:
> > ...
> > Suspect this is just the top of the shellshock iceberg:
> > http://www.theregister.co.uk/2014/09/30/openvpn_open_to_shellshock_researcher/
> > OpenVPN open to pre-auth (in certain configurations).
>
> if you are using any of the up, down, ipchange, route-up, tls-verify,
> auth-user-pass-verify, client-connect, client-disconnect, or
> learn-address scripts with openvpn you are not operating in a security
> conscious manner.
>
> to reiterate, in case anyone missed it: exposing a shell to untrusted
> inputs is insanity. this is true even if you manage to make your
> environment variable sanitization apparently robust.
>
>
OK :) Tell this to djb, qmail local delivery was allegedly affected ;)
Cheers
> > Btw, people scared by HB probably will get close to clinically
> > paranoid if the next HB allows "write anywhere" ;) { :; } ;)
>
> part of my intent was to convey that heartbleed easily leads to
> arbitrary exec; even if not directly so ala shellshock.
>
> so agree to disagree indeed; thus far heartbleed has medical pwnage
> and altcoin pilferage to credit, while shellshock is a farce of
> consumer crap and sloppy run yawn vulns; the mythical wide worm yet to
> materialize...
>
> due time will tell, of course! :P
>
>
> best regards,
More information about the Testlist
mailing list