BASH; SHELLSHOCK REPORT

Early results from my scan: there's about 3000 systems vulnerable just on port 80, just on the root / URL, without Host field. That doesn't sound like a lot, but that's not where the bug lives.

Update: oops, my scan broke early in the process and stopped capturing the responses -- it's probably a lot more responses than that.

Firstly, only about 1 in 50 webservers respond correctly without the proper Host field. Scanning with the correct domain names would lead to a lot more results -- about 50 times more.

Secondly, it's things like CGI scripts that are vulnerable, deep within a website (like CPanel's /cgi-sys/defaultwebpage.cgi). Getting just the root page is the thing least likely to be vulnerable. Spidering the site, and testing well-known CGI scripts (like the CPanel one) would give a lot more results, at least 10x.

Thirdly, it's embedded webservers on odd ports that are the real danger. Scanning for more ports would give a couple times more results.

Fourthly, it's not just web, but other services that are vulnerable, such as the DHCP service reported in the initial advisory.

Consequently, even though my light scan found only 3000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable -- once the worm gets behind a firewall and runs a hostile DHCP server, that would be game over for large networks.
Posted on: Fri, 26 Sep 2014 22:24:27 +0000
