On Wed, Sep 24, 2014 at 11:19 PM, Jimmy Hess <mysidia@gmail.com> wrote:
On Wed, Sep 24, 2014 at 10:03 PM, William Herrin <bill@herrin.us> wrote:
lrwxrwxrwx 1 root root 4 2014-02-22 11:52 /bin/sh -> bash
ROFL. Jimmy, please tell me you had to start up a VM to check that. :)
Not a live system, but aside from honeypots, there really are embedded appliances and companies with websites still in production based on LAMP installations on Etch and Lenny.
Lots of small embedded Linux systems (e.g. your home router) are *not* vulnerable to this particular problem. A quick glance at 6 reasonably current home routers shows all are using the "ash" shell, rather than bash, as it is much smaller and part of busybox, which most of these devices use.

That being said, there are many, many other serious vulnerabilities in that class of device, compounded many times over by the fact that most lack any sort of update stream, and usually require manual update, if ever new firmware does become available.

Those of you unfamiliar with The Moon worm should familiarize yourself with it. Consider it a shot across our bow....

For those of you who want to understand more about the situation we're all in, go look at my talk at the Berkman Center, and read the articles linked from there by Bruce Schneier and Dan Geer.

http://cyber.law.harvard.edu/events/luncheon/2014/06/gettys

Jim Gettys
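The check this thread keeps coming back to (whether /bin/sh is bash or the busybox shell), as an added example that is not part of any message above. The function names, and the idea of pointing it at an unpacked firmware root as well as a live system, are assumptions of this example.

```shell
#!/bin/sh
# Added example: report which binary /bin/sh resolves to inside a root tree.
# ROOT is "/" for a live host, or the directory of an unpacked firmware image.

resolve_in_root() {
    # $1 = root directory, $2 = absolute path inside that root (e.g. /bin/sh)
    root=${1%/}; path=$2; hops=0
    while [ -L "$root$path" ]; do
        hops=$((hops + 1))
        [ "$hops" -gt 16 ] && return 1              # guard against symlink loops
        target=$(readlink "$root$path") || return 1
        case $target in
            /*) path=$target ;;                     # absolute link: re-root it under ROOT
            *)  path=$(dirname "$path")/$target ;;  # relative to the link's own directory
        esac
    done
    [ -e "$root$path" ] || return 1
    printf '%s\n' "$path"
}

sh_provider() {
    # Prints "bash", "busybox" (its sh applet is typically ash), another
    # shell's file name, or "missing" when /bin/sh cannot be resolved.
    resolved=$(resolve_in_root "$1" /bin/sh) || { echo missing; return 0; }
    basename "$resolved"
}

# Stand-alone use: first argument is the root to inspect, default is the live system.
sh_provider "${1:-/}"
```

A result of `bash` marks the systems the thread is worried about; a non-symlink /bin/sh is reported as `sh` and needs a closer look at the binary itself.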