167 matches found
bash -- remote code execution
Note that this is different than the public "Shellshock" issue. Specially crafted environment variables could lead to remote arbitrary code execution. This was fixed in bash 4.3.27, however the port was patched with a mitigation in 4.3.252...
bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271)
It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell...
Hackers Using 'Shellshock' Bash Vulnerability to Launch Botnet Attacks
Researchers on Thursday discovered a critical remotely exploitable vulnerability in the widely used command-line shell GNU Bourne Again Shell Bash, dubbed "Shellshock" which affects most of the Linux distributions and servers worldwide, and may already have been exploited in the wild to take over...
bash: off-by-one error in deeply nested flow control constructs
An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash...
bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271)
It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell...
Apple Says OS X Safe By Default Against Bash Vulnerability
Apple is trying to soothe users who are anxious about Mac OS X’s exposure to the Bash vulnerability. The company said in a statement to Threatpost that most Apple users are not at risk, and reports have it that Apple is preparing to release a patch. “With OS X, systems are safe by default and not...
USN-2363-2 bash vulnerability
USN-2363-1 fixed a vulnerability in Bash. Due to a build issue, the patch for CVE-2014-7169 didn't get properly applied in the Ubuntu 14.04 LTS package. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Tavis Ormandy discovered that the security fix for...
bash: off-by-one error in deeply nested flow control constructs
An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash...
bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271)
It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell...
GNU Bash Environment Variable Command Injection Vulnerability
On September 24, 2014, a vulnerability in the Bash shell was publicly announced. The vulnerability is related to the way in which shell functions are passed though environment variables. The vulnerability may allow an attacker to inject commands into a Bash shell, depending on how the shell is...
CVE-2014-7187
Off-by-one error in the readtokenword function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service out-of-bounds array access and application crash or possibly have unspecified other impact via deeply nested for loops, aka the "wordlineno" issue...
UBUNTU-CVE-2014-7187
Off-by-one error in the readtokenword function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service out-of-bounds array access and application crash or possibly have unspecified other impact via deeply nested for loops, aka the "wordlineno" issue...
UBUNTU-CVE-2014-7186
The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service out-of-bounds array access and application crash or possibly have unspecified other impact via crafted use of here documents, aka the "redirstack" issue...
Ubuntu 14.04 LTS : Bash vulnerability (USN-2363-2)
The remote Ubuntu 14.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-2363-2 advisory. USN-2363-1 fixed a vulnerability in Bash. Due to a build issue, the patch for CVE-2014-7169 didn't get properly applied in the Ubuntu 14.04 LTS package. This upda...
Ubuntu 14.04 LTS : Bash vulnerability (USN-2363-1)
The remote Ubuntu 14.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-2363-1 advisory. Tavis Ormandy discovered that the security fix for Bash included in USN-2362-1 was incomplete. An attacker could use this issue to bypass certain environment...
USN-2363-1 bash vulnerability
Tavis Ormandy discovered that the security fix for Bash included in USN-2362-1 was incomplete. An attacker could use this issue to bypass certain environment restrictions. CVE-2014-7169...
Bash Vulnerability Exploits Dropping DDoS Bots
A honeypot run by researchers at AlienVault Labs has snared two separate pieces of malware attempting to exploit the Bash vulnerability. One sample is a repurposed IRC bot written in Perl that is trying to build a botnet to be used in distributed denial of service attacks DDoS, said Jaime Blasco,...
Bash Botnet Exploit Found, Bash Patches Incomplete
The urgency to patch systems against the Bash zero-day vulnerability has been cranked to 10 after reports of an exploit in the wild have been made public by AusCERT, the Computer Emergency Response Team of Australia. This seems to reflect a similar finding posted by a researcher who goes by the...
Exploit for OS Command Injection in Gnu Bash
shellshockscanne...
DEBIAN-CVE-2014-7169
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the...