16 comments

[ 4.6 ms ] story [ 45.3 ms ] thread
I thought this was interesting as a cautionary tale that even tiny open source programs that are widely installed for years can contain critical security exploits. I don't understand the trend of security exploits getting their own website, name and logo though.
This site seems to have been created by a company specializing in giving security exploits their own branding:

"I want to brand my next vulnerability. Can you make a logo for me?

Great idea! Please contact our sales department."

It's definitely not associated with the person who discovered the beep vuln:

"Holey Beep is a community-maintained project for the bug otherwise known as CVE-2018-0492. It is not associated with the Linux Foundation, nor with the original discoverer of this vulnerability. If you would like to contribute go to GitHub."

Strange.

April Fools' was recently. Someone's is making light of the vulnerability names and certain purple going off on these like it is the end of the world.
This is satire, yes? The footer links to https://github.com/dirtycow/dirtycow.github.io , which is a real vulnerability. Further, this is the proof-of-concept from https://holeybeep.ninja/am_i_vulnerable.sh :

    #!/bin/sh
    # TODO: Backdoor this machine?
    modprobe pcspkr
    beep -l 1000 -r 3 -f 44000
The website is tongue-in-cheek but the exploit patch is documented here:

"Debian Security Advisory DSA-4163-1 beep -- security update"

https://www.debian.org/security/2018/dsa-4163

Ah, cool. Thanks for the link! I was confused by the original post.
Apart from confirming the vulnerability, that page doesn't really give any technical info. Does anyone have any details on the problem? It's such a simple program that I'm fascinated by the fact that it has a security vulnerability.

I was looking at the patch that Debian shipped and it seems to me that there was some kind of a race condition when opening the console device multiple times, but I can't figure out the exact source of the problem.

Hah, it is quite surreal what kind of scripts are asked to be curled and piped to a shell. And some users do eithout hesitation, because some website asked them to. Hopefully this pipe to sudo shell joke works as an eye opener to some.
As long as it is over HTTPS and you trust the author, it shouldn't be any different than downloading and running an arbitrary binary from a website.
Apart from partial execution issues.
I figured that the joke was encouraging folks to run unexamined, downloaded shell scripts.