Hmm. Is root privs escalation part of shellshock? If not, then I think this is just going to try to yum update or apt-get update as the www-data user / nobody user / apache user / you get the idea.
Anyone who's running their web server as a user with enough privileges to run package installs unattended is probably in for a worse fate than an unexpected bash update, I imagine...
No, there is no local privilege escalation. So at best this can hit the four machines in the world that run bash CGI scripts as root.
Also, their apt-get command is incorrect. apt-get update updates the local repo cache, apt-get -yy install bash will upgrade the bash package. So now they're down to two of the four machines, the ones that run RHEL.
All their exercise has done is to land their crawler IPs on some lists of IPs attempting to exploit this vulnerability. I don't think that will help them any with their business.
6 comments
[ 0.45 ms ] story [ 26.1 ms ] threadAnyone who's running their web server as a user with enough privileges to run package installs unattended is probably in for a worse fate than an unexpected bash update, I imagine...
Also, their apt-get command is incorrect. apt-get update updates the local repo cache, apt-get -yy install bash will upgrade the bash package. So now they're down to two of the four machines, the ones that run RHEL.
All their exercise has done is to land their crawler IPs on some lists of IPs attempting to exploit this vulnerability. I don't think that will help them any with their business.