Shellshock PuTTY


I'm running Windows 7 64-bit.
I have 3 websites on the same Linux or Unix server (not sure which).

I'm wondering if my Windows computer is vulnerable via Shellshock when using PuTTY 0.63...

...or if my webhost is vulnerable.

Looks like I can test like this: ?

Would I use PuTTY for that?
If so, am I at risk while using PuTTY?
Should I ask my webhost for permission before testing?


Re: Shellshock PuTTY writes:

(1) Your Windows computer probably isn't running bash. The vulnerability
is in bash.
(2) PuTTY cannot set environment variables on the client system in
response to anything from the network; so even if your Windows system
*is* running bash somewhere (say as part of Cygwin), PuTTY is not a
vector by which tainted environment variables can propagate to it.


That's another matter, of course.


For some of these tests you'd need shell access; if you've got it, PuTTY
is one way of using it.


See above for risk to your client system.

It's unlikely that PuTTY would be a vector for bad environment variables
to get to the server, either. While PuTTY can request servers to set
environment variables if explicitly configured to, and other data PuTTY
sends can be a Shellshock vector (e.g. terminal type, command), an
attacker would basically have to already be in control of your client
system to set these, and if that's the case there are much easier things
they can do.


That's between you and your webhost.

That said, if you have shell access, then I'd be surprised if they'd
object to the simple tests that check bash's response to exported
functions and so on; these don't of themselves cross a privilege

You should probably be wary of downloading and running shell scripts
from the Internet to test this.
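
The kind of simple local check the reply mentions, short enough to read in full before running, shown here as an added example that is not part of the original thread. The function name `check_bash_import`, the variable name `probe` and the marker string are assumptions made for this example; run it in your own shell session on the host you want to check.

```shell
#!/bin/sh
# Added example (not from the thread): checks how a given bash treats an
# environment variable whose value is a function definition followed by
# extra text. All names here are hypothetical.

# check_bash_import [path-to-bash]
# Prints exactly one of: no-bash, vulnerable, not-vulnerable
check_bash_import() {
    shell=${1:-bash}

    # Nothing to test if the interpreter is not installed or not executable.
    if ! command -v "$shell" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi

    marker="IMPORT_RAN_TRAILING_TEXT"

    # The variable holds "() { :;}" plus a harmless echo. A fixed bash
    # treats the value as plain data and prints only "done". An unfixed
    # bash runs the trailing echo while it starts up, so the marker
    # appears in the output as well.
    out=$(env probe="() { :;}; echo $marker" "$shell" -c 'echo done' 2>/dev/null)

    case $out in
        *"$marker"*) echo "vulnerable" ;;
        *done*)      echo "not-vulnerable" ;;
        *)           echo "no-bash" ;;   # interpreter did not run the command
    esac
    return 0
}

# Check the bash found on PATH, or pass an explicit path as the first argument.
check_bash_import "$@"
```

The check starts one local child process and sends nothing over the network, so it stays within the privileges of the account that runs it.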
