1. gg bb's Avatar
    Just in case anyone's interested.
    BB10 uses sh and ksh but not bsh or bash
    Apple and Android have bash and will be vulnerable to this "shellshock" nasty jibbly that's been about the news a lot.
    09-26-14 10:57 AM
  2. Chanlion's Avatar
    http://www.theregister.co.uk/2014/09...sh_shell_vuln/
    Try running the script in a QNX shell.
    Last edited by Chanlion; 09-26-14 at 12:41 PM.
    09-26-14 11:58 AM
  3. gg bb's Avatar
    Might possibly be, QNX is a Unix-like system. But correct me if I'm wrong but the bash shells don't work in QNX so it'll be unaffected. Correct me if I'm wrong, people. I'm not 100% sure about the first part.
    I'm pretty sure you're right. From the example vulnerability test, which shows BB10 not vulnerable - it's a code insertion exploit as far as I can understand it. Relies on exploiting root commands which can be invoked from apps but are limited by their function but can be tricked into performing other commands using the exploit.
    A rooted Android phone probably already has far worse vulnerability.
    Looks like it could be used to root an iPhone?
    09-26-14 12:51 PM
  4. Richard Buckley's Avatar
    Bash could certainly be compiled to run on QNX, and probably has been by someone. But it is not installed on BB10 unless the user does that themselves. This alone is enough for BB10 to not be vulnerable even if a "vulnerable" version of Bash is installed.

    The issue is not really a bug, it's a feature, though one with limited legitimate use. The problem comes from programs with some privileged access using Bash without cleansing the environment. This is no different than programs using any user input without cleansing it first.

    http://xkcd.com/327/

    This is one reason System V had /sbin/sh which was used in all the places the use of Bash is causing problems today. It is the age-old tension between security and convenience. It was more secure to do it the SVID way but few people took the time to find out why, and it is much easier to use Bash which is more powerful.

    I stick with BlackBerry because it is a company that is willing to do things the hard way to provide security to their customers.

    Posted via CB10
    09-26-14 06:27 PM
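
The environment cleansing described in the post above, as an added example that is not part of the thread: a privileged program builds the child's environment from an allowlist and refuses values shaped like exported shell functions before it starts any shell. The allowlist, the fixed `PATH`, the function names and the sample request environment are assumptions made for this sketch.

```python
import subprocess

# Assumed policy for this sketch: only these variables may reach the child.
ALLOWED_NAMES = {"LANG", "TZ", "HOME"}
SAFE_PATH = "/usr/bin:/bin"
# Affected Bash versions treated a value starting with this as an exported
# function and kept parsing whatever followed the function body.
FUNCTION_PREFIX = "() {"

# Constructed sample: what a request handler might receive from a client.
SAMPLE_REQUEST_ENV = {
    "PATH": "/tmp/untrusted:/usr/bin",
    "LANG": "en_US.UTF-8",
    "HTTP_USER_AGENT": "() { :; }; placeholder-trailing-text",
    "TZ": "() { :; }; placeholder-trailing-text",
}


def scrub_environment(untrusted):
    """Return (clean_env, rejected) built from an untrusted name->value map."""
    clean, rejected = {}, []
    for name, value in untrusted.items():
        if name not in ALLOWED_NAMES:
            rejected.append((name, "not on allowlist"))
        elif value.lstrip().startswith(FUNCTION_PREFIX):
            rejected.append((name, "looks like a function definition"))
        elif "\x00" in value or "\n" in value:
            rejected.append((name, "control character in value"))
        else:
            clean[name] = value
    clean["PATH"] = SAFE_PATH  # never inherit the caller's search path
    return clean, rejected


def run_clean(argv, untrusted):
    """Run argv with only the scrubbed environment and return its stdout."""
    clean, _ = scrub_environment(untrusted)
    done = subprocess.run(argv, env=clean, capture_output=True,
                          text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    env, dropped = scrub_environment(SAMPLE_REQUEST_ENV)
    print("passed to child:", env)
    for name, reason in dropped:
        print("dropped", name, "-", reason)
```

The allowlist does most of the work; the prefix check only matters for names that are allowed through, such as `TZ` in the sample.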