
Re: [LUG] bash vulnerability


On Fri, 26 Sep 2014, Jay Bennie wrote:


On 26 Sep 2014, at 09:39, Gordon Henderson <gordon+lug@xxxxxxxxxx> wrote:

On Fri, 26 Sep 2014, Tom wrote:

No - you can't blame a dodgy door latch because people can't be bothered to use the safe they have!

If only it were as simple as that.

So on the surface home PCs, etc. are fine - no need to worry about them for now.

But servers... There are now so many attack vectors it's hard to keep track. The obvious one (in this case) is a CGI program written in BASH. The not so obvious ones are ones written in PHP/C/PERL/Python, etc. where you think you're OK, but if you call system(), popen(), use the 'backticks' operators, or even functions in languages that let you pipe to a program (e.g. fd = popen ("|/usr/bin/sendmail -t") sort of thing), then there is a good chance you're vulnerable, as BASH is typically used there and each process inherits the environment variables; BASH will parse those variables and, if they contain a function tail, it will execute it.


I thought this was the reason the apache account is run with a shell of /bin/false - so you can't get a user type shell under the running apache user.

and invoked as su -c /bin/...path to apache startup script to ensure there are no environment variables except the ones set in the startup.

If only it worked that way.

The shell field in /etc/passwd only applies to logins. If your PHP program running under Apache does a system(), popen() or uses `backticks` then the current environment will be passed into the thing that Apache runs to launch your program. The thing Apache runs is /bin/sh.

Even in a C program, system() uses /bin/sh.

And it turns out a lot of Linux systems just link /bin/sh to /bin/bash. Game over.

Debian gave you the option at version 6 onwards to use bash or dash.

Gordon
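Two checks an administrator can run against the points Gordon makes above, written as an added example for this archive page rather than anything posted on the list: first, which binary /bin/sh actually resolves to on the box (that is the shell system() and popen() hand their command line to, whatever the apache account's login shell says in /etc/passwd); second, a scan of a KEY=VALUE environment dump for values that begin with "() {", which is the shape bash reads as an exported function definition. The sample environment lines are constructed for the example, and the "echo tail" after the function body is only there so the scanner has something to flag.

```shell
#!/bin/sh
# Added example (not from the list post): report which shell system()/popen()
# really use, and look for function-shaped values in an environment dump.

# Full path of the binary behind /bin/sh (falls back to /bin/sh itself if
# readlink -f is unavailable).
sh_target() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

# Short name of that binary: "bash" means system() in C, PHP, Perl etc.
# is running bash even though nobody asked for it.
sh_kind() {
    basename "$(sh_target)"
}

# Show that a variable set in the parent is visible inside a /bin/sh -c
# child, which is exactly the path a system() call takes.
env_reaches_child() {
    DEMO_VAR="inherited" /bin/sh -c 'printf %s "$DEMO_VAR"'
}

# Read KEY=VALUE lines on stdin (the output of `env`, or a saved copy) and
# count the ones whose value starts with "() {": the exported-function
# syntax that bash parses on startup. Prints 0 when nothing matches.
count_function_values() {
    grep -c '^[A-Za-z_][A-Za-z0-9_]*=() {' || true
}

# Print only the offending lines, so an admin can see which variable it is.
list_function_values() {
    grep '^[A-Za-z_][A-Za-z0-9_]*=() {' || true
}

# Constructed sample environment for the demonstration: one ordinary PATH,
# one CGI-style header variable carrying a function body with a trailing
# command, and one ordinary HOME.
sample_env() {
    printf '%s\n' \
        'PATH=/usr/bin:/bin' \
        'HTTP_COOKIE=() { :; }; echo tail' \
        'HOME=/var/www'
}

# Stand-alone run: report the shell behind /bin/sh and scan the sample.
main() {
    echo "/bin/sh -> $(sh_target) ($(sh_kind))"
    echo "function-shaped values in sample: $(sample_env | count_function_values)"
    sample_env | list_function_values
}

case "$0" in *check-sh*) main ;; esac
```

To scan a live process environment rather than the constructed sample, pipe the real thing in, for example `env | count_function_values` from the same shell, or `tr '\0' '\n' < /proc/PID/environ | list_function_values` for a running Apache worker. A result of "bash" from sh_kind() on a Debian 6 or later box is worth acting on: dpkg-reconfigure dash switches /bin/sh to dash, which does not parse function definitions out of the environment.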

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq