[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

Re: [LUG] bash vulnerability

To: list@xxxxxxxxxxxxx
Subject: Re: [LUG] bash vulnerability
From: Mark Evans <mpe@xxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 26 Sep 2014 17:37:22 +0100
Delivered-to: dclug@xxxxxxxxxxxxxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=dcglug.org.uk; s=1396810045; h=Sender:Content-Type:List-Subscribe:List-Help:List-Post:List-Unsubscribe:List-Id:Reply-To:Subject:In-Reply-To:References:To:Mime-Version:From:Date:Message-ID; bh=dn1pHcA8HGiIr5w7WuUh/ZooK24KoMSLvT3zL9xuWE0=; b=VUZ3p1jEnJcqMFelmJD4w3guWjx4wNLJSHVKqac6xvz0aA92GfrWjvj5dBF94Srm5AoFHT3fLk/Ml+JA5Cbw9Q+4BTTr+YFkKtQJguWPggwSCNO/33Ljmk1fHdL0Ch5+jYMJnYV/X6LgNdz7fK4qhV2pnmhB/Pw0VdysN4Mca8M=;

On 26/09/14 09:39, Gordon Henderson wrote:

> But servers... There are now so many attack vectors it's hard to keep
> track. The obvious one (in this case) is a CGI program written in BASH.
> The not so obvious ones are ones written in PHP/C/PERL/Python, etc.
> where you think you're OK, but if you call system(), popen(), use the
> 'backticks' operators, or even functions in languages that let you pipe

Most people don't even realise how many of these use some sort of shell.

> to a program (e.g. fd = fpopen ("|/usr/bin/sendmail -t") sort of thing),
> then there is a good chance you're vulnerable as BASH is typically used
> there and each process inherits the environment variables and BASH will
> parse those variables and if they contain a function tail, it will
> execute it.

Is an actual "attack" fairly generic or does it require tailoring to how
the shell is being called?

Debian charged the default /bin/sh to being /bin/dash a while back.
Possibly there are distributions where something other than bash is the
default shell for www-data.

> 
> I'm seeing e.g. this in server log-files:
> 
> 89.207.135.125 - - [25/Sep/2014:07:06:28 +0100] "GET
> /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 292 "-" "() { :;}; /bin/ping
> -c 1 198.101.206.138"

A lookup on 89.207.135.125 is interesting in that it looks to be
intended to just show the domain.
> 
> That's actually a test probe being run by someone trying to go the right
> thing to test servers, but I've also seen attempts to run the eject
> command as well as atempts to fetch/download a trojan program and run it.

I'm wondering why "eject". Since this isn't AFAIK usually setuid root.
> 
> Note where the payload is - for hose not familiar with apache log files,
> that's the Useragent string. It's passed into CGI's as an environment
> variable and if that CGI ever touches BASH, then BASH will execute it.
> 
> So as for not using the "safe"... If your CGI is bash then its too late
> as the environment variables have already been seen (and executed) by it
> before your script actually starts, as for other languages, how many
> people parse and validate all environment variables as a matter of
> course when their CGI starts up?

Probably very few even look for environment variables which arn't of
specific interest. Accessing a CGI as https adds a whole pile of
environment variables over using http.

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq

References:
- [LUG] bash vulnerability
  - From: Tom
- Re: [LUG] bash vulnerability
  - From: Matt Stevenson
- Re: [LUG] bash vulnerability
  - From: Eion MacDonald
- Re: [LUG] bash vulnerability
  - From: Roland Tarver
- Re: [LUG] bash vulnerability
  - From: Tom
- Re: [LUG] bash vulnerability
  - From: Gordon Henderson

Prev by Date: Re: [LUG] bash vulnerability
Next by Date: Re: [LUG] bash vulnerability
Previous by thread: Re: [LUG] bash vulnerability
Next by thread: Re: [LUG] bash vulnerability
Index(es):
- Date
- Thread