On Fri, 26 Sep 2014, Jay Bennie wrote:

> On 26 Sep 2014, at 09:39, Gordon Henderson <gordon+lug@xxxxxxxxxx> wrote:
>
>> On Fri, 26 Sep 2014, Tom wrote:
>>
>>> No - you can't blame a dodgy door latch because people can't be bothered to use the safe they have!
>>
>> If only it were as simple as that. So on the surface home PCs, etc. are fine - no need to worry about them for now.
>>
>> But servers... There are now so many attack vectors it's hard to keep track. The obvious one (in this case) is a CGI program written in BASH. The not so obvious ones are ones written in PHP/C/PERL/Python, etc. where you think you're OK, but if you call system(), popen(), use the 'backticks' operators, or even functions in languages that let you pipe to a program (e.g. fd = fpopen ("|/usr/bin/sendmail -t") sort of thing), then there is a good chance you're vulnerable as BASH is typically used there and each process inherits the environment variables and BASH will parse those variables and if they contain a function tail, it will execute it.
>
> I thought this was the reason the apache account is run with a shell of /bin/false - so you can't get a user type shell under the running apache user, and invoked as su - c /bin/...path to apache startup script to ensure there are no environment variables except the ones set in the startup.
If only it worked that way.

The shell field in /etc/passwd only applies to logins. If your PHP program running under Apache does a system(), popen() or uses `backticks` then the current environment will be passed into the thing that Apache runs to launch your program. The thing Apache runs is /bin/sh.

Even in a C program, system() uses /bin/sh.

And it turns out a lot of Linux systems just link /bin/sh to /bin/bash. Game over.

Debian gave you the option at version 6 onwards to use bash or dash.

Gordon

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
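An added example, not from the thread (Python, one of the languages Gordon lists): a wrapper that sidesteps /bin/sh entirely by passing argv directly instead of a command string, and trims the inherited environment to an allow-list, dropping any value that begins with the "() {" function-export marker bash parses. The allow-list, helper names and the sample request variables are assumptions constructed for this example.

```python
"""Spawn children without /bin/sh and without passing request-controlled env vars."""
import os
import subprocess

# Prefix bash used to recognise an exported function in an environment value;
# in unpatched bash anything after the function body was executed on startup.
FUNCTION_MARKER = "() {"

# Assumed allow-list: the only variables a web-spawned child actually needs.
# CGI variables such as HTTP_USER_AGENT or QUERY_STRING come from the request
# and are never forwarded.
DEFAULT_ALLOW = ("PATH", "LANG", "HOME", "TMPDIR")


def looks_like_function_export(value: str) -> bool:
    """True if the value carries a bash function definition (leading spaces tolerated)."""
    return value.lstrip().startswith(FUNCTION_MARKER)


def scrub_env(env, allow=DEFAULT_ALLOW):
    """Return a minimal copy of env: allow-listed names only, no function exports."""
    return {name: value for name, value in env.items()
            if name in allow and not looks_like_function_export(value)}


def run_clean(argv, env=None):
    """Execute argv directly (no shell string, so /bin/sh is never involved)
    with a scrubbed environment. Returns (exit status, stdout)."""
    source = os.environ if env is None else env
    proc = subprocess.run(list(argv), env=scrub_env(source),
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout


def sh_is_bash() -> bool:
    """Report whether /bin/sh on this host resolves to bash (the 'game over' case)."""
    return os.path.basename(os.path.realpath("/bin/sh")) == "bash"


if __name__ == "__main__":
    # Constructed request-style environment: one value is a function export.
    request_env = {"PATH": "/usr/bin:/bin", "HTTP_HOST": "() { :;}; :"}
    print("scrubbed:", scrub_env(request_env))
    print("/bin/sh is bash:", sh_is_bash())
    print(run_clean(["/bin/echo", "ok"], env=request_env))
```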