
Re: [LUG] bash vulnerability

 

On 26 Sep 2014, at 10:45, Gordon Henderson <gordon+lug@xxxxxxxxxx> wrote:

> On Fri, 26 Sep 2014, Jay Bennie wrote:
> 
>> 
>> On 26 Sep 2014, at 09:39, Gordon Henderson <gordon+lug@xxxxxxxxxx> wrote:
>> 
>>> On Fri, 26 Sep 2014, Tom wrote:
>>> 
>>>> No - you can't blame a dodgy door latch because people can't be bothered to use 
>>>> the safe they have!
>>> 
>>> If only it were as simple as that.
>>> 
>>> So on the surface home PCs, etc. are fine - no need to worry about them for now.
>>> 
>>> But servers... There are now so many attack vectors it's hard to keep track. The 
>>> obvious one (in this case) is a CGI program written in BASH. The not so obvious 
>>> ones are ones written in PHP/C/PERL/Python, etc. where you think you're OK, but 
>>> if you call system(), popen(), use the 'backticks' operators, or even functions 
>>> in languages that let you pipe to a program (e.g. fd = fpopen 
>>> ("|/usr/bin/sendmail -t") sort of thing), then there is a good chance you're 
>>> vulnerable as BASH is typically used there and each process inherits the 
>>> environment variables and BASH will parse those variables and if they contain a 
>>> function tail, it will execute it.
>>> 
>> 
>> I thought this was the reason the apache account is run with a shell of 
>> /bin/false - so you can't get a user type shell under the running apache user.
>> 
>> and invoked as su -c /bin/...path to apache startup script to ensure there are 
>> no environment variables except the ones set in the startup.
> 
> If only it worked that way.
> 
> The shell field in /etc/passwd only applies to logins. If your PHP program running 
> under Apache does a system(), popen() or uses `backticks` then the current 
> environment will be passed into the thing that Apache runs to launch your program. 
> The thing Apache runs is /bin/sh
> 
> Even in a C program, system() uses /bin/sh.
> 
> And it turns out a lot of Linux systems just link /bin/sh to /bin/bash. Game over.
> 

Hmm - yes ... bollocks ... it's going to be a busy weekend. 

Already patching my first compromised router - a Cisco Linksys ... which went AWOL 
lunchtime yesterday after 5 years of solid service... 


> Gordon
> 
> -- 
> The Mailing List for the Devon & Cornwall LUG
> http://mailman.dclug.org.uk/listinfo/list
> FAQ: http://www.dcglug.org.uk/listfaq


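As an added example, not part of the list thread and not code any poster supplied, the following POSIX shell script checks on one machine the three things Gordon describes above: what /bin/sh really resolves to, that the login-shell field in /etc/passwd (or $SHELL) does nothing to stop a program from exec'ing /bin/sh, and whether the resulting shell imports a "() { ...; }" function definition from the environment and runs the trailing command. The test string is the widely published CVE-2014-6271 check; the HTTP_USER_AGENT value is a constructed attacker-style string standing in for what Apache would put in a CGI child's environment. It assumes a Linux box with readlink supporting -f.

```shell
#!/bin/sh
# Added example (not from the list thread). Shows why the passwd shell field
# is irrelevant, how a parent's environment reaches the /bin/sh that
# system()/popen()/backticks spawn, and whether that /bin/sh is a bash
# which imports function definitions from the environment.
# Assumption: Linux, readlink -f available.

# 1. Which binary is /bin/sh really?  (Debian/Ubuntu: dash; many others: bash)
resolve_sh() {
    readlink -f /bin/sh
}

# Exit 0 if /bin/sh resolves to bash, 1 otherwise.
sh_is_bash() {
    case "$(basename "$(resolve_sh)")" in
        bash) return 0 ;;
        *)    return 1 ;;
    esac
}

# 2. The login shell (passwd field / $SHELL) is only consulted by login and su.
#    A program that execs /bin/sh directly runs regardless.  Prints "still-runs".
login_shell_is_irrelevant() {
    SHELL=/bin/false /bin/sh -c 'echo still-runs'
}

# 3. The original CVE-2014-6271 test string: a function body followed by a
#    trailing command.  A vulnerable bash runs the trailing command while
#    importing the variable; a fixed bash (or dash) treats it as plain text.
#    Prints "vulnerable" or "not vulnerable" for the shell given as $1.
shellshock_check() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo harmless' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo "not vulnerable" ;;
    esac
}

# CGI-style route: Apache sets HTTP_USER_AGENT from the request header, the
# PHP/Perl/C program calling system() inherits it, and so does the /bin/sh
# that system() execs.  The value below is a constructed attacker string.
# On a vulnerable bash the "from-the-env" echo fires before the -c command
# and the variable itself is empty (it was consumed as a function definition);
# on dash or a fixed bash the string is just an ordinary variable value.
cgi_env_reaches_sh() {
    HTTP_USER_AGENT='() { :;}; echo from-the-env' \
        /bin/sh -c 'echo "sh started; HTTP_USER_AGENT=[$HTTP_USER_AGENT]"'
}

# Stand-alone run: report what this machine looks like.
echo "/bin/sh -> $(resolve_sh)"
echo "/bin/sh:   $(shellshock_check /bin/sh)"
echo "bash:      $(shellshock_check bash)"
login_shell_is_irrelevant
cgi_env_reaches_sh
```

Run it as `sh check.sh`. A "vulnerable" line for /bin/sh is the case Gordon calls game over: every system(), popen() and backtick call on the box hands request-controlled environment variables to a bash that will execute them. A "not vulnerable" result only says this one test string is handled; the incomplete first fix was followed by CVE-2014-7169, which needs its own check, so compare the installed bash version against your distribution's advisory rather than relying on this script alone.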