On 26 Sep 2014, at 10:45, Gordon Henderson <gordon+lug@xxxxxxxxxx> wrote:

> On Fri, 26 Sep 2014, Jay Bennie wrote:
>
>>
>> On 26 Sep 2014, at 09:39, Gordon Henderson <gordon+lug@xxxxxxxxxx> wrote:
>>
>>> On Fri, 26 Sep 2014, Tom wrote:
>>>
>>>> No - you can't blame a dodgy door latch because people can't be bothered to use
>>>> the safe they have!
>>>
>>> If only it were as simple as that.
>>>
>>> So on the surface home PCs, etc. are fine - no need to worry about them for now.
>>>
>>> But servers... There are now so many attack vectors it's hard to keep track. The
>>> obvious one (in this case) is a CGI program written in BASH. The not so obvious
>>> ones are ones written in PHP/C/PERL/Python, etc. where you think you're OK, but
>>> if you call system(), popen(), use the 'backticks' operators, or even functions
>>> in languages that let you pipe to a program
>>> (e.g. fd = fpopen ("|/usr/bin/sendmail -t") sort of thing), then there is a good
>>> chance you're vulnerable as BASH is typically used there and each process
>>> inherits the environment variables and BASH will parse those variables and if
>>> they contain a function tail, it will execute it.
>>>
>>
>> I thought this was the reason the apache account is run with a shell of
>> /bin/false - so you can't get a user type shell under the running apache user.
>>
>> and invoked as su - c /bin/...path to apached startup script to ensure there are
>> no environment variables except the ones set in the startup.
>
> If only it worked that way.
>
> The shell field in /etc/passwd only applies to logins. If your PHP program running
> under Apache does a system(), popen() or uses `backticks` then the current
> environment will be passed into the thing that Apache runs to launch your program.
> The thing Apache runs is /bin/sh
>
> Even in a C program, system() uses /bin/sh.
>
> And it turns out a lot of Linux systems just link /bin/sh to /bin/bash. Game over.
>

humm - yes ....bollox ... it's going to be a busy weekend.

already patching my first compromised router - a Cisco Linksys ... went AWOL lunch time yesterday after 5 years of solid service...

> Gordon
>
> --
> The Mailing List for the Devon & Cornwall LUG
> http://mailman.dclug.org.uk/listinfo/list
> FAQ: http://www.dcglug.org.uk/listfaq
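The point made in the thread (system() and popen() hand the caller's environment to /bin/sh, which is often bash) can be checked on a given host with the added example below; it is not code from the thread. The variable name `HTTP_X_DEMO`, its value and the minimal `PATH` are constructed for illustration, and `clearenv()` assumes glibc.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for clearenv() on glibc */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MARKER_NAME  "HTTP_X_DEMO"               /* constructed variable name */
#define MARKER_VALUE "constructed-header-value"  /* constructed, harmless value */
#define PRINT_MARKER "printf '%s\\n' \"$" MARKER_NAME "\""

/* Resolve /bin/sh: 1 if it is bash, 0 if another shell, -1 if unresolved. */
int sh_is_bash(char *resolved, size_t len) {
    char buf[PATH_MAX];
    if (realpath("/bin/sh", buf) == NULL) return -1;
    snprintf(resolved, len, "%s", buf);
    const char *base = strrchr(buf, '/');
    return strcmp(base ? base + 1 : buf, "bash") == 0;
}

/* popen(), like system(), runs "/bin/sh -c cmd"; keep the first output line. */
static int first_line_via_sh(const char *cmd, char *out, size_t len) {
    FILE *p = popen(cmd, "r");
    if (p == NULL) return -1;
    if (fgets(out, (int)len, p) == NULL) out[0] = '\0';
    out[strcspn(out, "\n")] = '\0';
    return pclose(p);
}

/* Returns 1 if the shell child can read the marker set in the parent. */
int marker_reaches_child(int scrub_first) {
    char out[128] = "";
    setenv(MARKER_NAME, MARKER_VALUE, 1);  /* stands in for a request-derived CGI variable */
    if (scrub_first) {                     /* hardened path: rebuild the environment */
        clearenv();
        setenv("PATH", "/usr/bin:/bin", 1);
    }
    if (first_line_via_sh(PRINT_MARKER, out, sizeof out) != 0) return -1;
    return strcmp(out, MARKER_VALUE) == 0;
}

int main(void) {
    char path[PATH_MAX] = "(unresolved)";
    int bash = sh_is_bash(path, sizeof path);
    printf("/bin/sh resolves to %s (bash: %d)\n", path, bash);
    printf("inherited environment reaches child: %d\n", marker_reaches_child(0));
    printf("after scrubbing, reaches child: %d\n", marker_reaches_child(1));
    return 0;
}
```

Scrubbing only limits what the shell gets to parse; a host where `/bin/sh` resolves to bash still needs the bash update itself.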