[Linux-aus] What's the real story about Shellshock and Bash and vulnerabilities in Linux and OpenSource?
Russell Coker
russell at coker.com.au
Fri Sep 26 13:20:42 EST 2014
On Fri, 26 Sep 2014, Ian <ilox11 at gmail.com> wrote:
> The journos are having a field day over the discovery of the
> vulnerabilities in Bash, the vulnerability now called Shellshock. They talk
> of 500 million affected sites. Any Apache server is easily taken over. Some
> are reporting that the patches are not fully safe yet.

wget -U "() { test;};/usr/bin/touch /tmp/VULNERABLE" \
http://www.example.com/cgi-bin/whatever

Above is a test for a vulnerable cgi-bin script courtesy of
https://twitter.com/hernano .

ssh root@localhost "() { :;} ; touch /tmp/ohno"

Above is a test I wrote for ssh where ~root/.ssh/authorized_keys allows access
but with the "command=" option (which sets the original command to the
SSH_ORIGINAL_COMMAND variable). Note that this doesn't do anything useful in
the case where unrestricted ssh access is granted.

If you have bash cgi-bin scripts then an attacker can run arbitrary code as
www-data. As long as you don't run such scripts as root that isn't
necessarily a huge problem (depending on what your scripts do and how
important the web server is to you). For example if you have a web server
that mostly serves static data and doesn't have write access to that data then
the ability of an attacker to mess with you will be limited.
If you use ssh as a sudo replacement for root access then you have a more
serious problem.
If you have a cgi-bin script written in bash that then runs a program as root
via the ssh command= option then it's a remote root exploit.
> Should there be a focus within the Linux world to track down all the little
> bits that make up the foundation of the software and making sure they are
> being maintained and secure and above all trusted? Perhaps LA or the next
> LCA could/should pick this up as a theme and be a leader in the open source
> world?
Yes. Also we should make all things be secure by default. If we don't have
daemons running scripts in a default configuration then, as most users stick to
the defaults for most things, that will make most systems secure.
Finally running things with minimum privileges is a good thing. SE Linux is
good for this.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
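
Added example, not part of the original message: a log check for requests like the wget test above, flagging entries whose Referer or User-Agent value begins with the bash function-definition marker "() {". It assumes Apache's "combined" log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Flag access-log entries whose Referer or User-Agent begins with "() {".
# Assumed format (Apache "combined"):
#   host ident user [time] "request" status bytes "referer" "user-agent"
# Output per hit: client<TAB>header<TAB>cgi|non-cgi<TAB>path

scan_shellshock() {   # usage: scan_shellshock LOGFILE
    awk -F'"' '
    # Vulnerable bash treated an environment value as a function only when
    # it began with the four characters "() {", so anchor at the start.
    function probe(v) { return v ~ /^[(][)] [{]/ }
    {
        split($1, pre, " ")            # pre[1] = client address
        split($2, req, " ")            # req[2] = requested path
        field = ""
        if (probe($4)) field = "referer"
        if (probe($6)) field = (field == "" ? "user-agent" : field "+user-agent")
        if (field != "") {
            # CGI requests are the ones where headers become environment variables
            cgi = (req[2] ~ /^\/cgi-bin\//) ? "cgi" : "non-cgi"
            printf "%s\t%s\t%s\t%s\n", pre[1], field, cgi, req[2]
        }
    }' "$1"
}

# Constructed sample log (documentation addresses, made-up paths).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [26/Sep/2014:10:00:01 +1000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.66 - - [26/Sep/2014:10:00:05 +1000] "GET /cgi-bin/whatever HTTP/1.1" 200 0 "-" "() { test;};/usr/bin/touch /tmp/VULNERABLE"
192.0.2.67 - - [26/Sep/2014:10:00:09 +1000] "GET /about.html HTTP/1.1" 200 90 "() { :;}; true" "Wget/1.15"
192.0.2.11 - - [26/Sep/2014:10:00:12 +1000] "GET /faq.html HTTP/1.1" 200 77 "-" "Docs bot () { not at start"
EOF
}

# Run against the sample: expect two hits (192.0.2.66 and 192.0.2.67).
tmp=$(mktemp) && sample_log > "$tmp" && scan_shellshock "$tmp"; rm -f "$tmp"
```

A header value containing an escaped double quote shifts the fields after it, so treat a clean result on such lines as inconclusive.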