[Linux-aus] What's the real story about Shellshock and Bash and vulnerabilities in Linux and OpenSource?
Scott Ferguson
scott.ferguson.it.consulting at gmail.com
Fri Sep 26 21:23:21 EST 2014
On 26/09/14 13:20, Russell Coker wrote:
> On Fri, 26 Sep 2014, Ian <ilox11 at gmail.com> wrote:
>> The journos are having a field day over the discovery of the
>> vulnerabilities in Bash, the vulnerability now called Shellshock. They talk
>> of 500million affected sites. Any Apache server is easily taken over. Some
>> reporting that the patches are not fully safe yet.
> wget -U "() { test;};/usr/bin/touch /tmp/VULNERABLE" \
> http://www.example.com/cgi-bin/whatever
>
> Above is a test for a vulnerable cgi-bin script courtesy of
> https://twitter.com/hernano .
>
> ssh root@localhost "() { :;} ; touch /tmp/ohno"
>
> Above is a test I wrote for ssh where ~root/.ssh/authorized_keys allows access
> but with the "command=" option (which sets the original command to the
> SSH_ORIGINAL_COMMAND variable). Note that this doesn't do anything useful in
> the case where unrestricted ssh access is granted.
>
> If you have bash cgi-bin scripts then an attacker can run arbitrary code as
> www-data. As long as you don't run such scripts as root that isn't
> necessarily a huge problem (depending on what your scripts do and how
> important the web server is to you). For example if you have a web server
> that mostly serves static data and doesn't have write access to that data then
> the ability of an attacker to mess with you will be limited.
>
> If you use ssh as a sudo replacement for root access then you have a more
> serious problem.
>
> If you have a cgi-bin script written in bash that then runs a program as root
> via the ssh command= option then it's a remote root exploit.
DHCP can also be exploited.
>
>> Should there be a focus within the Linux world to track down all the little
>> bits that make up the foundation of the software and making sure they are
>> being maintained and secure and above all trusted? Perhaps LA or the next
>> LCA could/should pick this up as a theme and be a leader in the open source
>> world?
> Yes. Also we should make all things be secure by default. If we don't have
> daemons running scripts in a default configuration then as most users stick to
> the defaults for most things that will make most systems secure.
>
> Finally running things with minimum privileges is a good thing. SE Linux is
> good for this.
>
All excellent advice. And thanks for pointing out that it's not just a
bash cgi problem (which is what some uninformed commentators are saying).
Nor is it just a problem of unsanitized user input. It's httpd setting
environment variables with them (when doing any cgi).
The honesty, and the speed with which a solution was made available all
speak well of those involved - my thanks to all of them.
Kind regards
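
Added example, not part of the original thread: the reply's point that the web server itself places request headers into environment variables for any CGI program, shown in Python. It names variables the way RFC 3875 does and flags values that begin like a bash function definition, as in the two tests quoted above; the function names and the sample request are constructed for illustration.

```python
import re

# Deliberately a little looser than the exact "() {" seen in the quoted tests,
# so spacing variants are flagged too.
FUNCDEF = re.compile(r"^\s*\(\s*\)\s*\{")

def cgi_environ(method, query, headers):
    """Build the variables a server hands to a CGI child (RFC 3875 naming)."""
    env = {"REQUEST_METHOD": method, "QUERY_STRING": query}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        # Content-Type and Content-Length keep their own names; every other
        # request header becomes HTTP_<NAME>.
        if key not in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            key = "HTTP_" + key
        env[key] = value
    return env

def suspicious(env):
    """Names of variables whose value starts like a function definition."""
    return sorted(k for k, v in env.items() if FUNCDEF.match(v))

def scrub(env):
    """Drop flagged variables so they never reach a child shell."""
    bad = set(suspicious(env))
    return {k: v for k, v in env.items() if k not in bad}

# Constructed sample request; the User-Agent value is the one from the wget test.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "() { test;};/usr/bin/touch /tmp/VULNERABLE",
    "Accept": "*/*",
    "Content-Type": "text/plain",
}

# The forced-command case: the client's command string arrives in this variable.
SAMPLE_SSH_ENV = {"SSH_ORIGINAL_COMMAND": "() { :;} ; touch /tmp/ohno"}

if __name__ == "__main__":
    env = cgi_environ("GET", "", SAMPLE_HEADERS)
    print("CGI variables flagged:", suspicious(env))
    print("ssh variables flagged:", suspicious(SAMPLE_SSH_ENV))
    print("passed to child:", sorted(scrub(env)))
```

The flagged variable exists whether the CGI program is written in bash or not, which is why the exposure follows any child process that later starts bash with that environment.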