<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#CCCCCC" text="#000000">
<div class="moz-cite-prefix">On 26/09/14 13:20, Russell Coker wrote:<br>
</div>
<blockquote cite="mid:201409261320.42571.russell@coker.com.au"
type="cite">
<pre wrap="">On Fri, 26 Sep 2014, Ian <a class="moz-txt-link-rfc2396E" href="mailto:ilox11@gmail.com"><ilox11@gmail.com></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">The journos are having a field day over the discovery of the
vulnerabilities in Bash, the vulnerability now called Shellshock. They talk
of 500million affected sites. Any Apache server is easily taken over. Some
reporting that the patches not fully safe yet.
</pre>
</blockquote>
<pre wrap="">
wget -U "() { test;};/usr/bin/touch /tmp/VULNERABLE" \
<a class="moz-txt-link-freetext" href="http://www.example.com/cgi-bin/whatever">http://www.example.com/cgi-bin/whatever</a>
Above is a test for a vulnerable cgi-bin script courtesy of
<a class="moz-txt-link-freetext" href="https://twitter.com/hernano">https://twitter.com/hernano</a> .
ssh root@localhost "() { :;} ; touch /tmp/ohno"
Above is a test I wrote for ssh where ~root/.ssh/authorized_keys allows access
but with the "command=" option (which sets the original command to the
SSH_ORIGINAL_COMMAND variable). Note that this doesn't do anything useful in
the case where unrestricted ssh access is granted.
If you have bash cgi-bin scripts then an attacker can run arbitrary code as
www-data. As long as you don't run such scripts as root that isn't
necessarily a huge problem (depending on what your scripts do and how
important the web server is to you). For example if you have a web server
that mostly serves static data and doesn't have write access to that data then
the ability of an attacker to mess with you will be limited.
If you use ssh as a sudo replacement for root access then you have a more
serious problem.
If you have a cgi-bin script written in bash that then runs a program as root
via the ssh command= option then it's a remote root exploit.</pre>
</blockquote>
<br>
DHCP can also be exploited.<br>
<br>
<blockquote cite="mid:201409261320.42571.russell@coker.com.au"
type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">Should there be a focus within the Linux world to track down all the little
bits that make up the foundation of the software and making sure they are
being maintained and secure and above all trusted? Perhaps LA or the next
LCA could/should pick this up as a theme and be a leader in the open source
world?
</pre>
</blockquote>
<pre wrap="">
Yes. Also we should make all things be secure by default. If we don't have
daemons running scripts in a default configuration then as most users stick to
the defaults for most things that will make most systems secure.
Finally running things with minimum privileges is a good thing. SE Linux is
good for this.
</pre>
</blockquote>
<font face="Oxygen">All excellent advice. And thanks for pointing
out that it's not just a bash cgi problem (which if what some
uninformed commentators are saying).<br>
Nor is it just a problem of unsanitized user input. </font>It's
httpd setting environment variables with them (when doing any cgi).<br>
<br>
The honesty, and the speed with which a solution was made available
all speak well of those involved - my thanks to all of them.<br>
<br>
Kind regards<br>
</body>
</html>