[Linux-aus] What's the real story about Shellshock and Bash and vulnerabilities in Linux and OpenSource?

Scott Ferguson scott.ferguson.it.consulting at gmail.com
Fri Sep 26 21:23:21 EST 2014


On 26/09/14 13:20, Russell Coker wrote:
> On Fri, 26 Sep 2014, Ian <ilox11 at gmail.com> wrote:
>> The journos are having a field day over the discovery of the
>> vulnerabilities in Bash, the vulnerability now called Shellshock. They talk
>> of 500million affected sites. Any Apache server is easily taken over. Some
>> are reporting that the patches are not fully safe yet.
> wget -U "() { test;};/usr/bin/touch /tmp/VULNERABLE" \
> http://www.example.com/cgi-bin/whatever
>
> Above is a test for a vulnerable cgi-bin script courtesy of 
> https://twitter.com/hernano .
>
> ssh root@localhost "() { :;} ; touch /tmp/ohno"
>
> Above is a test I wrote for ssh where ~root/.ssh/authorized_keys allows access 
> but with the "command=" option (which sets the original command to the 
> SSH_ORIGINAL_COMMAND variable).  Note that this doesn't do anything useful in 
> the case where unrestricted ssh access is granted.
>
> If you have bash cgi-bin scripts then an attacker can run arbitrary code as 
> www-data.  As long as you don't run such scripts as root that isn't 
> necessarily a huge problem (depending on what your scripts do and how 
> important the web server is to you).  For example if you have a web server 
> that mostly serves static data and doesn't have write access to that data then 
> the ability of an attacker to mess with you will be limited.
>
> If you use ssh as a sudo replacement for root access then you have a more 
> serious problem.
>
> If you have a cgi-bin script written in bash that then runs a program as root 
> via the ssh command= option then it's a remote root exploit.

DHCP can also be exploited.

>
>> Should there be a focus within the Linux world to track down all the little
>> bits that make up the foundation of the software and making sure they are
>> being maintained and secure and above all trusted? Perhaps LA or the next
>> LCA could/should pick this up as a theme and be a leader in the open source
>> world?
> Yes.  Also we should make all things be secure by default.  If we don't have 
> daemons running scripts in a default configuration then as most users stick to 
> the defaults for most things that will make most systems secure.
>
> Finally running things with minimum privileges is a good thing.  SE Linux is 
> good for this.
>
All excellent advice. And thanks for pointing out that it's not just a
bash cgi problem (which is what some uninformed commentators are saying).
Nor is it just a problem of unsanitized user input. It's httpd setting
environment variables with them (when doing any cgi).

The honesty, and the speed with which a solution was made available all
speak well of those involved - my thanks to all of them.

Kind regards
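
An added example, not part of the original message: a detection sketch for the point made above, that httpd copies request headers into the environment of any CGI it runs. It flags Apache combined-format log entries whose request line, Referer or User-Agent contains a bash function-definition prefix; the sample lines, addresses and function names are constructed for illustration.

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Unpatched bash treats an environment value beginning "() {" as a function
# definition. Matching anywhere in the field is deliberately looser than that.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')

def scan(lines):
    """Return (line_no, host, field, path, status) for each suspicious field."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = COMBINED.match(line.rstrip("\n"))
        if not m:
            continue  # not in combined format; skipped, not flagged
        parts = m.group("request").split(" ")
        path = parts[1] if len(parts) >= 2 else ""
        for field in ("request", "referer", "agent"):
            if FUNC_DEF.search(m.group(field)):
                hits.append((no, m.group("host"), field, path,
                             m.group("status")))
    return hits

# Constructed sample log lines (documentation address ranges); the flagged
# header values are the two test strings quoted in the thread.
SAMPLE = [
    '192.0.2.10 - - [26/Sep/2014:13:20:01 +1000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [26/Sep/2014:13:20:05 +1000] "GET /cgi-bin/whatever '
    'HTTP/1.1" 200 0 "-" "() { test;};/usr/bin/touch /tmp/VULNERABLE"',
    '198.51.100.7 - - [26/Sep/2014:13:21:40 +1000] "GET /cgi-bin/whatever '
    'HTTP/1.1" 500 0 "() { :;} ; touch /tmp/ohno" "Wget/1.15 (linux-gnu)"',
]

if __name__ == "__main__":
    for no, host, field, path, status in scan(SAMPLE):
        print(f"line {no}: {host} {field} -> {path} (status {status})")
```

A hit only shows that the request carried the pattern; whether anything ran depends on whether the target path reached a vulnerable bash, so check flagged paths against the CGI handlers actually installed.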