<div dir="ltr">On Fri, Sep 26, 2014 at 10:53 AM, Fernando Duran <span dir="ltr"><<a href="mailto:liberosec@yahoo.ca" target="_blank">liberosec@yahoo.ca</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">So we may have exploits for other network services besides web server + CGI (see <a href="https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/" target="_blank">https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/</a> for DHCP ex), random boxes acting as routers/gateways (it doesn't even have to be Linux) etc. </blockquote><div><br></div><div>On Debian/Ubuntu, this risk is mitigated somewhat by dash being the default shell. <br><br>So unless someone changes the default shell from dash to bash, or has any application invoking system() calls which inherits the environment.<br><br></div><div>Here is a proof of concept:<br><br>This is a PHP script that calls system and just does an echo:<br><br>$ cat x.php <br>&lt;?php <br>system('echo hello there');<br><br>I run the php script, and do an strace following children:<br><br>$ strace -f -o output php x.php<br><br>In the output I find this:<br><br>28302 execve("/bin/sh", ["sh", "-c", "echo hello there"], [/* 24 vars */]) = 0<br><br>$ ls -l /bin/sh<br>lrwxrwxrwx 1 root root 4 Mar 29 2012 /bin/sh -> dash<br><br></div><div>Which tells me that PHP invokes the default shell (/bin/sh), which is symlinked to dash.<br><br></div><div>On the other hand, doing a grep on /usr/bin, /usr/sbin, et al, reveals plenty of scripts using /bin/bash as the shell by default.<br></div></div>-- <br>Khalid M. Baheyeldin<br><a href="http://2bits.com" target="_blank">2bits.com</a>, Inc.<br>Fast Reliable Drupal<br>Drupal optimization, development, customization and consulting.<br>Simplicity is prerequisite for reliability. 
-- Edsger W. Dijkstra<br>Simplicity is the ultimate sophistication. -- Leonardo da Vinci<br>For every complex problem, there is an answer that is clear, simple, and wrong. -- H.L. Mencken<br>
</div></div>
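An added audit script (not part of the mail thread) that turns the reasoning above into repeatable checks: which binary /bin/sh resolves to, whether a system()-style `/bin/sh -c` invocation executes a function definition inherited from the environment, whether /bin/bash itself still does, and how many scripts in given directories carry a bash shebang and so bypass the dash default. The variable name SHELLSHOCK_TEST and the directories passed to the last function are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail. Only a harmless "echo marker"
# is ever placed in the environment; the checks report, they do not alter.

# Real binary behind /bin/sh (dash on Debian/Ubuntu, bash on many others).
sh_target() {
    readlink -f /bin/sh
}

# Mirror what PHP system() does: /bin/sh -c with the caller's environment.
# Prints "affected" if the shell ran the function body smuggled in the
# variable, "not-affected" otherwise (dash or a patched bash).
sh_c_env_check() {
    out=$(env SHELLSHOCK_TEST='() { :;}; echo marker' /bin/sh -c 'true' 2>/dev/null)
    case "$out" in
        *marker*) echo affected ;;
        *) echo not-affected ;;
    esac
}

# Same probe against /bin/bash directly, since bash-shebang scripts reach it
# regardless of what /bin/sh points to.
bash_env_check() {
    [ -x /bin/bash ] || { echo no-bash; return 0; }
    out=$(env SHELLSHOCK_TEST='() { :;}; echo marker' /bin/bash -c 'true' 2>/dev/null)
    case "$out" in
        *marker*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Count regular files under the given directories whose first line is a
# shebang naming bash (the "plenty of scripts" the mail grepped for).
count_bash_shebangs() {
    n=0
    for d in "$@"; do
        for f in "$d"/*; do
            [ -f "$f" ] && [ -r "$f" ] || continue
            case "$(head -c 64 "$f" 2>/dev/null | head -n 1)" in
                '#!'*bash*) n=$((n + 1)) ;;
            esac
        done
    done
    echo "$n"
}
```

Run `sh_target; sh_c_env_check; bash_env_check; count_bash_shebangs /usr/bin /usr/sbin` to reproduce the mail's findings on a host; a dash default with "not-affected" but "vulnerable" from bash is exactly the partial mitigation the mail describes.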