[kwlug-disc] Vulnerability in bash

Khalid Baheyeldin kb at 2bits.com
Fri Sep 26 11:45:47 EDT 2014


On Fri, Sep 26, 2014 at 10:53 AM, Fernando Duran <liberosec at yahoo.ca> wrote:

> So we may have exploits for other network services besides web server +
> CGI (see
> https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
> for DHCP ex), random boxes acting as routers/gateways (it doesn't even have
> to be Linux) etc.


On Debian/Ubuntu, this risk is mitigated somewhat by dash being the default
shell.

So unless someone changes the default shell from dash to bash, or has any
application invoking system() calls which inherits the environment.

Here is a proof of concept:

This is a PHP script that calls system and just does an echo:

$ cat x.php
<?php
system('echo hello there');

I run the php script, and do an strace following children:

$ strace -f -o output php x.php

In the output I find this:

28302 execve("/bin/sh", ["sh", "-c", "echo hello there"], [/* 24 vars */]) = 0

$ ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Mar 29  2012 /bin/sh -> dash

Which tells me that PHP invokes the default shell (/bin/sh), which is
symlinked to dash.

On the other hand, doing a grep on /usr/bin, /usr/sbin, et al., reveals
plenty of scripts using /bin/bash as the shell by default.
-- 
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
For every complex problem, there is an answer that is clear, simple, and
wrong." -- H.L. Mencken
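
The two checks described in the message above (what /bin/sh resolves to, and which scripts name bash in their shebang), as an added example that is not part of the original post. The function names and the sample tree are hypothetical and constructed for illustration; point the functions at /bin/sh and at /usr/bin, /usr/sbin and so on to audit a real system.

```shell
# Added example (not from the original post); all function names are hypothetical.

# Print the name of the real binary behind a path such as /bin/sh.
sh_target() {
    basename "$(readlink -f "$1")"
}

# Print the interpreter name from a shebang line, looking through "env".
shebang_interp() {
    printf '%s\n' "$1" | awk '
        /^#!/ {
            sub(/^#![ \t]*/, "")
            n = split($1, p, "/"); name = p[n]
            if (name == "env" && NF > 1) { n = split($2, p, "/"); name = p[n] }
            print name
        }'
}

# List regular files in the given directories whose shebang names bash.
bash_scripts() {
    for dir in "$@"; do
        for f in "$dir"/*; do
            if [ -f "$f" ] && [ -r "$f" ]; then
                first=$(head -c 128 "$f" | head -n 1 | tr -d '\0')
                if [ "$(shebang_interp "$first")" = bash ]; then
                    printf '%s\n' "$f"
                fi
            fi
        done
    done
    return 0
}

# Constructed sample tree standing in for /bin and /usr/bin.
make_sample_tree() {
    t=$(mktemp -d)
    : > "$t/dash"; ln -s dash "$t/sh"
    printf '#!/bin/sh\necho a\n' > "$t/posix-tool"
    printf '#!/bin/bash\necho b\n' > "$t/bash-tool"
    printf '#!/usr/bin/env bash\necho c\n' > "$t/env-bash-tool"
    printf '#!/usr/bin/python3\nprint(1)\n' > "$t/py-tool"
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
echo "sh resolves to: $(sh_target "$tree/sh")"
bash_scripts "$tree"
rm -rf "$tree"
```

Scripts listed by bash_scripts run under bash whatever /bin/sh points to, so they are the ones to review for callers that pass along an untrusted environment.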