Hi Jim..
You'd have to have some very suspect code to pass through the required
environment to bash via perl, php etc. (as it is really suspect to have
bash as a CGI interpreter anything is possible!)
Either that or your machine would need to have malicious code dropped on
it via another exploit, in which case the attacker will use the original
exploit to deliver the payload rather than mess around with shellshock
one would think.
While I don't disagree with the statement that any execution environment
can be used to get the result from the flawed version of bash, the
remote exploit is via apache/cgi at this stage and exploiting it via
php/perl/python would be of little value to an attacker as it would be a
low value secondary vector.
The DHCP one is interesting though. If you've got access to mess with a
DHCP server, or create a rogue one on the network you're probably
already on the local network with lots of juicy targets though...
However this could be used as a discovery mechanism if you were on the
network and having problems finding targets.
Food for thought, that's for sure. ;-)
Cheers, Chris H.
On 26/09/14 11:10, Jim Cheetham wrote:
> On Fri, Sep 26, 2014 at 10:36 AM, Chris Hellyar <[email protected]> wrote:
>
>> The current published/known exploit/vector from this is via
>> apache, with cgi enabled and a cgi script using bash as its
>> interpreter.
>
> Or any execution environment (mod_perl, PHP, etc) that runs code that
> uses "the shell" to run a command, e.g. `cmd` or system(cmd) - if
> /bin/sh points to /bin/bash you are potentially vulnerable, or if the
> code explicitly runs bash. Debian doesn't do this, they point the
> default shell to dash instead. RedHat does point to bash, and you
> can't trivially change it.
>
> Beware of rogue DHCP responses on your local networks, too - most
> Linux runs "the shell" as part of dhclient.
> https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
>
> I don't yet know if Android or iOS are vulnerable to DHCP shellshock.
_______________________________________________
Linux-users mailing list
[email protected]
http://lists.canterbury.ac.nz/mailman/listinfo/linux-users
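
An added example, not part of the original messages: a POSIX shell audit of the condition discussed in the thread, listing the scripts in a CGI directory that reach bash either through a shebang naming bash or through a /bin/sh that resolves to bash. The function names and the directory argument are assumptions for illustration; the script shows where bash is reached, not whether that bash is a flawed version.

```shell
#!/bin/sh
# Added example (not from the thread): report where CGI execution reaches bash.
# Function names and arguments are illustrative assumptions.

# classify_shell PATH -> prints bash, dash, other:<name>, or missing
classify_shell() {
    target=$(readlink -f "$1" 2>/dev/null) || target=
    [ -n "$target" ] && [ -e "$target" ] || { echo missing; return; }
    case "${target##*/}" in
        bash|dash) echo "${target##*/}" ;;
        *) echo "other:${target##*/}" ;;
    esac
}

# shebang_interp FILE -> prints the interpreter named on the "#!" line
shebang_interp() {
    first=
    IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case "$first" in '#!'*) ;; *) return 1 ;; esac
    set -f; set -- ${first#??}; set +f   # split the line into words, no globbing
    interp=$1
    # "#!/usr/bin/env bash": the real interpreter is the next word
    [ "${interp##*/}" = env ] && interp=$2
    [ -n "$interp" ] && echo "$interp"
}

# audit_cgi DIR [SH_PATH] -> one line per script that would run under bash
audit_cgi() {
    dir=$1
    sh_kind=$(classify_shell "${2:-/bin/sh}")
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        interp=$(shebang_interp "$f") || continue
        case "${interp##*/}" in
            bash) echo "$f: shebang names bash" ;;
            sh) [ "$sh_kind" = bash ] && echo "$f: sh resolves to bash" ;;
        esac
    done
    return 0
}

# Usage: sh audit.sh /path/to/cgi-bin [/bin/sh]
if [ $# -gt 0 ]; then audit_cgi "$@"; fi
```

Scripts in other languages that call system() or backticks are not covered by the shebang scan; for those, the result of `classify_shell /bin/sh` is the relevant signal.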