On 26 September 2014 12:06, Chris Hellyar <[email protected]> wrote:

> While I don't disagree with the statement that any execution environment
> can be used to get the result from the flawed version of bash, the remote
> exploit is via apache/cgi at this stage and exploiting it via
> php/perl/python would be of little value to attacker as it would be a low
> value secondary vector.
>

As long as any of those call 'system()' and system is implemented in terms
of 'sh -c' and 'sh' is a symlink to bash (a very common arrangement),
env based exploits will still work here as soon as a bash instance is fired.

Because ENV is implicitly inherited by those languages, and passed on to
their children during fork+exec, ENV becomes an open conduit for malicious
code and the intermediate languages of any kind simply work as naive
carriers unless they explicitly filter out the ENV they inherit.

So all you need is a top level somewhere that stores user specified values
in any ENV field.

And that may not even require CGI binaries in some cases, but it is the
most likely way you'll see it.

(ie: Hypothetically, if Apache simply inflated arbitrary ENV keys from
HTTP requests within the Apache process itself, and then subsequently
called bash inside the same process for any reason in such a way that that ENV
was inherited, your pooch is screwed)

And worse, this can all take place *prior* to authentication taking place,
as authentication may require the authentication tokens to be passed via
ENV.

SSH is a harder target because the vulnerability doesn't trigger until the
channel is activated and authorised and then the ENV leaks over the
connection once established.

There may be some hype to this, but given we don't know a lot about the
reality of this problem, considering we just discovered it after it being
out there for well over 20 years, I think it's better to err on the side of
caution and assume vulnerability until some kind of confidence is offered
to the contrary.

(You can never prove something invulnerable, and you can't ever make
anything completely invulnerable)

-- 
Kent

*KENTNL* - https://metacpan.org/author/KENTNL
_______________________________________________
Linux-users mailing list
[email protected]
http://lists.canterbury.ac.nz/mailman/listinfo/linux-users
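The inheritance chain Kent describes (request header stored in an ENV field by a CGI-style front end, inherited by an interpreter, handed to `sh -c`) can be watched crossing the fork+exec boundary, and the "explicitly filter out the ENV they inherit" fix can be tested, with the following script. It is an added example, not code from the thread or from any project named in it. It assumes a POSIX `sh` on the PATH and Python 3.7+ (`subprocess.run(..., capture_output=True)`); the header names and values are constructed and carry nothing but a marker string. The `HTTP_<NAME>` variable naming is the CGI convention from RFC 3875.

```python
"""Watch a request-derived value travel: header -> ENV -> sh -c child,
then show an allowlist scrub that stops it at the interpreter.
Added example with constructed inputs; assumes a POSIX 'sh' is on PATH."""
import os
import subprocess

# Allowlist of variables a child shell legitimately needs. Everything else,
# including every HTTP_* variable a CGI front end exports, is dropped.
SAFE_ENV_KEYS = frozenset({"PATH", "HOME", "LANG", "LC_ALL", "TZ"})


def cgi_style_env(headers, base_env):
    """Mimic the CGI convention (RFC 3875): each request header becomes an
    HTTP_<NAME> variable in the environment handed to the script. This is the
    'top level that stores user specified values in an ENV field'."""
    env = dict(base_env)
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def scrub_env(env, allowed=SAFE_ENV_KEYS):
    """Build a child environment from the allowlist only, so the interpreter
    stops being a naive carrier for whatever its parent inherited."""
    return {key: value for key, value in env.items() if key in allowed}


def child_sees(var_name, env):
    """Spawn 'sh -c' with the given environment (the same thing system() does)
    and return what the child observes for var_name. An empty string means the
    value did not cross the fork+exec boundary."""
    result = subprocess.run(
        ["sh", "-c", 'printf "%%s" "$%s"' % var_name],
        env=env,
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed front-end environment: only PATH, plus one request header.
    base = {"PATH": "/usr/local/bin:/usr/bin:/bin"}
    request_headers = {"User-Agent": "constructed-agent"}  # constructed value

    inherited = cgi_style_env(request_headers, base)
    print("unscrubbed child sees:", repr(child_sees("HTTP_USER_AGENT", inherited)))
    print("scrubbed child sees:  ", repr(child_sees("HTTP_USER_AGENT", scrub_env(inherited))))
```

The first call prints the marker, the second prints an empty string: nothing about the interpreter in the middle changed, only the environment it chose to pass on. The design point is that the scrub is an allowlist, not a blocklist of known-bad names, because the front end can map any header name into a variable.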