On Fri, Sep 26, 2014 at 12:06 PM, Chris Hellyar <[email protected]> wrote:

> You'd have to have some very suspect code to pass through the required
> environment to bash via perl, php etc. (as it is really suspect to have
> bash as a CGI interpreter, anything is possible!)
>

Sadly no, once you have set the environment with the attack code in it, by
default it will be preserved by fork() until someone remembers to
explicitly clean it out, which rarely happens, especially in languages that
don't interact with the environment very much. And if anyone implicitly
calls bash, the attack code will execute before your intended command gets
a look in.

Debian has been using dash as the /bin/sh for years, so it is less
vulnerable to implicit calls to OS commands, unless someone is calling a
command written in bash itself, or one that invokes a bash script.
RHEL is currently using bash as /bin/sh, and, even worse, it seems as if many
startup scripts declare /bin/sh but actually require bash, so simply
changing the symlink to go to dash instead results in random breakage.

While you might describe the conditions needed to be susceptible to the
attack as rare, in large networks it's common enough. Across the wider
technical community I belong to, we have seen a large-enough number of
successful compromises to know that it works in practice. There is at least
one functional botnet out there using this as one of its compromise
techniques already.

In practical terms, our biggest worry is people running OSs that no longer
have security support, where we have to find ways to recompile the shell
from source - and sometimes you can't even install a compiler or do a fresh
install of the OS elsewhere. The biggest takeout for me isn't how bash can
be exploited, it's how many people *don't upgrade* their systems because
"they work fine" and eventually end up in a situation where they *can't
upgrade* in the face of a problem like this.

-jim
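Added example, not part of Jim's mail or anything from the list: defender-side shell checks for the points made above (what really backs /bin/sh, whether an interpreter imports code from the environment, and how an exported variable rides through fork() until someone explicitly scrubs it). It assumes a Linux host with /bin/sh and bash installed; the variable names and marker value are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original mail). POSIX sh, no bashisms.

# 1. Which shell actually backs /bin/sh? dash does not import shell functions
#    from the environment; bash before the fix did. Prints e.g. "dash" or "bash".
sh_implementation() {
    target=$(readlink -f /bin/sh 2>/dev/null || echo /bin/sh)
    basename "$target"
}

# 2. Canonical public vulnerability test for one interpreter (default: bash).
#    A fixed bash ignores the function definition in the variable and only
#    prints "clean"; an unfixed one also runs the trailing command.
#    Prints "clean", "vulnerable" or "missing" (interpreter not installed).
check_env_function_import() {
    shell="${1:-bash}"
    command -v "$shell" >/dev/null 2>&1 || { echo missing; return 0; }
    out=$(env probe='() { :;}; echo vulnerable' "$shell" -c 'echo clean' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo clean ;;
    esac
}

# 3. Environment inheritance: a variable exported here is carried through
#    fork()/exec into every descendant. Two hops of sh -c, nobody cleans up,
#    so a grandchild shell still sees the (constructed) marker.
inherited_value() {
    export SMUGGLED_MARK="constructed-marker"
    sh -c 'sh -c "echo \$SMUGGLED_MARK"'
}

# 4. The cleanup Jim notes rarely happens: start the child from an empty
#    environment (env -i) and pass only an allowlist, here just PATH.
scrubbed_value() {
    export SMUGGLED_MARK="constructed-marker"
    env -i PATH="$PATH" /bin/sh -c 'echo "${SMUGGLED_MARK:-<unset>}"'
}
```

Run the checks against each interpreter that CGI or startup scripts can reach, not only the one /bin/sh points at, since a script that declares /bin/sh but requires bash will be started with bash anyway.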
_______________________________________________
Linux-users mailing list
[email protected]
http://lists.canterbury.ac.nz/mailman/listinfo/linux-users