On Tue, 30 Sep 2014, Jim Klimov wrote:

Maybe a stupid question on my side (sorry, I'm overwhelmed with relocation and other life events), but how really is this bug exploitable? Especially on Solaris and illumos systems with sh/ksh by default and assumed no scripted CGI (hosts of native or Java-sourced web code though)?

It is readily exploitable for web CGI scripts which provide/export values provided by the web server and remote client as environment variables. The "CGI" paradigm has thoroughly permeated web application infrastructures. The exploit requires that bash be executed with the problematic environment variables already set. Service applications obtained from Linux often require bash in order to run.

On my own systems, the only service I found which was suspect was 'git' and 'gitweb.cgi' since the 'git' implementation depends on many shell scripts, which specifically depend on bash.

For example, this is output from the test-cgi script provided with Apache:

CGI/1.0 test script report:

argc is 0. argv is .

SERVER_SOFTWARE = Apache/2.0.63 (Unix) DAV/2
SERVER_NAME = www.simplesystems.org
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.1
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING =
REMOTE_HOST =
REMOTE_ADDR = 65.66.245.66
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =

and this is output from a Perl script called 'printenv' which prints everything made available:

DOCUMENT_ROOT="/html"
GATEWAY_INTERFACE="CGI/1.1"
HTTP_ACCEPT="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
HTTP_ACCEPT_ENCODING="gzip, deflate"
HTTP_ACCEPT_LANGUAGE="en-US,en;q=0.5"
HTTP_CONNECTION="keep-alive"
HTTP_HOST="www.simplesystems.org"
HTTP_USER_AGENT="Mozilla/5.0 (X11; SunOS i86pc; rv:30.0) Gecko/20100101 Firefox/30.0"
PATH="/usr/sbin:/usr/bin"
QUERY_STRING=""
REMOTE_ADDR="65.66.245.66"
REMOTE_PORT="53877"
REQUEST_METHOD="GET"
REQUEST_URI="/cgi-bin/printenv"
SCRIPT_FILENAME="/var/apache2/cgi-bin/printenv"
SCRIPT_NAME="/cgi-bin/printenv"
SERVER_ADDR="65.66.246.89"
SERVER_ADMIN="webma...@simplesystems.org"
SERVER_NAME="www.simplesystems.org"
SERVER_PORT="80"
SERVER_PROTOCOL="HTTP/1.1"
SERVER_SIGNATURE="<address>Apache/2.0.63 (Unix) DAV/2 Server at www.simplesystems.org Port 80</address>\n"
SERVER_SOFTWARE="Apache/2.0.63 (Unix) DAV/2"
TZ="US/Central"
UNIQUE_ID="rExdoEFC9koAAEJpoxgAAAAJ"

--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
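An added example (not part of this thread or of any project named in it) that checks the two conditions Bob's reply describes: which CGI environment variables the remote client can influence, and whether a CGI script's interpreter line would actually start bash. The sample environment is constructed after the printenv listing above; the function names and the `sh_is_bash` flag are my own.

```python
import re

# CGI/1.1 variables whose values Apache copies from the remote request.
# Anything here can carry client-chosen bytes into a bash child's environment.
REMOTE_PREFIXES = ("HTTP_",)
REMOTE_NAMES = {"QUERY_STRING", "PATH_INFO", "PATH_TRANSLATED",
                "REQUEST_URI", "REQUEST_METHOD", "CONTENT_TYPE"}

# Vulnerable bash versions imported any variable whose value began with
# exactly "() {" as a function definition; that prefix is the detection signature.
FUNC_EXPORT = re.compile(r"^\(\) \{")

def remote_controlled(env):
    """Names in `env` that a remote client can influence."""
    return sorted(k for k in env
                  if k.startswith(REMOTE_PREFIXES) or k in REMOTE_NAMES)

def suspicious_vars(env):
    """Remote-controlled variables whose value has the function-export shape."""
    return sorted(k for k in remote_controlled(env) if FUNC_EXPORT.match(env[k]))

def script_uses_bash(first_line, sh_is_bash=False):
    """True if the shebang in `first_line` would run bash.

    sh_is_bash: set when /bin/sh on the host is bash (common on Linux);
    on Solaris/illumos /bin/sh is ksh93, so a plain #!/bin/sh never reaches bash.
    """
    m = re.match(r"#!\s*(\S+)(?:\s+(\S+))?", first_line)
    if not m:
        return False
    interp = m.group(1).rsplit("/", 1)[-1]
    if interp == "env" and m.group(2):      # "#!/usr/bin/env bash" form
        interp = m.group(2)
    return interp == "bash" or (sh_is_bash and interp == "sh")

# Constructed sample environment (assumption), modelled on the printenv output.
SAMPLE_ENV = {
    "DOCUMENT_ROOT": "/html",
    "HTTP_HOST": "www.example.invalid",
    "HTTP_USER_AGENT": "() { :; }",          # constructed function-export shape
    "QUERY_STRING": "",
    "REMOTE_ADDR": "192.0.2.10",
    "SCRIPT_NAME": "/cgi-bin/printenv",
}

if __name__ == "__main__":
    print("remote-controlled:", remote_controlled(SAMPLE_ENV))
    print("suspicious:", suspicious_vars(SAMPLE_ENV))
    print("git-style script reaches bash:", script_uses_bash("#!/bin/bash"))
```

Run it against the real environment of a CGI handler (for example by dumping `os.environ` from a test script) and against the first line of each file under cgi-bin to see which handlers satisfy both conditions on a given host.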