[GLLUG] Bash Bug

chris procter chris-procter at talk21.com
Thu Sep 25 20:13:52 UTC 2014


----- Original Message -----

> From: Andy Smith <andy at bitfolk.com>
> Hello,
> 
> On Thu, Sep 25, 2014 at 06:25:27PM +0100, chris procter wrote:
>>  I'd still say heartbleed is worse though, who runs bash cgi scripts?
> 
> It's not just applications implemented in bash, it's anything that
> ever shells out to bash and could have its environment under control
> of an attacker.
> 
>     https://news.ycombinator.com/item?id=8362450
> 
> Cheers,
> Andy


I may have been being a little bit frivolous :-)

I had great fun yesterday exploiting our internal perl scripts and the like, it's easy to exploit but it's actually relatively hard to get it to do something you couldn't do anyway (you mostly end up running commands as your own user).  What you need is a server app that runs as its own user and allows you to set environment variables for a subshell rather than passing args or using pipes.  I think there's a lot less of those than servers running openssl.

Plus this is an easy fix with no downtime, no restarting services, no regenerating keys etc, just "yum upgrade bash" and walk away which is much easier than heartbleed.

The real issue with this one is it's hard to be sure exactly what's vulnerable, lazy developers can do some horrible things with system() and co to avoid writing a few lines of code. So not as bad as heartbleed but still pretty fscking nasty.


chris
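
The exposure discussed in this thread, as an added example that is not part of either poster's message: a service that copies request data into a child's environment, next to one that keeps a fixed environment and passes untrusted values as arguments. The header names, the allowlist and the stand-in child process are assumptions made for illustration.

```python
import json
import os
import subprocess
import sys

# Assumption: the only variable names this hypothetical service lets a child inherit.
ALLOWED_NAMES = ("PATH", "LANG", "TZ")

# Constructed request headers; the first value has the shape of an exported
# bash function definition followed by inert trailing text.
SAMPLE_HEADERS = {"User-Agent": "() { :; }; constructed-trailing-text",
                  "Accept": "text/html"}

# Stand-in child that reports what it received. A real helper would sit here;
# using the Python interpreter keeps the example offline and bash-free.
CHILD = ("import json, os, sys; "
         "print(json.dumps({'env': dict(os.environ), 'argv': sys.argv[1:]}))")


def base_env():
    """Fixed environment: allowlisted names copied from the parent, nothing else."""
    return {k: os.environ[k] for k in ALLOWED_NAMES if k in os.environ}


def cgi_style_env(headers):
    """Risky pattern: every request header becomes an HTTP_* variable."""
    env = base_env()
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def looks_like_function_export(value):
    """Unpatched bash treated values beginning '() {' as function definitions."""
    return value.startswith("() {")


def run_child(env, args=()):
    """Spawn the child from an argv list with an explicit env; no shell involved."""
    done = subprocess.run([sys.executable, "-c", CHILD, *args], env=env,
                          capture_output=True, text=True, check=True)
    return json.loads(done.stdout)


def run_hardened(headers):
    """Untrusted values travel as arguments; suspicious ones are dropped."""
    args = [v for v in headers.values() if not looks_like_function_export(v)]
    return run_child(base_env(), args)
```

With the CGI-style environment the header value reaches the child's environment unchanged, which is where any later `system()` call into bash would pick it up; the hardened path leaves no `HTTP_*` variables for it to find.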



