[GLLUG] Bash Bug

Alain Williams addw at phcomp.co.uk
Thu Sep 25 21:38:53 UTC 2014


On Thu, Sep 25, 2014 at 06:25:27PM +0100, chris procter wrote:

> So when you launch a bash shell it takes the environment
> variables inherited from its parent and, because environment variables
> can be functions, it evaluates them. However, it evaluates the whole
> string, so any trailing code gets evaluated (i.e. run). So, for example:
>
> export X='() { :;}; echo vulnerable'
> bash -c "echo this is a test"
>
> creates an environment variable X with the value '() { :;}; echo vulnerable',
> so when bash -c is run it creates a new bash shell and evaluates the X
> environment variable. The () { :;}; part is a valid shell function that does
> nothing, but the echo vulnerable part also gets executed and prints
> "vulnerable". Only then does the "echo this is a test" run. If instead of
> "echo vulnerable" you had "rm -rf /" then bad things happen.
> 
> cgi scripts take the query string and all of the other http parameters in 
> the request and turn them into environment variables, then they invoke 
> the cgi script which can read the environment variables to get the 
> parameters passed in. So if your cgi script is written in bash then a
> malicious hacker could send a suitably crafted http header that would run
> code when the cgi script was started.
> 
> So (stealing from a comment on hacker news) running: 
> 
> curl -H 'User-Agent: () { :;}; rm -rf /' http://<webserver>/<shell script>.cgi
> 
> against a bash cgi script would execute rm -rf / on the webserver. It runs it
> as the apache (httpd) user, however, so it's not (quite) as bad as that
> makes it sound, but still not fun.

Thanks for that ... it made me think. I first assumed that if I was not
generating web pages via a bash CGI script then I would be safe, but I got
thinking .... What if your perl/php/... script contains something like:

    system("/bin/mkdir /tmp/foo$$");  [**]

That will be done by passing /bin/something-or-other to the system shell to get
it executed. The assumption is that this will be 100% safe since it is not
taking anything from the user - but it is as Chris explains above.

So: an innocuous script like the above could be vulnerable.

Scary!



Perl's taint processing will help here.

[**] OK: I know that most scripting languages let you create directories in a
better/simpler way - this is illustration.

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>
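As an added illustration (not part of the thread, and not Chris's or Alain's code), the shell script below puts the two points of this message on a defender's footing: it runs the thread's own import probe against the local bash and reports whether trailing code was executed, it scans request header values for the "() {" function-definition prefix that bash looked for before importing (the thing a front end or log review would want to flag), and it shows how a script that has to spawn a shell (Alain's system() case) can do so with an explicit, minimal environment so that request variables exported by the web server never reach the child shell at all. The function names, the HTTP_USER_AGENT variable and the header lines are constructed for the example.

```shell
#!/bin/sh
# Added example: not code from the GLLUG thread. Function and variable names
# are illustrative; HTTP_USER_AGENT stands in for whatever header a CGI
# front end exports into the environment.

# 1. Probe the local bash with the same test used in the thread: a function
#    definition with trailing code in an exported variable. A vulnerable bash
#    runs the trailing "echo vulnerable" while importing the function; a
#    patched one ignores it (some versions warn on stderr, discarded here).
probe_bash_import() {
    out=$(env PROBE='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# 2. Detection: read "Name: value" header lines on stdin and print the name of
#    every header whose value starts with the function-definition prefix
#    "() {", which is what bash looked for before importing. A front end or
#    log review can use this to flag requests worth investigating.
scan_headers() {
    while IFS= read -r line; do
        name=${line%%:*}
        value=${line#*:}
        value=$(printf '%s' "$value" | sed 's/^[[:space:]]*//')
        case "$value" in
            "() {"*) printf '%s\n' "$name" ;;
        esac
    done
}

# 3. Mitigation: run a command with an explicit, minimal environment.
#    env -i starts from an empty environment, so anything the web server put
#    there from the request (HTTP_*, QUERY_STRING, ...) is not inherited by
#    the child shell, even if that shell is an unpatched bash.
run_with_clean_env() {
    env -i PATH=/usr/bin:/bin HOME=/tmp "$@"
}

# --- demonstration with constructed input ---------------------------------

# Constructed sample request headers, two of them carrying the prefix.
SAMPLE_HEADERS='Host: www.example.test
User-Agent: () { :;}; echo vulnerable
Accept: */*
Referer: () { :;}; /bin/true
Cookie: session=abc123'

echo "local bash: $(probe_bash_import)"
echo "headers carrying a function-definition prefix:"
printf '%s\n' "$SAMPLE_HEADERS" | scan_headers | sed 's/^/  /'

# The inherited variable is visible to a plain child shell but not to one
# started through run_with_clean_env.
HTTP_USER_AGENT='() { :;}; echo vulnerable'
export HTTP_USER_AGENT
echo "plain child sees:  $(sh -c 'echo "${HTTP_USER_AGENT:-unset}"')"
echo "clean child sees:  $(run_with_clean_env sh -c 'echo "${HTTP_USER_AGENT:-unset}"')"
```

The clean-environment wrapper is the part that applies to Alain's mkdir example: the danger there is not the command string but the environment the shell starts with, so passing only the variables the child actually needs removes the request data from the picture whether or not the system's bash has been patched.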