[Nottingham] Free Software Foundation statement on the GNU Bash "shellshock" vulnerability
Andy White
andy at milky.org.uk
Fri Sep 26 21:53:55 UTC 2014
On Fri, Sep 26, 2014 at 01:39:04PM +0100, Mike Cardwell wrote:
> * on the Fri, Sep 26, 2014 at 10:56:29AM +0100, Paul wrote:
>
> > The problem not only effects bash but can also be exploited on apache,
> > python etc. Check out the Red Hat security blog
> > https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>
> That's not strictly true. The problem is with bash only. Now, there are
> lots of pieces of software which allow untrusted parties to set
> arbitrary environment variables (which is ok behaviour). If you can
> access one of those pieces of software, set an environment variable,
> and then get it to run bash, then you can exploit bash. Apache isn't
> vulnerable, but if you happen to use Apache to run a CGI script,
> which it's self triggers bash to be executed, for example a Perl
> script which uses the system function, then there is a hole through
> which you can exploit the vulnerability in bash.
That's not strictly true either. Perl will use the shell if there are shell
meta-characters in the system call, otherwise it will use execvp.
Your /bin/sh may not even be bash, as is the case with recent debian/ubuntu
distributions.
More information about the Nottingham
mailing list