[OpenIndiana-discuss] Bash bug issue
Bruce Lilly
bruce.lilly at gmail.com
Wed Oct 1 20:38:47 UTC 2014
> So, do you mean that ksh93 does not have the vulnerability?
http://lists.research.att.com/pipermail/ast-developers/2014q3/003964.html
On Tue, Sep 30, 2014 at 10:02 AM, Bob Friesenhahn <
bfriesen at simple.dallas.tx.us> wrote:
> On Tue, 30 Sep 2014, Jim Klimov wrote:
>
>>
>> Maybe a stupid question on my side (sorry i'm overwhelmed with relocation
>> and other life events), but how really is this bug exploitable? Especially
>> on Solaris and illumos systems with sh/ksh by default and assumed no
>> scripted CGI (hosts of native or java sourced web-code though) ?
>>
>
> It is readily exploitable for web CGI scripts which provide/export values
> provided by the web server and remote client as environment variables. The
> "CGI" paradigm has thoroughly permiated web application infrastructures.
> The exploit requires that bash be executed with the problematic environment
> variables already set. Service applications obtained from Linux often
> require bash in order to run.
>
> On my own systems, the only service I found which was suspect was 'git'
> and 'gitweb.cgi' since the 'git' implementation depends on many shell
> scripts, which specifically depend on bash.
>
> For example, this is output from the test-cgi script provided with Apache:
>
> CGI/1.0 test script report:
>
> argc is 0. argv is .
>
> SERVER_SOFTWARE = Apache/2.0.63 (Unix) DAV/2
> SERVER_NAME = www.simplesystems.org
> GATEWAY_INTERFACE = CGI/1.1
> SERVER_PROTOCOL = HTTP/1.1
> SERVER_PORT = 80
> REQUEST_METHOD = GET
> HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q=0.9,*/*;
> q=0.8
> PATH_INFO =
> PATH_TRANSLATED =
> SCRIPT_NAME = /cgi-bin/test-cgi
> QUERY_STRING =
> REMOTE_HOST =
> REMOTE_ADDR = 65.66.245.66
> REMOTE_USER =
> AUTH_TYPE =
> CONTENT_TYPE =
> CONTENT_LENGTH =
>
> and this is output from a Perl script called 'printenv' which prints
> everything made available:
>
> DOCUMENT_ROOT="/html"
> GATEWAY_INTERFACE="CGI/1.1"
> HTTP_ACCEPT="text/html,application/xhtml+xml,
> application/xml;q=0.9,*/*;q=0.8"
> HTTP_ACCEPT_ENCODING="gzip, deflate"
> HTTP_ACCEPT_LANGUAGE="en-US,en;q=0.5"
> HTTP_CONNECTION="keep-alive"
> HTTP_HOST="www.simplesystems.org"
> HTTP_USER_AGENT="Mozilla/5.0 (X11; SunOS i86pc; rv:30.0) Gecko/20100101
> Firefox/30.0"
> PATH="/usr/sbin:/usr/bin"
> QUERY_STRING=""
> REMOTE_ADDR="65.66.245.66"
> REMOTE_PORT="53877"
> REQUEST_METHOD="GET"
> REQUEST_URI="/cgi-bin/printenv"
> SCRIPT_FILENAME="/var/apache2/cgi-bin/printenv"
> SCRIPT_NAME="/cgi-bin/printenv"
> SERVER_ADDR="65.66.246.89"
> SERVER_ADMIN="webmaste at simplesystems.org"
> SERVER_NAME="www.simplesystems.org"
> SERVER_PORT="80"
> SERVER_PROTOCOL="HTTP/1.1"
> SERVER_SIGNATURE="<address>Apache/2.0.63 (Unix) DAV/2 Server at
> www.simplesystems.org Port 80</address>\n"
> SERVER_SOFTWARE="Apache/2.0.63 (Unix) DAV/2"
> TZ="US/Central"
> UNIQUE_ID="rExdoEFC9koAAEJpoxgAAAAJ"
>
> --
> Bob Friesenhahn
> bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
>
> _______________________________________________
> openindiana-discuss mailing list
> openindiana-discuss at openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss
>
More information about the openindiana-discuss
mailing list