[OpenIndiana-discuss] Bash bug issue

Jim Klimov jimklimov at cos.ru
Tue Sep 30 08:40:28 UTC 2014


On 29 September 2014 at 17:46:20 CEST, Jason Matthews <jason at broken.net> writes:
>paraphrasing "Joshua" from "WarGames," bash is a strange game where the
>only winning move is not to play. 
>
>J. 
>
>Sent from my iPhone
>
>> On Sep 29, 2014, at 2:43 AM, "Udo Grabowski (IMK)"
><udo.grabowski at kit.edu> wrote:
>> 
>> As predicted, there's more bash horror (Score 11....):
>
>_______________________________________________
>openindiana-discuss mailing list
>openindiana-discuss at openindiana.org
>http://openindiana.org/mailman/listinfo/openindiana-discuss

Maybe a stupid question on my side (sorry, I'm overwhelmed with relocation and other life events), but how really is this bug exploitable? Especially on Solaris and illumos systems with sh/ksh by default and assumed no scripted CGI (hosts of native or Java-sourced web code, though)?

I mean, from what I gather, the bug allows one to execute unexpected code with the credentials of the user that executes bash. On a local system someone should already have a login to do that (or a hacked backdoor), so they may have other means for doing mischief. Can it be used to elevate? How? Via config files for root-executed initscripts and cronjobs? If these are editable by a random untrustworthy user, the system is already busted without the bug...

I kinda get the point about web scripts, especially where system programs can be called with the default shell of the webserver account (bash for some), although I did not really grasp from cursory looks at the articles just how the env function can be passed via HTTP requests to do the exploit. Let's assume it can be done... as protection/precaution, would it suffice to make sure that apache's and such do not use bash in their /etc/passwd fields (and restart the daemons)?

Also, did anyone (beside Oracle) already build and publish a replacement SUNWbash for legacy Solaris 8-10 systems? ;)

Thanks, Jim
--
Typos courtesy of K-9 Mail on my Samsung Android
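The mechanism Jim asks about is the CGI gateway itself: RFC 3875 requires the web server to copy every request header into the child's environment as `HTTP_<NAME>`, so a header value reaches the shell as an environment variable without any script asking for it. The following is an added example, not code from the thread or from any of the projects mentioned; it builds that environment from a constructed request, flags values that begin with a shell function definition (the shape bash looked for when importing functions), and audits passwd-format lines for accounts whose login shell is bash, which is the precaution Jim proposes. The request headers and passwd lines are constructed sample data, and `example.invalid` is a placeholder host.

```python
"""Added example (not from the openindiana-discuss thread): how CGI turns
request headers into environment variables, plus two defender-side checks.
All request and passwd data below is constructed for the example."""
import re

# RFC 3875 section 4.1.18: each request header "Name: value" becomes the
# environment variable HTTP_NAME, upper-cased, with '-' replaced by '_'.
def cgi_environ(method, script_name, headers):
    env = {
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": script_name,
    }
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

# An exported shell function, as bash serialised it, starts with "() {".
# Ordinary header values (browser strings, host names) never do.
FUNC_DEF = re.compile(r"^\s*\(\)\s*\{")

def suspicious_vars(env):
    """Names of environment variables whose value looks like a function body."""
    return sorted(name for name, value in env.items() if FUNC_DEF.match(value))

def accounts_with_shell(passwd_text, shell_basename="bash"):
    """Login names from passwd(4)-format lines whose login shell is `shell_basename`."""
    hits = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # malformed line: skip rather than guess
            continue
        login, shell = fields[0], fields[6]
        if shell.rsplit("/", 1)[-1] == shell_basename:
            hits.append(login)
    return hits

# Constructed sample request: one benign header, one that carries a function
# definition (the payload here only echoes a marker, nothing else).
SAMPLE_HEADERS = {
    "Host": "example.invalid",
    "User-Agent": "() { :; }; echo marker",
}

# Constructed passwd-style lines in the layout Solaris/illumos use.
SAMPLE_PASSWD = """root:x:0:0:Super-User:/:/usr/bin/bash
daemon:x:1:1::/:/bin/sh
webservd:x:80:80:WebServer Reserved UID:/:/usr/bin/bash
"""

if __name__ == "__main__":
    env = cgi_environ("GET", "/cgi-bin/status", SAMPLE_HEADERS)
    print("flagged variables:", suspicious_vars(env))
    print("accounts with bash as login shell:", accounts_with_shell(SAMPLE_PASSWD))
```

Two caveats follow from the code: the header-to-environment copy happens whether or not the script is written in bash, so a C or Java CGI that later runs `system()` or `popen()` with `/bin/sh` being bash is exposed just the same, and changing the login shell in passwd only helps where the daemon actually consults it; `system()` uses `/bin/sh` regardless of the account's shell field.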