[OpenIndiana-discuss] Bash bug issue

Bob Friesenhahn bfriesen at simple.dallas.tx.us
Tue Sep 30 14:02:09 UTC 2014


On Tue, 30 Sep 2014, Jim Klimov wrote:
>
> Maybe a stupid question on my side (sorry I'm overwhelmed with 
> relocation and other life events), but how really is this bug 
> exploitable? Especially on Solaris and illumos systems with sh/ksh 
> by default and assumed no scripted CGI (hosts of native or java 
> sourced web-code though)?

It is readily exploitable for web CGI scripts which provide/export 
values provided by the web server and remote client as environment 
variables.  The "CGI" paradigm has thoroughly permeated web 
application infrastructures.  The exploit requires that bash be 
executed with the problematic environment variables already set. 
Service applications obtained from Linux often require bash in order 
to run.

On my own systems, the only service I found which was suspect was 
'git' and 'gitweb.cgi' since the 'git' implementation depends on many 
shell scripts, which specifically depend on bash.

For example, this is output from the test-cgi script provided with 
Apache:

CGI/1.0 test script report:

argc is 0. argv is .

SERVER_SOFTWARE = Apache/2.0.63 (Unix) DAV/2
SERVER_NAME = www.simplesystems.org
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.1
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING =
REMOTE_HOST =
REMOTE_ADDR = 65.66.245.66
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =

and this is output from a Perl script called 'printenv' which prints 
everything made available:

DOCUMENT_ROOT="/html"
GATEWAY_INTERFACE="CGI/1.1"
HTTP_ACCEPT="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
HTTP_ACCEPT_ENCODING="gzip, deflate"
HTTP_ACCEPT_LANGUAGE="en-US,en;q=0.5"
HTTP_CONNECTION="keep-alive"
HTTP_HOST="www.simplesystems.org"
HTTP_USER_AGENT="Mozilla/5.0 (X11; SunOS i86pc; rv:30.0) Gecko/20100101 Firefox/30.0"
PATH="/usr/sbin:/usr/bin"
QUERY_STRING=""
REMOTE_ADDR="65.66.245.66"
REMOTE_PORT="53877"
REQUEST_METHOD="GET"
REQUEST_URI="/cgi-bin/printenv"
SCRIPT_FILENAME="/var/apache2/cgi-bin/printenv"
SCRIPT_NAME="/cgi-bin/printenv"
SERVER_ADDR="65.66.246.89"
SERVER_ADMIN="webmaste at simplesystems.org"
SERVER_NAME="www.simplesystems.org"
SERVER_PORT="80"
SERVER_PROTOCOL="HTTP/1.1"
SERVER_SIGNATURE="<address>Apache/2.0.63 (Unix) DAV/2 Server at www.simplesystems.org Port 80</address>\n"
SERVER_SOFTWARE="Apache/2.0.63 (Unix) DAV/2"
TZ="US/Central"
UNIQUE_ID="rExdoEFC9koAAEJpoxgAAAAJ"

-- 
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
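
Added example, not part of the message above: a Python audit of a printenv-style dump that separates the variables a web server fills from the remote request from those it sets itself, and flags any value starting with "() {", the leading text that affected bash versions import as a function definition. The CLIENT_NAMES classification and all function names are assumptions of this example, and the HTTP_USER_AGENT value in the sample is constructed.

```python
import re

# Assumption: variables treated here as filled by the server from the request.
CLIENT_NAMES = {
    "QUERY_STRING", "PATH_INFO", "PATH_TRANSLATED", "REQUEST_URI",
    "REQUEST_METHOD", "CONTENT_TYPE", "CONTENT_LENGTH",
    "REMOTE_USER", "REMOTE_HOST",
}
LINE_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)="(.*)"$')
FUNC_PREFIX = "() {"  # value prefix that bash treats as an exported function


def parse_dump(text):
    """Parse NAME="value" lines (the printenv format above) into a dict."""
    env = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            env[match.group(1)] = match.group(2)
    return env


def is_client_controlled(name):
    """Request headers arrive as HTTP_*; the rest are listed explicitly."""
    return name.startswith("HTTP_") or name in CLIENT_NAMES


def audit(text):
    """Return (client-controlled names, names whose value has the prefix)."""
    env = parse_dump(text)
    client = sorted(n for n in env if is_client_controlled(n))
    flagged = sorted(n for n, v in env.items() if v.startswith(FUNC_PREFIX))
    return client, flagged


# Lines taken from the printenv output above, except HTTP_USER_AGENT,
# whose value is constructed for this example.
SAMPLE = '''\
GATEWAY_INTERFACE="CGI/1.1"
HTTP_ACCEPT_LANGUAGE="en-US,en;q=0.5"
HTTP_HOST="www.simplesystems.org"
HTTP_USER_AGENT="() { :; }; constructed-placeholder"
PATH="/usr/sbin:/usr/bin"
QUERY_STRING=""
SERVER_SOFTWARE="Apache/2.0.63 (Unix) DAV/2"
TZ="US/Central"
'''

if __name__ == "__main__":
    client, flagged = audit(SAMPLE)
    print("client-controlled:", client)
    print("function-definition prefix:", flagged)
```
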
