Heads up: possible BASH security vulnerability

Chris Adams linux at cmadams.net
Thu Sep 25 00:27:07 UTC 2014


Once upon a time, jd1008 <jd1008 at gmail.com> said:
> So, is this one of the ways javascripts exec bash to install malware
> or do other nasty stuff?

This has nothing to do with JavaScript.  It is probably more serious to
servers, such as web servers, than to desktops.

On a web server, let's say you have some PHP or perl CGI code, and it
needs to call out to an external program.  Depending on how the code is
written, the PHP/perl interpreter may run the external program via
/bin/sh (which is bash on many systems, especially Linux systems).  Now,
if the web client has set some specific variables that get put into
environment variables that get passed on to /bin/sh, bash will execute
the arbitrary shell code as the web server user (e.g. Apache).

At that point, it can get full remote access, which can then often see
database credentials and such, accessing a lot of potentially secure
data.  Even on RHEL/CentOS/Fedora systems, SELinux probably won't help
much (since the web user already has access to read that information).

On a client system, there are some potential routes to exploiting this
as well.  For example, I think the DHCP and PPP clients will run
external scripts to configure things (such as DNS, NTP, etc.), using
environment variables to pass information, so a malicious server could
potentially get full root access to a vulnerable client system.  In most
cases though, I don't think bash or /bin/sh get passed arbitrary remote
data in environment variables on a client system (e.g. desktop).

I could be missing some things (I'm not entirely familiar with the
complexity added by modern desktop environments), but I don't think this
is probably a huge deal for desktop Linux; I think the biggest impact
would be on web servers with PHP/perl that calls out to external
programs.

-- 
Chris Adams <linux at cmadams.net>
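
The CGI path described in the message above, as an added example that is not part of the original post: it shows how request headers become environment variables under the CGI convention (RFC 3875), flags request-derived values shaped like a bash function definition, and runs an external program without a shell and with an allowlisted environment. The function names, the allowlist contents and the sample headers are assumptions made for this illustration.

```python
import subprocess

# Variables the child program actually needs; everything else is dropped.
# This allowlist is an assumption for the example.
CHILD_ENV_ALLOWLIST = ("PATH", "LANG", "TZ")


def cgi_environment(headers, base_env):
    """Build the environment a CGI gateway hands to a script (RFC 3875):
    each request header 'X-Name' becomes the variable 'HTTP_X_NAME'."""
    env = dict(base_env)
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def client_controlled(env):
    """Names of variables whose values came straight from the request."""
    return sorted(k for k in env if k.startswith("HTTP_"))


def looks_like_function_definition(value):
    """Bash exports shell functions as values beginning with '() {'; such a
    value in a request-derived variable is worth logging and rejecting."""
    return value.lstrip().startswith("() {")


def scrubbed_env(env):
    """Environment for a child process: allowlisted names only."""
    return {k: env[k] for k in CHILD_ENV_ALLOWLIST if k in env}


def run_helper(argv, env):
    """Run an external program from an argument list (no /bin/sh in between)
    and with the scrubbed environment; returns the program's stdout."""
    return subprocess.run(argv, env=scrubbed_env(env), capture_output=True,
                          text=True, check=True).stdout


# Constructed sample request headers (not taken from any real traffic).
SAMPLE_HEADERS = {"User-Agent": "() { :; }", "Accept-Language": "en-US"}
SAMPLE_ENV = cgi_environment(SAMPLE_HEADERS, {"PATH": "/usr/bin:/bin"})

if __name__ == "__main__":
    print("client-controlled:", client_controlled(SAMPLE_ENV))
    print(run_helper(["env"], SAMPLE_ENV))
```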

