Heads up: possible BASH security vulnerability

jd1008 jd1008 at gmail.com
Thu Sep 25 00:36:02 UTC 2014


On 09/24/2014 06:27 PM, Chris Adams wrote:
> Once upon a time, jd1008 <jd1008 at gmail.com> said:
>> So, is this one of the ways javascripts exec bash to install malware
>> or do other nasty stuff?
> This has nothing to do with Javascript.  It is probably more serious to
> servers, such as web servers, than to desktops.
>
> On a web server, let's say you have some PHP or perl CGI code, and it
> needs to call out to an external program.  Depending on how the code is
> written, the PHP/perl interpreter may run the external program via
> /bin/sh (which is bash on many systems, especially Linux systems).  Now,
> if the web client has set some specific variables that get put into
> environment variables that get passed on to /bin/sh, bash will execute
> the arbitrary shell code as the web server user (e.g. Apache).
>
> At that point, it can get full remote access, which can then often see
> database credentials and such, accessing a lot of potentially secure
> data.  Even on RHEL/CentOS/Fedora systems, SELinux probably won't help
> much (since the web user already has access to read that information).
>
> On a client system, there are some potential routes to exploiting this
> as well.  For example, I think the DHCP and PPP clients will run
> external scripts to configure things (such as DNS, NTP, etc.), using
> environment variables to pass information, so a malicious server could
> potentially get full root access to a vulnerable client system.  In most
> cases though, I don't think bash or /bin/sh get passed arbitrary remote
> data in environment variables on a client system (e.g. desktop).
>
> I could be missing some things (I'm not entirely familiar with the
> complexity added by modern desktop environments), but I don't think this
> is probably a huge deal for desktop Linux; I think the biggest impact
> would be on web servers with PHP/perl that calls out to external
> programs.
>
Well and good.
Are you saying that a java script, being executed on your system
via the browser, cannot also fork and exec bash?
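
An added example, not part of the original thread, illustrating the web-server case described in the quoted reply: request headers become `HTTP_*` environment variables that any child process inherits. It also shows a helper being run without `/bin/sh` and with an allow-listed environment. The header values, the `ALLOWED` list and all function names are assumptions made for illustration.

```python
import json
import os
import subprocess
import sys

# Constructed request headers; every value here is chosen by the web client.
SAMPLE_HEADERS = {"User-Agent": "ExampleClient/1.0", "Cookie": "session=abc123"}

# Assumed allow-list: server-side variables the helper program really needs.
ALLOWED = ("PATH", "LANG", "TZ")

def cgi_environment(headers, server_env):
    """Build a CGI-style environment: server variables plus HTTP_* from headers."""
    env = dict(server_env)
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def scrubbed(env):
    """Keep only allow-listed variables, dropping everything client-derived."""
    return {k: v for k, v in env.items() if k in ALLOWED}

def sh_target():
    """Resolve what /bin/sh really is (bash on many Linux systems)."""
    return os.path.basename(os.path.realpath("/bin/sh"))

# Stand-in for the external program: reports the HTTP_* names it inherited.
_REPORT = ("import os, json; "
           "print(json.dumps(sorted(k for k in os.environ if k.startswith('HTTP_'))))")

def child_sees(env):
    """Exec the helper directly (argv list, no /bin/sh) with exactly this env."""
    done = subprocess.run([sys.executable, "-c", _REPORT], env=env,
                          capture_output=True, text=True, check=True)
    return json.loads(done.stdout)

if __name__ == "__main__":
    request_env = cgi_environment(SAMPLE_HEADERS, {"PATH": "/usr/bin:/bin", "LANG": "C"})
    print("/bin/sh resolves to:", sh_target())
    print("child inherits by default:", child_sees(request_env))
    print("child with scrubbed env:  ", child_sees(scrubbed(request_env)))
```

Passing an argument list (rather than a single command string) means no shell is started for the helper, and the scrubbed environment keeps client-supplied values away from any shell the helper might start itself.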



