Heads up: possible BASH security vulnerability

Daniel J Walsh dwalsh at redhat.com
Thu Sep 25 20:08:58 UTC 2014


On 09/24/2014 08:27 PM, Chris Adams wrote:
> Once upon a time, jd1008 <jd1008 at gmail.com> said:
>> So, is this one of the ways javascripts exec bash to install malware
>> or do other nasty stuff?
> This has nothing to do with Javascript.  It is probably more serious to
> servers, such as web servers, than to desktops.
>
> On a web server, let's say you have some PHP or perl CGI code, and it
> needs to call out to an external program.  Depending on how the code is
> written, the PHP/perl interpreter may run the external program via
> /bin/sh (which is bash on many systems, especially Linux systems).  Now,
> if the web client has set some specific variables that get put into
> environment variables that get passed on to /bin/sh, bash will execute
> the arbitrary shell code as the web server user (e.g. Apache).
>
> At that point, it can get full remote access, which can then often see
> database credentials and such, accessing a lot of potentially secure
> data.  Even on RHEL/CentOS/Fedora systems, SELinux probably won't help
> much (since the web user already has access to read that information).
This is wrong.  SELinux would help in the situation of a confined
application: if an application is running as httpd_sys_script_t or
httpd_t, it would only be allowed to do what apache or a cgi script is
allowed to do.

SELinux would block it from reading random parts of the OS.  For example,
if I had a world readable file containing credit card data in my home
directory and I had a faulty bash being run by a cgi script on apache,
SELinux would block the bash/cgi script from reading the world readable
file.

Now if you were running as unconfined_t or running in permissive mode or
disabled, then you would not get the protections.
> On a client system, there are some potential routes to exploiting this
> as well.  For example, I think the DHCP and PPP clients will run
> external scripts to configure things (such as DNS, NTP, etc.), using
> environment variables to pass information, so a malicious server could
> potentially get full root access to a vulnerable client system.  In most
> cases though, I don't think bash or /bin/sh get passed arbitrary remote
> data in environment variables on a client system (e.g. desktop).
>
> I could be missing some things (I'm not entirely familiar with the
> complexity added by modern desktop environments), but I don't think this
> is probably a huge deal for desktop Linux; I think the biggest impact
> would be on web servers with PHP/perl that calls out to external
> programs.
>
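The CGI-to-shell path described in the thread (client request headers copied into HTTP_* environment variables, then inherited by whatever helper the script spawns) can be cut off at the gateway regardless of which bash is installed. The following is an added example, not code from either poster or from any project: it mimics how a gateway builds the CGI environment from constructed sample headers, flags values that look like exported bash function definitions (the "() {" prefix) for detection, and runs the helper directly rather than via /bin/sh with only an allowlisted environment. The allowlist, the sample headers and the helper names are assumptions for illustration; a real gateway exports more variables, and SELinux confinement of the script domain remains the second layer Daniel describes.

```python
"""Added example, not from the mailing-list thread: scrub the CGI
environment before spawning a helper, and spawn it without a shell.

Assumptions (not from the page): the allowlist and the constructed
sample headers below are illustrative only.
"""
import logging
import os
import subprocess
import sys

log = logging.getLogger("cgi-env")

# Variables a helper program legitimately needs (assumed allowlist).
# Everything else the web server copied from the client request is dropped.
CGI_ALLOWLIST = {"PATH", "LANG", "REQUEST_METHOD", "QUERY_STRING", "CONTENT_TYPE"}

# A value beginning with "() {" is what bash treats as an exported function
# definition when it starts up; client-controlled headers never need it.
FUNCTION_EXPORT_PREFIX = "() {"

# Constructed request headers for this example (not a real capture).
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "() { :; }; malicious-command-here",
    "Accept": "*/*",
}


def headers_to_cgi_env(headers):
    """Mimic how a CGI gateway turns request headers into HTTP_* variables."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def find_function_exports(env):
    """Detection side: names whose values look like exported bash functions."""
    return sorted(n for n, v in env.items()
                  if v.lstrip().startswith(FUNCTION_EXPORT_PREFIX))


def scrub_cgi_environment(env):
    """Return (minimal environment for a helper, names that were rejected)."""
    clean, rejected = {}, []
    for name, value in env.items():
        if name not in CGI_ALLOWLIST:
            rejected.append(name)
            continue
        if value.lstrip().startswith(FUNCTION_EXPORT_PREFIX):
            # Even an allowlisted variable must not carry a function export.
            log.warning("dropping %s: value looks like a bash function export", name)
            rejected.append(name)
            continue
        clean[name] = value
    return clean, sorted(rejected)


def run_helper(argv, env):
    """Run a helper program directly (argv list, no /bin/sh) with the scrubbed env."""
    clean, _ = scrub_cgi_environment(env)
    return subprocess.run(argv, env=clean, shell=False,
                          capture_output=True, text=True, check=False)


def helper_visible_variables():
    """Use the Python interpreter as a stand-in helper and report what it inherits."""
    env = headers_to_cgi_env(SAMPLE_HEADERS)
    env.update({"QUERY_STRING": "q=1",
                "PATH": os.environ.get("PATH", "/usr/bin:/bin")})
    result = run_helper(
        [sys.executable, "-c", "import os; print(' '.join(sorted(os.environ)))"],
        env)
    return result.stdout.split()


if __name__ == "__main__":
    cgi_env = headers_to_cgi_env(SAMPLE_HEADERS)
    print("suspicious variables:", find_function_exports(cgi_env))
    print("helper inherits:", helper_visible_variables())
```

The two halves are independent: `find_function_exports` is the kind of check a request log or WAF rule would apply, while `scrub_cgi_environment` plus an argv-style exec removes the problem at its source, because nothing client-controlled reaches a shell's startup in the first place.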
