[aklug] Re: CVE-2014-6271 - critical bash vulnerability

From: Royce Williams <royce@tycho.org>
Date: Fri Sep 26 2014 - 18:49:11 AKDT

On Fri, Sep 26, 2014 at 6:02 PM, The Gaijin <gaijin@gci.net> wrote:

> On 09/26/2014 01:33 PM, Mike wrote:
>
>> Royce,
>>
>> Thanks for covering this...I was going to post something later this
>> evening.
>>
>> You have saved me the trouble!
>>
>> Looks easy enough to patch.
>>
>> I'd like to also talk about the access vectors.
>>
>> It looks like only shelling into the box exposes this particular remote
>> exploit.
>>
>> Are there other avenues of access?
>>
>
> Theoretically, any program that takes input from an untrusted source and
> puts it into an environment variable that gets processed by bash (in this
> case) can be exploited. Environment variables for CGI scripts in Apache
> are a popular source of exploitation. :)
>

Yep, what Ray said.

mod_php, mod_perl, and mod_python are not affected, because they process
environment variables differently. But if you're using Perl under mod_cgi
and do anything that makes a system call to a vulnerable bash, that's bad.
Apparently, cPanel and Nagios both do this in one form or another.

Malicious DHCP servers are also possible. Can also be SSH, but
authentication has to actually happen first.

I anticipate more of this sort of thing, so I made a quick place to keep
track of it as I learn more.

http://www.techsolvency.com/story-so-far/

First entry is pretty much what I just sent to the list.

http://www.techsolvency.com/story-so-far/shellshock-cve-2014-2761/

I'll retrofit my Heartbleed notes as well, I think.

Royce

Received on Fri Sep 26 18:50:05 2014
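
The CGI path described in the quoted reply, sketched as an added example that is not part of the original thread: request headers become environment variables, and a pre-patch bash imported any value beginning with `() {` as a function definition. The function names and the sample request are constructed for illustration, and the match is deliberately a little broader than the exact prefix.

```python
import re

# Marker of an exported bash function definition at the start of a value.
# Leading whitespace is tolerated so near-variants are flagged as well.
FUNC_DEF = re.compile(r"^\s*\(\)\s*\{")

# Constructed sample request; the trailing command is a harmless echo.
SAMPLE_HEADERS = {
    "Host": "www.example.org",
    "User-Agent": "() { :;}; echo constructed-probe",
    "Accept": "*/*",
    "Content-Type": "text/plain",
}


def cgi_environ(headers, query_string=""):
    """Map request headers to CGI variables as RFC 3875 describes."""
    env = {"QUERY_STRING": query_string}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            env[key] = value            # these two carry no HTTP_ prefix
        else:
            env["HTTP_" + key] = value  # everything else is client-controlled
    return env


def suspicious_vars(env):
    """Names of variables whose value starts like a function definition."""
    return sorted(k for k, v in env.items() if FUNC_DEF.match(v))


def scrubbed(env):
    """Copy of env without the flagged variables, for handing to a child."""
    bad = set(suspicious_vars(env))
    return {k: v for k, v in env.items() if k not in bad}


if __name__ == "__main__":
    env = cgi_environ(SAMPLE_HEADERS, "id=1")
    for name in suspicious_vars(env):
        print("flagged:", name, "=", repr(env[name]))
    print("passed to child:", sorted(scrubbed(env)))
```

Dropping flagged variables is a stopgap for wrappers that must call out to a shell; patching bash is the fix.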
