Hi Eliezer,

On Sun, 28 Sep 2014 01:01:17 +0300, Eliezer Croitoru wrote:
> If an admin wrote a cgi script that allows injection of functions into the bash environment then the cgi script should be fixed... If the issue is the mod_cgi interface itself allowing all sorts of stuff it is not 100% bash's fault.
>
> This issue is almost the same as php or other scripts that quote a variable straight into a sql query and do not use the "values" and "?" (question marks) to restrict the variables into a specific scope.
>
> From my point of view the php script should be fixed to prevent the sql injection rather than patching MySQL or any others.
I don't think you have understood this bug completely - the underlying assumption that it is safe to set environment variables to arbitrary values is wrong - this (at least -6271) is a bug in the way the variables are parsed internally in bash, potentially leading to code execution. "injection of functions into the bash environment" is an intentional feature of bash; having those functions execute code while being defined is a parser bug 8^)

Here is a scenario: You have an SSH server with this configuration for a user in their authorized_keys file:

    command="/opt/fincham/do-nothing" ssh-rsa AAAAB3NzA..Dxq= user(a)example.com

And `/opt/fincham/do-nothing' looks like this:

    #!/bin/bash
    /bin/false

SSH will force `/opt/fincham/do-nothing' to run when the user connects, and this script is clearly incapable of doing anything exciting.

However in this situation, SSH will set a variable `SSH_ORIGINAL_COMMAND' in the environment of the spawned shell to a value supplied by the connecting user (e.g. if the user runs "ssh server.example.com foo" the value of SSH_ORIGINAL_COMMAND will be "foo"). It is easy to see that, by design, this does not matter, as nothing in the script examines or uses this environment variable.

This is where the seriousness of the bug comes in - when the `bash' process starts it will parse the environment, and in doing so it is possible to exploit bash's parser to execute arbitrary code /while it is merely examining the contents/ of that environment. For instance if I connect with:

    ssh server.example.com "{ :;}; /some/malicious/command"

My script that previously could only call `/bin/false' will now run `/some/malicious/command' as soon as bash is called by OpenSSH.

Now think about how many places there are where a user can set an environment variable (for instance, as intended functionality of CGI, to pass e.g. HTTP_COOKIE values in to the CGI script) and where bash will be called subsequently, either intentionally or implicitly by e.g. system().
--
Michael Fincham, Dynamic Configuration Administrator
Bespoke technomancy for a secular age: http://www.hotplate.co.nz/