Re: Heads up: possible BASH security vulnerability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


On 09/24/2014 06:27 PM, Chris Adams wrote:

Once upon a time, jd1008 <jd1008@xxxxxxxxx> said:

So, is this one of the ways javascripts exec bash to install malware
or do other nasty stuff?

This has nothing to do with Javascript.  It is probably more serious to
servers, such as web servers, than to desktops.

On a web server, let's say you have some PHP or perl CGI code, and it
needs to call out to an external program.  Depending on how the code is
written, the PHP/perl interpreter may run the external program via
/bin/sh (which is bash on many systems, especially Linux systems).  Now,
if the web client has set some specific variables that get put into
environment variables that get passed on to /bin/sh, bash will execute
the arbitrary shell code as the web server user (e.g. Apache).

At that point, it can get full remote access, which can then often see
database credentials and such, accessing a lot of potentially secure
data.  Even on RHEL/CentOS/Fedora systems, SELinux probably won't help
much (since the web user already has access to read that information).

On a client system, there are some potential routes to exploiting this
as well.  For example, I think the DHCP and PPP clients will run
external scripts to configure things (such as DNS, NTP, etc.), using
environment variables to pass information, so a malicious server could
potentially get full root access to a vulnerable client system.  In most
cases though, I don't think bash or /bin/sh get passed arbitrary remote
data in environment variables on a client system (e.g. desktop).

I could be missing some things (I'm not entirely familiar with the
complexity added by modern desktop environments), but I don't think this
is probably a huge deal for desktop Linux; I think the biggest impact
would be on web servers with PHP/perl that calls out to external
programs.


Well and good.
Are you saying that a java script, being executed on your system
via the browser, cannot also fork and exec bash?


--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux