On 25 September 2014 01:36, jd1008 <jd1008@xxxxxxxxx> wrote:
>
> On 09/24/2014 06:27 PM, Chris Adams wrote:
>>
>> Once upon a time, jd1008 <jd1008@xxxxxxxxx> said:
>>>
>>> So, is this one of the ways javascripts exec bash to install malware
>>> or do other nasty stuff?
>>
>> This has nothing to do with Javascript. It is probably more serious to
>> servers, such as web servers, than to desktops.
>>
>> On a web server, let's say you have some PHP or perl CGI code, and it
>> needs to call out to an external program. Depending on how the code is
>> written, the PHP/perl interpreter may run the external program via
>> /bin/sh (which is bash on many systems, especially Linux systems). Now,
>> if the web client has set some specific variables that get put into
>> environment variables that get passed on to /bin/sh, bash will execute
>> the arbitrary shell code as the web server user (e.g. Apache).
>>
>> At that point, it can get full remote access, which can then often see
>> database credentials and such, accessing a lot of potentially secure
>> data. Even on RHEL/CentOS/Fedora systems, SELinux probably won't help
>> much (since the web user already has access to read that information).
>>
>> On a client system, there are some potential routes to exploiting this
>> as well. For example, I think the DHCP and PPP clients will run
>> external scripts to configure things (such as DNS, NTP, etc.), using
>> environment variables to pass information, so a malicious server could
>> potentially get full root access to a vulnerable client system. In most
>> cases though, I don't think bash or /bin/sh get passed arbitrary remote
>> data in environment variables on a client system (e.g. desktop).
>>
>> I could be missing some things (I'm not entirely familiar with the
>> complexity added by modern desktop environments), but I don't think this
>> is probably a huge deal for desktop Linux; I think the biggest impact
>> would be on web servers with PHP/perl that calls out to external
>> programs.
>>
> Well and good.
> Are you saying that a java script, being executed on your system
> via the browser, cannot also fork and exec bash?

That in itself is not the vulnerability; the vulnerability is that
starting bash with environment variables that are potentially set by an
untrusted user can execute code. The LWN write-up is quite good:
http://lwn.net/Articles/613032/

I might be wrong about this, but my understanding is that since CGI
uses environment variables to communicate parameters, any request to a
bash CGI script, or a CGI script that forks bash, exposes this
vulnerability, even if it does nothing with the parameters and is just
a hello world. Whereas if Firefox forks bash somehow (something I don't
think Javascript can do, but I could be wrong), the environment is
controlled by Firefox (javascript code can't set environment variables
either), so you're less exposed, though the Red Hat page on the
vulnerability does mention that they can't exclude all vulnerabilities
to this in Firefox.

https://access.redhat.com/articles/1200223 suggests Apache modules are
unaffected, so if you use mod_php for example it should not allow
remote requests to set environment variables, so even if bash gets
forked (which is hard to guarantee it won't by some module) it doesn't
expose this. Think I'll double check that...

--
imalone
http://ibmalone.blogspot.co.uk
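
The point made in the reply above, that a CGI request reaches the script as environment variables even when the script is a hello world that reads no parameters, as an added example (not code from this thread or from any project it mentions). It assumes the RFC 3875 header-to-variable mapping and the "() {" value prefix that unpatched bash imported as a function definition; the function names and the sample request are constructed.

```python
FUNC_DEF_PREFIX = "() {"   # assumption: marker unpatched bash treated as a function definition

def cgi_environ(method, script, query, headers, server_env=None):
    """Environment a CGI gateway hands to the script (RFC 3875 mapping).

    Returns (env, client_keys); client_keys are the variable names whose
    values were chosen by the remote client rather than by the server.
    """
    env = dict(server_env or {})
    env.update({"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": method,
                "SCRIPT_NAME": script, "QUERY_STRING": query})
    client_keys = {"QUERY_STRING"}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        if key not in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            key = "HTTP_" + key        # every other request header
        env[key] = value
        client_keys.add(key)
    return env, client_keys

def suspicious(env, client_keys):
    """Client-set variables whose value starts with the function-definition marker."""
    return sorted(k for k in client_keys
                  if env.get(k, "").startswith(FUNC_DEF_PREFIX))

def scrub(env, client_keys):
    """Copy of env with flagged variables dropped, for a child that may start /bin/sh."""
    bad = set(suspicious(env, client_keys))
    return {k: v for k, v in env.items() if k not in bad}

# Constructed request to a "hello world" CGI script that reads no parameters.
SAMPLE_HEADERS = {
    "Host": "www.example.test",
    "User-Agent": "() { placeholder; }",   # constructed value, carries no command
    "Accept": "text/html",
}

if __name__ == "__main__":
    env, client = cgi_environ("GET", "/cgi-bin/hello", "", SAMPLE_HEADERS,
                              {"PATH": "/usr/bin:/bin"})
    print("client-controlled:", sorted(client))
    print("flagged:", suspicious(env, client))
    print("passed to child:", sorted(scrub(env, client)))
```

Scrubbing like this is a stopgap for a gateway you control; the fix for the bug itself is the patched bash package.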