Re: Heads up: possible BASH security vulnerability

On 09/25/2014 01:50 AM, Ian Malone wrote:
> On 25 September 2014 01:36, jd1008 <jd1008@xxxxxxxxx> wrote:
>> On 09/24/2014 06:27 PM, Chris Adams wrote:
>>> Once upon a time, jd1008 <jd1008@xxxxxxxxx> said:
>>>> So, is this one of the ways JavaScripts exec bash to install malware
>>>> or do other nasty stuff?
>>> This has nothing to do with JavaScript.  It is probably more serious to
>>> servers, such as web servers, than to desktops.
>>>
>>> On a web server, let's say you have some PHP or Perl CGI code, and it
>>> needs to call out to an external program.  Depending on how the code is
>>> written, the PHP/Perl interpreter may run the external program via
>>> /bin/sh (which is bash on many systems, especially Linux systems).  Now,
>>> if the web client has set some specific variables that get put into
>>> environment variables that get passed on to /bin/sh, bash will execute
>>> the arbitrary shell code as the web server user (e.g. Apache).
>>>
>>> At that point, it can get full remote access, which can then often see
>>> database credentials and such, accessing a lot of potentially secure
>>> data.  Even on RHEL/CentOS/Fedora systems, SELinux probably won't help
>>> much (since the web user already has access to read that information).
>>>
>>> On a client system, there are some potential routes to exploiting this
>>> as well.  For example, I think the DHCP and PPP clients will run
>>> external scripts to configure things (such as DNS, NTP, etc.), using
>>> environment variables to pass information, so a malicious server could
>>> potentially get full root access to a vulnerable client system.  In most
>>> cases though, I don't think bash or /bin/sh get passed arbitrary remote
>>> data in environment variables on a client system (e.g. desktop).
>>>
>>> I could be missing some things (I'm not entirely familiar with the
>>> complexity added by modern desktop environments), but I don't think this
>>> is probably a huge deal for desktop Linux; I think the biggest impact
>>> would be on web servers with PHP/Perl that calls out to external
>>> programs.
>>
>> Well and good.
>> Are you saying that a JavaScript, being executed on your system
>> via the browser, cannot also fork and exec bash?
> That in itself is not the vulnerability; the vulnerability is that
> starting bash with environment variables that are potentially set by
> an untrusted user can execute code. The LWN write-up is quite good:
> http://lwn.net/Articles/613032/
>
> I might be wrong about this, but my understanding is that since CGI
> uses environment variables to communicate parameters, any request to a
> bash CGI script, or a CGI script that forks bash, exposes this
> vulnerability, even if it does nothing with the parameters and is just
> a hello world. Whereas if Firefox forks bash somehow (something I
> don't think JavaScript can do, but I could be wrong), the environment
> is controlled by Firefox (JavaScript code can't set environment
> variables either), so you're less exposed, though the Red Hat page on
> the vulnerability does mention that they can't exclude all
> vulnerabilities to this in Firefox.
>
> https://access.redhat.com/articles/1200223 suggests Apache modules are
> unaffected, so if you use mod_php for example it should not allow
> remote requests to set environment variables, so even if bash gets
> forked (which is hard to guarantee it won't by some module) it doesn't
> expose this. Think I'll double check that...

Thanx Ian.
I wonder if the BSD sh has the same vulnerability.

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
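The mechanism Chris Adams and Ian Malone describe above, as an added example that is not code from this thread or from any project it names: a web server exports client-supplied request data into the environment of a CGI child, and any helper that child launches through /bin/sh inherits that environment. The header-to-variable mapping (`HTTP_<NAME>`, hyphens to underscores, upper-cased, alongside `QUERY_STRING`) is the real CGI convention from RFC 3875; the sample request, the `demo()`/`header_seen_by_shell()` helpers and the allow-list are constructed for illustration. The bash parsing bug itself is not reproduced; the example shows which variables a remote client controls and how a CGI-style dispatcher keeps them away from external programs.

```python
# Added example (not from the mailing-list thread): model how CGI hands
# request data to a child environment, and allow-list that environment
# before calling out to an external program via /bin/sh.
import os
import subprocess
from typing import Dict, Mapping, Set

# Constructed sample request: every value here is chosen by the client.
SAMPLE_REQUEST = {
    "method": "GET",
    "query": "name=world",
    "headers": {
        "User-Agent": "constructed-client/1.0",
        "Cookie": "session=abc123",
        "Referer": "http://example.invalid/",
    },
}

# Variables a child helper legitimately needs; none of them originate
# in the HTTP request. (Hypothetical allow-list chosen for this example.)
SAFE_ENV_KEYS = frozenset({"PATH", "LANG", "TZ"})


def cgi_environment(request: Mapping) -> Dict[str, str]:
    """Build the CGI meta-variables a server exports to a script.

    Per RFC 3875, each request header becomes HTTP_<NAME> with '-'
    replaced by '_' and upper-cased, next to QUERY_STRING and friends.
    """
    env = {
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REQUEST_METHOD": request["method"],
        "QUERY_STRING": request["query"],
    }
    for name, value in request["headers"].items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def request_derived_keys(env: Mapping[str, str]) -> Set[str]:
    """Names in env whose values a remote client could have chosen."""
    client_chosen = {"QUERY_STRING", "REQUEST_METHOD", "PATH_INFO"}
    return {k for k in env if k.startswith("HTTP_") or k in client_chosen}


def child_environment(script_env: Mapping[str, str]) -> Dict[str, str]:
    """Allow-list the environment before spawning an external program."""
    return {k: v for k, v in script_env.items() if k in SAFE_ENV_KEYS}


def header_seen_by_shell(env: Mapping[str, str]) -> str:
    """Spawn /bin/sh with the given environment and report what it sees in
    HTTP_USER_AGENT ('unset' if the variable never reached the child).

    Hypothetical stand-in for the 'external program' a PHP or Perl CGI
    script might call; the absolute path avoids depending on PATH.
    """
    result = subprocess.run(
        ["/bin/sh", "-c", 'printf %s "${HTTP_USER_AGENT-unset}"'],
        env=dict(env),
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


def demo() -> Dict[str, str]:
    # What a CGI script actually inherits: the server's own environment
    # merged with the request-derived meta-variables.
    script_env = {**os.environ, **cgi_environment(SAMPLE_REQUEST)}
    return {
        # Exposed pattern: the script calls a helper with its full
        # environment, so the client-chosen header reaches /bin/sh.
        "inherited": header_seen_by_shell(script_env),
        # Mitigated pattern: the helper only gets the allow-listed keys.
        "allow_listed": header_seen_by_shell(child_environment(script_env)),
    }


if __name__ == "__main__":
    print(demo())
```

The allow-list is the point: a CGI script cannot stop the server from exporting `HTTP_*` variables, but it can decide which of them reach a child. Whether the spawned `/bin/sh` is bash is a property of the host, which is why Ian's observation about mod_php matters: if the request never becomes environment variables, the question of which shell runs the helper does not arise.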