On 09/24/2014 08:27 PM, Chris Adams wrote:
> Once upon a time, jd1008 <jd1008@xxxxxxxxx> said:
>> So, is this one of the ways javascripts exec bash to install malware
>> or do other nasty stuff?
> This has nothing to do with Javascript. It is probably more serious to
> servers, such as web servers, than to desktops.
>
> On a web server, let's say you have some PHP or perl CGI code, and it
> needs to call out to an external program. Depending on how the code is
> written, the PHP/perl interpreter may run the external program via
> /bin/sh (which is bash on many systems, especially Linux systems). Now,
> if the web client has set some specific variables that get put into
> environment variables that get passed on to /bin/sh, bash will execute
> the arbitrary shell code as the web server user (e.g. Apache).
>
> At that point, it can get full remote access, which can then often see
> database credentials and such, accessing a lot of potentially secure
> data. Even on RHEL/CentOS/Fedora systems, SELinux probably won't help
> much (since the web user already has access to read that information).

This is wrong. SELinux would help in the situation of a confined application: if an application is running as httpd_sys_script_t or httpd_t, it would only be allowed to do what apache or a cgi script is allowed to do. SELinux would block it from reading random parts of the OS. For example, if I had a world readable file containing credit card data in my home directory and I had a faulty bash being run by a cgi script on apache, SELinux would block the bash/cgi script from reading the world readable file. Now, if you were running as unconfined_t, or running in permissive mode or disabled, then you would not get the protections.

> On a client system, there are some potential routes to exploiting this
> as well. For example, I think the DHCP and PPP clients will run
> external scripts to configure things (such as DNS, NTP, etc.), using
> environment variables to pass information, so a malicious server could
> potentially get full root access to a vulnerable client system. In most
> cases though, I don't think bash or /bin/sh get passed arbitrary remote
> data in environment variables on a client system (e.g. desktop).
>
> I could be missing some things (I'm not entirely familiar with the
> complexity added by modern desktop environments), but I don't think this
> is probably a huge deal for desktop Linux; I think the biggest impact
> would be on web servers with PHP/perl that calls out to external
> programs.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
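The chain Chris describes (client request headers exported as environment variables, then handed to a /bin/sh that is bash) can be checked and narrowed locally. The script below is an added example, not code from anyone in the thread: it reports whether the local bash imports and runs code from a function-shaped environment variable, lists which variables in a CGI environment the client controls, and runs a helper with an allowlisted environment instead of the inherited one. The function names and the sample CGI environment are constructed for illustration; it needs Python 3.7+ and a `bash` binary on PATH.

```python
"""Local checks and a mitigation for the bash environment-import bug."""
import os
import shutil
import subprocess

# Variables that CGI front ends (Apache mod_cgi, PHP, Perl) derive from the
# client's request and export to child processes. Prefix list is illustrative.
CLIENT_DERIVED_PREFIXES = ("HTTP_", "CONTENT_")
CLIENT_DERIVED_NAMES = {"QUERY_STRING", "REQUEST_URI", "PATH_INFO",
                        "REQUEST_METHOD", "REMOTE_USER"}


def client_controlled_vars(environ):
    """Names in `environ` whose values an HTTP client gets to choose."""
    return sorted(k for k in environ
                  if k.startswith(CLIENT_DERIVED_PREFIXES) or k in CLIENT_DERIVED_NAMES)


def bash_env_import_status(bash="bash"):
    """'vulnerable' if this bash runs the command appended to a function
    definition it imports from the environment, 'patched' if it treats the
    value as a plain string, 'missing' if no such binary is on PATH.
    This probes only the original import bug; later follow-up fixes to the
    parser need their own checks."""
    path = shutil.which(bash)
    if path is None:
        return "missing"
    probe_env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"),
                 "probe": "() { :; }; echo MARKER_FROM_ENV"}
    # `bash -c :` does nothing itself, so any output comes from env import.
    out = subprocess.run([path, "-c", ":"], env=probe_env,
                         capture_output=True, text=True).stdout
    return "vulnerable" if "MARKER_FROM_ENV" in out else "patched"


def run_helper_clean(argv, environ, keep=("PATH", "LANG")):
    """Run an external helper the way a hardened CGI should: no shell in the
    middle, and only allowlisted variables from `environ` reach the child."""
    child_env = {k: environ[k] for k in keep if k in environ}
    child_env.setdefault("PATH", "/usr/bin:/bin")
    return subprocess.run(argv, env=child_env, capture_output=True, text=True).stdout


# Constructed CGI-style environment, shaped like what mod_cgi builds per request.
SAMPLE_CGI_ENV = {"PATH": "/usr/bin:/bin", "SERVER_SOFTWARE": "Apache",
                  "REQUEST_METHOD": "GET", "QUERY_STRING": "id=7",
                  "HTTP_USER_AGENT": "client-chosen text", "HTTP_COOKIE": "s=1"}

if __name__ == "__main__":
    print("local bash:", bash_env_import_status())
    print("client-controlled:", client_controlled_vars(SAMPLE_CGI_ENV))
    print("child sees:", run_helper_clean(["env"], SAMPLE_CGI_ENV).split())
```

Patching bash remains the fix; the allowlisted environment only limits what an unpatched shell could be fed by the web server.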