
Anyone use bash?


BBC News - Shellshock: 'Deadly serious' new vulnerability found

#2
The problem is particularly serious given that many web servers are run using the Apache system, software which includes the Bash component.

I'm no sandal-wearing Linux expert but isn't it part of the OS, not the web server?


#3
Just install Windows. Problem solved.
Will work inside IR35. Or for food.


#4
Originally posted by VectraMan:
Just install Windows. Problem solved.

We've got bash on Windows here....

AIX unaffected apart from the odd one where some demmick has installed the fileset for bash.....

Korn shell rulez!
Last edited by stek; 25 September 2014, 12:52.


#5
Originally posted by Bunk:
I'm no sandal-wearing Linux expert but isn't it part of the OS, not the web server?

The exploit allows you to access the webserver remotely via bash....


#6
Originally posted by stek:
The exploit allows you to access the webserver remotely via bash....

But bash is a command line IIRC. Surely that means you need to have logged onto the machine to get the command line to do any damage?
Will work inside IR35. Or for food.


#7
Originally posted by VectraMan:
But bash is a command line IIRC. Surely that means you need to have logged onto the machine to get the command line to do any damage?

I think the exploit can give extra privs in the manner of the old Emacs exploit.


#8
Does Apache really "use" bash?

Wouldn't it be easy to configure the httpd user to use a more primitive, albeit more limited, shell such as "sh" or "ksh"?
Work in the public sector? Read the IR35 FAQ here


#9
Originally posted by Bunk:
I'm no sandal-wearing Linux expert but isn't it part of the OS, not the web server?

CGI uses the system shell, which is usually bash. One nice (?) demo I saw last night involved changing the User-Agent header on a request. When processed by a vulnerable web server (e.g. one running PHP-as-CGI, or one with a cgi-bin script that parsed request headers) it allowed execution of arbitrary shell commands on the server.


#10
Originally posted by VectraMan:
But bash is a command line IIRC. Surely that means you need to have logged onto the machine to get the command line to do any damage?

The web server is running as a logged-on user (usually something like www:www or apache:apache). It allows you to run arbitrary commands with the same privileges as that user, which is clearly a Bad Thing. In particular, even if the web server user is restricted to certain commands, it allows you to override those restrictions, and run whatever you like with a simple request to port 80.

If this was combined with a zero-day privilege escalation vulnerability within bash, then the bad guys could root a server with nothing more than a single request using curl. Not good.
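Posts #9 and #10 describe the mechanism (a CGI handler exports request headers into the environment of the shell it spawns, so a header carrying a bash function definition reaches a vulnerable bash) and its impact. The script below is an added example written for this thread, not code from the forum or from the BBC article. It shows the header-to-environment mapping defined by the CGI specification (RFC 3875: upper-case the name, replace hyphens with underscores, prefix with HTTP_) and uses the same "() {" function-export prefix that network IDS signatures for Shellshock key on to flag requests in Apache combined-format access logs. The log lines, IP addresses (documentation ranges) and header values are constructed for the example.

```python
import re

# A bash exported-function definition starts with "() {". A vulnerable bash
# executed whatever followed the closing brace when it imported such a value
# from its environment, which is why a header value with this prefix is the
# thing to look for. Anchored at the start of the value to avoid matching
# ordinary text that merely contains braces.
FUNC_EXPORT_RE = re.compile(r'^\s*\(\)\s*\{')


def cgi_meta_variable(header_name):
    """Name of the CGI meta-variable an HTTP header is exported as (RFC 3875):
    upper-cased, hyphens replaced by underscores, prefixed with HTTP_."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def looks_like_function_export(value):
    """True when a header value would be parsed by bash as a function body."""
    return FUNC_EXPORT_RE.match(value) is not None


def flag_request_headers(headers):
    """Return the CGI variable names a request would hand to a child shell
    with a function-definition payload in them. `headers` is a dict of
    header name -> value as received by the server."""
    return [cgi_meta_variable(name) for name, value in headers.items()
            if looks_like_function_export(value)]


# Apache "combined" log format. The last two quoted fields are Referer and
# User-Agent, the two header values that are normally logged.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def scan_access_log(lines):
    """Return (client ip, request line, offending field) for each log entry
    whose User-Agent or Referer carries a function-export prefix."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if m is None:
            continue  # not combined format; skip rather than guess
        for field in ("ua", "referer"):
            if looks_like_function_export(m.group(field)):
                hits.append((m.group("ip"), m.group("req"), field))
                break
    return hits


# Constructed sample log: one probe in the User-Agent, one clean request,
# one probe in the Referer. The payload only echoes a marker string.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:12:52:01 +0100] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; echo probe"',
    '198.51.100.4 - - [25/Sep/2014:12:53:10 +0100] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Sep/2014:12:54:44 +0100] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "() { :;}; echo probe" "curl/7.30"',
]


if __name__ == "__main__":
    # Constructed request, as a CGI handler would see it.
    request = {"Host": "www.example.com", "User-Agent": "() { :;}; echo probe"}
    print("exported with payload:", flag_request_headers(request))
    for ip, req, field in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {req!r} probe in {field}")
```

Two limits worth knowing before running this over real logs: Apache escapes embedded double quotes in logged header values as \", which the simple field regex above does not handle, and the combined format only records User-Agent and Referer, so a payload carried in any other header (Cookie, for instance) would reach the CGI environment without ever appearing in the access log. The log check is therefore a way to find probes after the fact; the fix is the patched bash.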