CGI::Application and recent bash security hole
Bill Moseley
moseley at hank.org
Thu Sep 25 21:33:57 BST 2014
I did a very quick test today using mod_perl running as my own user.
Maybe you could try something similar.
I'm running on CentOS where it is vulnerable:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
In my mod_perl script I added:
system( '/bin/bash -c env >> /home/bill/env.bash' );
system( '/bin/env >> /home/bill/env.env' );
I also included a "print STDERR Dumper \%ENV;" in the mod_perl script. I'm
using "SetHandler perl-script" to build the CGI environment.
Dumping \%ENV I could see all the CGI environment variables in the Apache
log, but env.out and env.bash didn't contain any of the CGI environment
vars.
I also added a header to my request to attempt to use the exploit:
$req->header( Referer => '() { :; }; echo oops >> /home/bill/oops.txt' );
And that file didn't show up, either.
I'm not quite clear where (or sure that) the environment is getting
scrubbed.
On Thu, Sep 25, 2014 at 9:59 AM, Sue Spence <virtuallysue at gmail.com> wrote:
> Is your system shell bash? Does your application have any code which shells
> out to that (system(), ``, qx() etc)? If so, then probably yes.
>
>
> On 25 September 2014 14:52, gvim <gvimrc at gmail.com> wrote:
>
> > I built a site several years ago with CGI::Application which runs in cgi,
> > not psgi mode. Is it likely to be vulnerable to the recent bash security
> > hole which I understand revolves around setting ENV variables?
> >
> > gvim
> >
>
--
Bill Moseley
moseley at hank.org
More information about the london.pm
mailing list