> So, do you mean that ksh93 does not have the vulnerability?

http://lists.research.att.com/pipermail/ast-developers/2014q3/003964.html

On Tue, Sep 30, 2014 at 10:02 AM, Bob Friesenhahn <[email protected]> wrote:

> On Tue, 30 Sep 2014, Jim Klimov wrote:
>
>> Maybe a stupid question on my side (sorry I'm overwhelmed with relocation
>> and other life events), but how really is this bug exploitable? Especially
>> on Solaris and illumos systems with sh/ksh by default and assumed no
>> scripted CGI (hosts of native or java sourced web-code though)?
>
> It is readily exploitable for web CGI scripts which provide/export values
> provided by the web server and remote client as environment variables. The
> "CGI" paradigm has thoroughly permeated web application infrastructures.
> The exploit requires that bash be executed with the problematic environment
> variables already set. Service applications obtained from Linux often
> require bash in order to run.
>
> On my own systems, the only service I found which was suspect was 'git'
> and 'gitweb.cgi' since the 'git' implementation depends on many shell
> scripts, which specifically depend on bash.
>
> For example, this is output from the test-cgi script provided with Apache:
>
> CGI/1.0 test script report:
>
> argc is 0. argv is .
>
> SERVER_SOFTWARE = Apache/2.0.63 (Unix) DAV/2
> SERVER_NAME = www.simplesystems.org
> GATEWAY_INTERFACE = CGI/1.1
> SERVER_PROTOCOL = HTTP/1.1
> SERVER_PORT = 80
> REQUEST_METHOD = GET
> HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> PATH_INFO =
> PATH_TRANSLATED =
> SCRIPT_NAME = /cgi-bin/test-cgi
> QUERY_STRING =
> REMOTE_HOST =
> REMOTE_ADDR = 65.66.245.66
> REMOTE_USER =
> AUTH_TYPE =
> CONTENT_TYPE =
> CONTENT_LENGTH =
>
> and this is output from a Perl script called 'printenv' which prints
> everything made available:
>
> DOCUMENT_ROOT="/html"
> GATEWAY_INTERFACE="CGI/1.1"
> HTTP_ACCEPT="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
> HTTP_ACCEPT_ENCODING="gzip, deflate"
> HTTP_ACCEPT_LANGUAGE="en-US,en;q=0.5"
> HTTP_CONNECTION="keep-alive"
> HTTP_HOST="www.simplesystems.org"
> HTTP_USER_AGENT="Mozilla/5.0 (X11; SunOS i86pc; rv:30.0) Gecko/20100101 Firefox/30.0"
> PATH="/usr/sbin:/usr/bin"
> QUERY_STRING=""
> REMOTE_ADDR="65.66.245.66"
> REMOTE_PORT="53877"
> REQUEST_METHOD="GET"
> REQUEST_URI="/cgi-bin/printenv"
> SCRIPT_FILENAME="/var/apache2/cgi-bin/printenv"
> SCRIPT_NAME="/cgi-bin/printenv"
> SERVER_ADDR="65.66.246.89"
> SERVER_ADMIN="[email protected]"
> SERVER_NAME="www.simplesystems.org"
> SERVER_PORT="80"
> SERVER_PROTOCOL="HTTP/1.1"
> SERVER_SIGNATURE="<address>Apache/2.0.63 (Unix) DAV/2 Server at www.simplesystems.org Port 80</address>\n"
> SERVER_SOFTWARE="Apache/2.0.63 (Unix) DAV/2"
> TZ="US/Central"
> UNIQUE_ID="rExdoEFC9koAAEJpoxgAAAAJ"
>
> --
> Bob Friesenhahn
> [email protected], http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
>
> _______________________________________________
> openindiana-discuss mailing list
> [email protected]
> http://openindiana.org/mailman/listinfo/openindiana-discuss
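
An added example, not part of the original thread or of any project named in it: a Python audit of a printenv-style dump like the one quoted above. It lists the variables whose values originate with the remote client and flags any value beginning with `() {`, the prefix bash uses to recognise an exported function definition in its environment. The `CLIENT_NAMES` set, the function names and the sample dump are assumptions constructed for illustration.

```python
import re

# Constructed sample in the style of the printenv output quoted in the thread.
# The HTTP_USER_AGENT value is a made-up placeholder, not captured traffic.
SAMPLE_DUMP = '''\
GATEWAY_INTERFACE="CGI/1.1"
HTTP_ACCEPT_LANGUAGE="en-US,en;q=0.5"
HTTP_HOST="www.example.org"
HTTP_USER_AGENT="() { :; }; CONSTRUCTED-PLACEHOLDER"
QUERY_STRING=""
REMOTE_ADDR="192.0.2.10"
SERVER_SOFTWARE="Apache/2.0.63 (Unix) DAV/2"
TZ="US/Central"
'''

# Assumption: CGI variables (besides HTTP_*) that the server fills from the
# request itself. A conservative working set, not an exhaustive list.
CLIENT_NAMES = {"QUERY_STRING", "PATH_INFO", "PATH_TRANSLATED", "REQUEST_URI",
                "REQUEST_METHOD", "CONTENT_TYPE", "CONTENT_LENGTH",
                "REMOTE_USER", "REMOTE_HOST"}

# bash treats an environment value starting with exactly these four
# characters as an exported function definition.
FUNC_MARKER = "() {"

# Accepts both layouts quoted in the thread: NAME="value" and NAME = value.
LINE_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?(.*?)"?\s*$')

def parse_dump(text):
    """Turn a printenv / test-cgi style dump into a {name: value} dict."""
    env = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
    return env

def client_controlled(name):
    """True if the variable's value is taken from the client's request."""
    return name.startswith("HTTP_") or name in CLIENT_NAMES

def audit(text):
    """Return (client-influenced names, names whose value has the marker)."""
    env = parse_dump(text)
    client = sorted(n for n in env if client_controlled(n))
    flagged = sorted(n for n, v in env.items() if v.startswith(FUNC_MARKER))
    return client, flagged

if __name__ == "__main__":
    client, flagged = audit(SAMPLE_DUMP)
    print("client-influenced:", ", ".join(client))
    print("function-definition prefix:", ", ".join(flagged) or "none")
```

Any variable in the first list reaches every process the CGI script starts, so a flagged name there is a request worth tracing back in the server's access log.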
