[Labs-l] Shell scripts and CGI on Tools

Bryan White bgwhite at gmail.com
Wed Sep 24 20:46:12 UTC 2014


> .sh scripts are evil and should never be run via the web. .sh are backend
 tools.

This came out today...  A remotely exploitable vulnerability  has been
discovered in bash on Linux.  The major attack vectors that have been
identified in this case are HTTP requests and CGI scripts. Another attack
surface is OpenSSH through the use of AcceptEnv variables.

http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html

On Mon, Sep 22, 2014 at 1:23 PM, <nejuje6tpztluvolq at nym.hush.com> wrote:

> Here is a new server.sh
>
> #!/bin/sh
> echo '<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >'
> echo 'Hello world'
>
> And running local:
>
> tools.ext-lnk-discover at tools-login:~/www/cgi-bin$ ./server.sh
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
> Hello world
> tools.ext-lnk-discover at tools-login:~/www/cgi-bin$
>
> Same problem.
>
> ---------- Forwarded message ----------
> Date: Mon, 22 Sep 2014 15:12:01 -0400
> From: John <phoenixoverride at gmail.com>
> Reply-To: Wikimedia Labs <labs-l at lists.wikimedia.org>
> To: Wikimedia Labs <labs-l at lists.wikimedia.org>
> Subject: Re: [Labs-l] Shell scripts and CGI on Tools
>
> What happens when you execute the fcgi script from the terminal. Also note
> you need to send header info to form the HTML output
>
> On Mon, Sep 22, 2014 at 3:09 PM, <nejuje6tpztluvolq at nym.hush.com> wrote:
>
> > File perms are OK
> >
> > tools.ext-lnk-discover at tools-login:~/www$ ls -ld cgi-bin/
> > drwxrwsr-x 2 tools.ext-lnk-discover tools.ext-lnk-discover 4096 Sep 22
> > 18:13 cgi-bin/
> >
> > tools.ext-lnk-discover at tools-login:~/www/cgi-bin$ ls -l
> > -rwxr-xr-x 1 tools.ext-lnk-discover tools.ext-lnk-discover 29 Sep 21
> 21:54
> > server.sh
> >
> > I'm using server.sh as a simple test case to report this bug. The problem
> > exists for Perl scripts also. And there are other accounts on Tools using
> > .sh via CGI see for example
> >
> > /data/project/catmonitor/.lighttpd.conf
> >
> > --
> > GreenC
> >
> >
> > On 9/22/2014 at 2:56 PM, "John" <phoenixoverride at gmail.com> wrote:
> >
> > .sh scripts are evil and should never be run via the web. .sh are backend
> > tools. I would look into either php or python. If you use python I can
> lend
> > a hand. Otherwise Look at file permissions 403 typcially means that the
> > webservice cannot read the file
> >
> > On Mon, Sep 22, 2014 at 2:36 PM, <nejuje6tpztluvolq at nym.hush.com> wrote:
> >
> >> Hello,
> >>
> >> I've been trying to get this to work for days and am running out of
> >> ideas.
> >>
> >> Attempting to accomplish something simple: Run a /bin/sh script via CGI
> >>
> >> The script is called server.sh and contains this:
> >>
> >> #!/bin/sh
> >> echo "Hello World<br>"
> >>
> >> It resides in
> /data/project/ext-lnk-discover/public_html/cgi-bin/server.sh
> >>
> >> The .lighttpd.conf is
> >>
> >> debug.log-request-handling = "enable"
> >> static-file.exclude-extensions += ( ".sh" )
> >> $HTTP["url"] =~ "^cgi-bin" {
> >> cgi.assign = ( "" => "" )
> >> }
> >>
> >>
> >> http://tools.wmflabs.org/ext-lnk-discover/cgi-bin/server.sh
> >>
> >> returns "403 Forbidden"
> >>
> >> The Lighttpd error.log is long, located in
> >> /data/project/ext-lnk-discover/error.log, but the last two lines:
> >>
> >> 2014-09-22 18:10:19: (mod_compress.c.683) -- handling file as static
> file
> >> 2014-09-22 18:10:19: (mod_staticfile.c.389) -- NOT handling file as
> >> static file, extension forbidden
> >>
> >> This would suggest .sh extension is the problem, but I changed the name
> >> to .fcgi or whatever doesn't matter get the same error.
> >>
> >> Maybe I need to use FCGI? New .lighttpd.conf:
> >>
> >> fastcgi.server += ( "/" =>
> >> ((
> >> "socket" => "/tmp/ext-lnk-discover-server.sock",
> >> "bin-path" =>
> >> "/data/project/ext-lnk-discover/public_html/cgi-bin/server.sh",
> >> "check-local" => "disable",
> >> "max-procs" => 1,
> >> ))
> >> )
> >>
> >> Error.log now shows:
> >>
> >> 2014-09-22 18:21:20: (mod_fastcgi.c.1104) the fastcgi-backend
> >> /data/project/ext-lnk-discover/public_html/cgi-bin/server.sh failed to
> >> start:
> >> 2014-09-22 18:21:20: (mod_fastcgi.c.1108) child exited with status 0
> >> /data/project/ext-lnk-discover/public_html/cgi-bin/server.sh
> >> 2014-09-22 18:21:20: (mod_fastcgi.c.1111) If you're trying to run your
> >> app as a FastCGI backend, make sure you're using the FastCGI-enabled
> >> version.
> >> If this is PHP on Gentoo, add 'fastcgi' to the USE flags.
> >> 2014-09-22 18:21:20: (mod_fastcgi.c.1399) [ERROR]: spawning fcgi failed.
> >> 2014-09-22 18:21:20: (server.c.938) Configuration of plugins failed.
> >> Going down.
> >>
> >> (this happens on webserver restart)
> >>
> >> ------------
> >>
> >> I've tried other scripts: bash, Perl and csh with same results.
> >>
> >> I'm beginning to think the problem is security, perhaps a jailed shell
> on
> >> the Grid? Any help appreciated!
> >> Thanks,
> >> GreenC
> >>
> >> _______________________________________________
> >> Labs-l mailing list
> >> Labs-l at lists.wikimedia.org
> >> https://lists.wikimedia.org/mailman/listinfo/labs-l
> >>
> >>
> >
> > _______________________________________________
> > Labs-l mailing list
> > Labs-l at lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/labs-l
> >
> >
>
>
> _______________________________________________
> Labs-l mailing list
> Labs-l at lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/labs-l
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.wikimedia.org/pipermail/labs-l/attachments/20140924/ae66f3d6/attachment.html>


More information about the Labs-l mailing list