<div dir="ltr"><span style="font-family:Arial;font-size:13px">> .sh scripts are evil and should never be run via the web. .sh are backend</span><span style="font-family:Arial;font-size:13px"> tools.</span><div><br></div><div>This came out today... A remotely exploitable vulnerability has been discovered in bash on Linux. The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Another attack surface is OpenSSH through the use of AcceptEnv variables.<br><br><a href="http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html">http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html</a><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 22, 2014 at 1:23 PM, <span dir="ltr"><<a href="mailto:nejuje6tpztluvolq@nym.hush.com" target="_blank">nejuje6tpztluvolq@nym.hush.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span style="font-family:Arial;font-size:13px"><span style="font-family:Arial;font-size:13px">Here is a new server.sh<br><br>#!/bin/sh<br>echo '<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >'<br>echo 'Hello world'<br><br>And running local:<br><br>tools.ext-lnk-discover@tools-login:~/www/cgi-bin$ ./server.sh<br><meta http-equiv="Content-Type" content="text/html;charset=utf-8" ><br>Hello world<br>tools.ext-lnk-discover@tools-login:~/www/cgi-bin$<br><br>Same problem.<br><br><blockquote style="border-left:solid 1px #ccc;margin-left:10px;padding-left:10px">---------- Forwarded message ----------<br>Date: Mon, 22 Sep 2014 15:12:01 -0400<br>From: John <<a href="mailto:phoenixoverride@gmail.com" target="_blank">phoenixoverride@gmail.com</a>><br>Reply-To: Wikimedia Labs <<a href="mailto:labs-l@lists.wikimedia.org" target="_blank">labs-l@lists.wikimedia.org</a>><br>To: Wikimedia Labs <<a 
href="mailto:labs-l@lists.wikimedia.org" target="_blank">labs-l@lists.wikimedia.org</a>><br>Subject: Re: [Labs-l] Shell scripts and CGI on Tools<br><br>What happens when you execute the fcgi script from the terminal. Also note<br>you need to send header info to form the HTML output<br><br>On Mon, Sep 22, 2014 at 3:09 PM, <<a href="mailto:nejuje6tpztluvolq@nym.hush.com" target="_blank">nejuje6tpztluvolq@nym.hush.com</a>> wrote:<br><br>> File perms are OK<br>><br>> tools.ext-lnk-discover@tools-login:~/www$ ls -ld cgi-bin/<br>> drwxrwsr-x 2 tools.ext-lnk-discover tools.ext-lnk-discover 4096 Sep 22<br>> 18:13 cgi-bin/<br>><br>> tools.ext-lnk-discover@tools-login:~/www/cgi-bin$ ls -l<br>> -rwxr-xr-x 1 tools.ext-lnk-discover tools.ext-lnk-discover 29 Sep 21 21:54<br>> server.sh<br>><br>> I'm using server.sh as a simple test case to report this bug. The problem<br>> exists for Perl scripts also. And there are other accounts on Tools using<br>> .sh via CGI see for example<br>><br>> /data/project/catmonitor/.lighttpd.conf<br>><br>> --<br>> GreenC<br>><br>><br>> On 9/22/2014 at 2:56 PM, "John" <<a href="mailto:phoenixoverride@gmail.com" target="_blank">phoenixoverride@gmail.com</a>> wrote:<br>><br>> .sh scripts are evil and should never be run via the web. .sh are backend<br>> tools. I would look into either php or python. If you use python I can lend<br>> a hand. 
Otherwise look at file permissions: 403 typically means that the<br>> webservice cannot read the file<br>><br>> On Mon, Sep 22, 2014 at 2:36 PM, <<a href="mailto:nejuje6tpztluvolq@nym.hush.com" target="_blank">nejuje6tpztluvolq@nym.hush.com</a>> wrote:<br>><br>>> Hello,<br>>><br>>> I've been trying to get this to work for days and am running out of<br>>> ideas.<br>>><br>>> Attempting to accomplish something simple: Run a /bin/sh script via CGI<br>>><br>>> The script is called server.sh and contains this:<br>>><br>>> #!/bin/sh<br>>> echo "Hello World<br>"<br>>><br>>> It resides in /data/project/ext-lnk-discover/public_html/cgi-bin/server.sh<br>>><br>>> The .lighttpd.conf is<br>>><br>>> debug.log-request-handling = "enable"<br>>> static-file.exclude-extensions += ( ".sh" )<br>>> $HTTP["url"] =~ "^cgi-bin" {<br>>> cgi.assign = ( "" => "" )<br>>> }<br>>><br>>><br>>> <a href="http://tools.wmflabs.org/ext-lnk-discover/cgi-bin/server.sh" target="_blank">http://tools.wmflabs.org/ext-lnk-discover/cgi-bin/server.sh</a><br>>><br>>> returns "403 Forbidden"<br>>><br>>> The Lighttpd error.log is long, located in<br>>> /data/project/ext-lnk-discover/error.log, but the last two lines:<br>>><br>>> 2014-09-22 18:10:19: (mod_compress.c.683) -- handling file as static file<br>>> 2014-09-22 18:10:19: (mod_staticfile.c.389) -- NOT handling file as<br>>> static file, extension forbidden<br>>><br>>> This would suggest .sh extension is the problem, but I changed the name<br>>> to .fcgi or whatever doesn't matter get the same error.<br>>><br>>> Maybe I need to use FCGI? 
New .lighttpd.conf:<br>>><br>>> fastcgi.server += ( "/" =><br>>> ((<br>>> "socket" => "/tmp/ext-lnk-discover-server.sock",<br>>> "bin-path" =><br>>> "/data/project/ext-lnk-discover/public_html/cgi-bin/server.sh",<br>>> "check-local" => "disable",<br>>> "max-procs" => 1,<br>>> ))<br>>> )<br>>><br>>> Error.log now shows:<br>>><br>>> 2014-09-22 18:21:20: (mod_fastcgi.c.1104) the fastcgi-backend<br>>> /data/project/ext-lnk-discover/public_html/cgi-bin/server.sh failed to<br>>> start:<br>>> 2014-09-22 18:21:20: (mod_fastcgi.c.1108) child exited with status 0<br>>> /data/project/ext-lnk-discover/public_html/cgi-bin/server.sh<br>>> 2014-09-22 18:21:20: (mod_fastcgi.c.1111) If you're trying to run your<br>>> app as a FastCGI backend, make sure you're using the FastCGI-enabled<br>>> version.<br>>> If this is PHP on Gentoo, add 'fastcgi' to the USE flags.<br>>> 2014-09-22 18:21:20: (mod_fastcgi.c.1399) [ERROR]: spawning fcgi failed.<br>>> 2014-09-22 18:21:20: (server.c.938) Configuration of plugins failed.<br>>> Going down.<br>>><br>>> (this happens on webserver restart)<br>>><br>>> ------------<br>>><br>>> I've tried other scripts: bash, Perl and csh with same results.<br>>><br>>> I'm beginning to think the problem is security, perhaps a jailed shell on<br>>> the Grid? 
Any help appreciated!<br>>> Thanks,<br>>> GreenC<br>>><br>>> _______________________________________________<br>>> Labs-l mailing list<br>>> <a href="mailto:Labs-l@lists.wikimedia.org" target="_blank">Labs-l@lists.wikimedia.org</a><br>>> <a href="https://lists.wikimedia.org/mailman/listinfo/labs-l" target="_blank">https://lists.wikimedia.org/mailman/listinfo/labs-l</a><br>>><br>>><br>><br>> _______________________________________________<br>> Labs-l mailing list<br>> <a href="mailto:Labs-l@lists.wikimedia.org" target="_blank">Labs-l@lists.wikimedia.org</a><br>> <a href="https://lists.wikimedia.org/mailman/listinfo/labs-l" target="_blank">https://lists.wikimedia.org/mailman/listinfo/labs-l</a><br>><br>></blockquote></span></span><br>_______________________________________________<br>
Labs-l mailing list<br>
<a href="mailto:Labs-l@lists.wikimedia.org">Labs-l@lists.wikimedia.org</a><br>
<a href="https://lists.wikimedia.org/mailman/listinfo/labs-l" target="_blank">https://lists.wikimedia.org/mailman/listinfo/labs-l</a><br>
<br></blockquote></div><br></div>
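<p>The thread's two threads of discussion meet in one place: a CGI gateway such as the lighttpd <code>cgi.assign</code> setup above hands every request header to the script as an <code>HTTP_*</code> environment variable, and the bash bug reported at the top of the message (CVE-2014-6271) is triggered by environment values that begin with a function definition. The following is an added example, not code from this thread, from Toolforge or from lighttpd: it mirrors the CGI header-to-environment mapping, drops header values carrying the function-definition marker before they reach the script's environment, and scans access-log lines for the same marker. The function names, the sample headers and the sample log lines (documentation-range addresses, the thread's own CGI path) are constructed.</p>

```python
"""Where CVE-2014-6271 (Shellshock) meets CGI, seen from the defender's side.

Added example; not code from the Labs-l thread, from Toolforge or from lighttpd.
A CGI gateway copies each request header into the script's environment
(CGI/1.1: User-Agent -> HTTP_USER_AGENT).  An unpatched bash imports any
environment value that begins with "() {" as a function definition and runs
what follows it, so every header is an injection point into a bash CGI script.
Two defensive controls are shown: filtering header values before they reach
the environment, and scanning access-log lines for the same marker.
Function names, the sample headers and the sample log lines are constructed.
"""
import re

# Marker of a bash exported-function definition.  Whitespace variants are
# accepted so that "(){" and "( ) {" are caught as well.
FUNCTION_PREFIX = re.compile(r"\(\s*\)\s*\{")


def header_to_env_name(header):
    """CGI/1.1 mapping of a request header to its environment variable name."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def build_cgi_environment(headers):
    """Return (env, rejected): the HTTP_* environment a CGI script would
    inherit, minus any header whose value starts with a function definition.

    The check is anchored at the start of the value because that is where
    bash looks for the prefix; leading whitespace is stripped first so that
    padding cannot dodge the check.  A marker elsewhere in the value is not
    imported by bash and is left alone here.
    """
    env = {}
    rejected = []
    for name, value in headers.items():
        if FUNCTION_PREFIX.match(value.lstrip()):
            rejected.append(name)
            continue
        env[header_to_env_name(name)] = value
    return env, rejected


def scan_access_log(lines):
    """Return the 1-based numbers of log lines carrying the marker anywhere.

    A log line holds several quoted fields (request, referer, user agent),
    so this scan is unanchored and deliberately broader than the filter.
    """
    return [n for n, line in enumerate(lines, start=1)
            if FUNCTION_PREFIX.search(line)]


# Constructed sample: two ordinary requests to the thread's CGI path and one
# carrying the marker in its User-Agent field.  Addresses are from the
# documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:10:01:02 +0000] "GET /ext-lnk-discover/cgi-bin/server.sh HTTP/1.1" 200 42 "-" "curl/7.38.0"',
    '198.51.100.9 - - [25/Sep/2014:10:01:09 +0000] "GET /ext-lnk-discover/cgi-bin/server.sh HTTP/1.1" 200 42 "-" "() { :; }; echo SAMPLE"',
    '203.0.113.4 - - [25/Sep/2014:10:02:15 +0000] "GET /ext-lnk-discover/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    env, rejected = build_cgi_environment({
        "User-Agent": "() { :; }; echo SAMPLE",   # constructed marker value
        "Accept-Language": "en",
    })
    print("environment passed to the script:", env)
    print("headers dropped:", rejected)
    print("log lines to investigate:", scan_access_log(SAMPLE_LOG))
```

<p>The header filter would have to sit in front of the web server, since lighttpd's CGI module passes request headers into the environment as they arrive; it is a stop-gap, and the durable fix is the bash update for CVE-2014-6271 and the follow-up patches that shipped after it. The same marker check applies to the OpenSSH path mentioned above: any variable admitted through <code>AcceptEnv</code> reaches a bash login shell's environment in exactly the same way.</p>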