
Bash security vulnerability

Hey Everyone,

With the new news (SHELL SHOCK: Bash bug blows holes in Unix, Linux, OS X systems) about the bash shell today, do we know if and when Sophos is going to release a patch for this?

I apologize if I'm posting this in the wrong section, but, well, none of the other sections looked like this belonged in there. Thanks.


  • On UTM 9.x, httpd runs in a chrooted jail. Nevertheless, CGI is enabled in WebAdmin and bash is the default shell for httpd processes.

    utm:/root # grep -i cgi `find /var/sec/chroot-httpd/ -name '*.conf' 2> /dev/null`
    
    /var/sec/chroot-httpd/etc/httpd/vhost/httpd-webadmin.conf:    Options Followsymlinks ExecCGI
    /var/sec/chroot-httpd/etc/httpd/vhost/httpd-webadmin.conf:    AddHandler fcgid-script .plx
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:DirectoryIndex index.plx redirect.cgi
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:# mod_fcgid
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:LoadModule fcgid_module /usr/libexec/apache2/mod_fcgid.so
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidMaxProcesses 10
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidMaxRequestLen 536870912
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidBusyTimeout 60
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidErrorScanInterval 60
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidConnectTimeout 60
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidIOTimeout 60
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidSpawnScoreUpLimit 100
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidMaxProcessesPerClass 100
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidSpawnScore 0
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidTerminationScore 0
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidIPCDir /tmp/sock
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:FcgidProcessTableFile /tmp/fcgid_shm
    /var/sec/chroot-httpd/etc/httpd/httpd.conf:AddHandler cgi-script .pl .cgi .plc

    utm:/root # ps aufxe | grep -E "^wwwrun" | head -1 | sed -r "s/ /\n/g" | grep -E "^SHELL="
    SHELL=/bin/sh

    utm:/root # ls -l /var/sec/chroot-httpd/bin/*sh*
    -rwxr-xr-x 1 root root 554984 Sep  9 16:12 /var/sec/chroot-httpd/bin/bash
    lrwxrwxrwx 1 root root      4 Sep  9 16:12 /var/sec/chroot-httpd/bin/sh -> bash


    UTM 9.206 includes a vulnerable bash:

    loginuser@utm:/home/login > export VAR1='() { ignored; }; /usr/bin/id'
    
    loginuser@utm:/home/login > bash
    uid=100(loginuser) gid=100(users) groups=100(users)
    loginuser@utm:/home/login >


    Still hoping that mod_fcgid, unlike mod_cgi, does not use a shell as "glue". I've not yet examined the sources.
  • What about the DHCP client ?
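
The checks from the UTM 9.x post above, combined into one audit script (an added example, not part of the thread and not Sophos code): for a root such as the post's `/var/sec/chroot-httpd` it resolves `bin/sh` and `bin/bash` and reports whether each is a bash that runs code trailing an imported function definition. The function names and the marker string are made up for this example; it assumes `readlink -f` is available and that the chroot's binaries can be run from outside the chroot.

```shell
#!/bin/sh
# Added example: report which shells under a (chroot) root are bash, and
# whether that bash runs code trailing an imported function definition.

# is_bash PATH: succeed if PATH, after following symlinks, is a bash binary.
is_bash() {
    real=$(readlink -f "$1" 2>/dev/null) || return 1
    [ -x "$real" ] || return 1
    # Ask the binary itself; a name check would miss a renamed copy.
    [ "$("$real" -c 'echo "${BASH_VERSION:+is-bash}"' 2>/dev/null)" = "is-bash" ]
}

# check_shell PATH: print "not-bash", "patched" or "vulnerable".
check_shell() {
    is_bash "$1" || { echo "not-bash"; return 0; }
    # Same shape as the VAR1 test in the post, but the trailing command
    # only prints a marker. PATH is run under its own name (e.g. .../sh),
    # the way a CGI handler would invoke it.
    out=$(env probe='() { :; }; echo TRAILING_CODE_RAN' "$1" -c 'true' 2>/dev/null) || true
    case $out in
        *TRAILING_CODE_RAN*) echo "vulnerable" ;;
        *) echo "patched" ;;
    esac
}

# audit_root ROOT: one line per shell found under ROOT/bin.
audit_root() {
    for sh in "$1/bin/sh" "$1/bin/bash"; do
        [ -e "$sh" ] || continue
        printf '%s -> %s: %s\n' "$sh" "$(readlink -f "$sh")" "$(check_shell "$sh")"
    done
}

# With no argument the host's own /bin is audited.
audit_root "${1-}"
```

Run it as root with the chroot path as the only argument. If a chroot uses absolute symlinks, `readlink -f` resolves them against the host filesystem, so check the link target by hand in that case.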