Re: [Haserl-users] Are Haserl-mediated CGIs vulnerable to Shellshock?
From: Nathan A. <na...@us...> - 2014-09-27 19:16:05
Daniel,
If you are really using bash, then unfortunately you are vulnerable.
To test, use curl to add a bogus header:
    curl -H 'X-SHELLSHOCK: () { :; }; /usr/bin/touch /tmp/owned' http://example.com/haserl.cgi
In my case, haserl.cgi is:
#!/usr/bin/haserl --shell=/bin/bash
<%
echo -e "Content-type: text/plain\r\n\r\n"
env
if [ -e /tmp/owned ]; then
echo "vulnerable"
rm /tmp/owned
fi
%>
In my testing, the cgi segfaulted (mini_httpd) or returned a 500 error
(lighttpd), but the /tmp/owned file was created - so that on subsequent
requests (without the -H option) the last line of the cgi was "vulnerable".
> Like many (most?) Haserl users, our company uses it to build embedded web CGIs by having it invoke a shell script using the default /bin/sh. /bin/sh, of course, is actually bash, which is in the news these days as the latest black hat vector.
Debian and Ubuntu use "dash" as the /bin/sh shell. I think it's only
user accounts that specifically get bash.
Run 'ls -l /bin/sh'
to see what your systems use. That's why I had to explicitly specify
the shell in the cgi. When I use the default /bin/sh on ubuntu, the
attack fails.
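
Added example, not part of the original message or of Haserl: a shell audit that applies the 'ls -l /bin/sh' check above to every script in a CGI directory and lists those whose effective shell resolves to bash. The function names and the DEFAULT_SH override are assumptions of this example; only the --shell=PATH form shown in the message is parsed.

```shell
#!/bin/sh
# Added example: find CGI scripts that end up running under bash.

# Print the shell a script runs under, judged from its "#!" line.
# Haserl scripts use --shell=PATH, or /bin/sh when the option is absent.
# DEFAULT_SH (assumption of this example) overrides that default, e.g. to
# point at the sh of an unpacked firmware image.
effective_shell() {
    first=$(head -n 1 "$1")
    case $first in
        '#!'*haserl*--shell=*)
            printf '%s\n' "$first" | sed 's/.*--shell=\([^[:space:]]*\).*/\1/' ;;
        '#!'*haserl*)
            printf '%s\n' "${DEFAULT_SH:-/bin/sh}" ;;
        '#!'*)
            # Plain script: the interpreter is the first word after "#!".
            # ("#!/usr/bin/env bash" is not unwrapped here.)
            printf '%s\n' "$first" | sed 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/' ;;
        *)  return 1 ;;   # no interpreter line, not a script we can judge
    esac
}

# True when the path, after following symlinks, is a file named bash.
# This identifies the shell only; it does not tell whether bash is patched.
is_bash() {
    target=$(readlink -f "$1" 2>/dev/null) || return 1
    [ "$(basename "$target")" = bash ]
}

# Print "script<TAB>shell" for each file in the directory that runs under bash.
audit_cgis() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        sh_path=$(effective_shell "$f") || continue
        if is_bash "$sh_path"; then
            printf '%s\t%s\n' "$f" "$sh_path"
        fi
    done
}

# Stand-alone use: sh audit.sh /path/to/cgi-bin
if [ "$#" -gt 0 ]; then
    audit_cgis "$1"
fi
```

Scripts it lists are the ones to retest after bash has been updated, or to move to a non-bash shell.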