2 Comments

  1. Liviu
    Author

    HOW IT CAN BE EXPLOITED VIA HTTP (I shudder at the thought of all the CPE firmware that uses CGIs):

    So far, HTTP requests to CGI scripts have been identified as the major
    attack vector.
    A typical HTTP request looks like this:
    GET /path?query-param-name=query-param-value HTTP/1.1
    Host: http://www.example.com
    Custom: custom-header-value
    The CGI specification maps all parts to environment variables. With
    Apache httpd, the magic string “() {” can appear in these places:
    * Host (“www.example.com”, as REMOTE_HOST)
    * Header value (“custom-header-value”, as HTTP_CUSTOM in this example)
    * Server protocol (“HTTP/1.1”, as SERVER_PROTOCOL)

    The user name embedded in an Authorization header could be a vector as
    well, but the corresponding REMOTE_USER variable is only set if the
    user name corresponds to a known account according to the
    authentication configuration, and a configuration which accepts the
    magic string appears somewhat unlikely.
    In addition, with other CGI implementations, the request method
    (“GET”), path (“/path”) and query string
    (“query-param-name=query-param-value”) may be vectors, and it is
    conceivable for “query-param-value” as well, and perhaps even
    “query-param-name”.

    SOURCE: http://seclists.org/oss-sec/2014/q3/649

  2. Liviu
    Author

    HOW IT CAN BE EXPLOITED VIA SSH:

    I’ve just confirmed that the issue can be exploited via OpenSSH setting
    SSH_ORIGINAL_COMMAND:

    $ ssh -o 'rsaauthentication yes' 0 '() { ignored; }; /usr/bin/id'
    uid=500(sandbox) gid=500(sandbox) groups=500(sandbox)
    Received disconnect from 127.0.0.1: Command terminated on signal 11.

    This is with command="set" in .ssh/authorized_keys for the key being
    used. (Without the “; /usr/bin/id” portion, the command prints the
    environment variables, including SSH_ORIGINAL_COMMAND being the function
    with just “ignored” in its body.) As we can see, the command runs, and
    moreover in this case bash happened to segfault after having run “id”.

    SOURCE: http://seclists.org/oss-sec/2014/q3/649
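Both comments above come down to the same defender's question: which environment variables a bash child process inherits from untrusted input, and whether any of them begins with the "() {" function-definition prefix. The Python below is an added example, not code from the oss-sec posts or from this blog; it maps a raw HTTP request onto the CGI meta-variables using the standard HTTP_<HEADER> rule, flags any variable carrying the prefix, and applies the same check to a constructed SSH_ORIGINAL_COMMAND environment. All sample requests, addresses and values are constructed for the example.

```python
import re
from typing import Dict, List

# Pre-patch bash imported any environment variable whose value starts with
# "() {" as a function definition and kept parsing past the closing brace,
# so this prefix is what to look for in attacker-controlled variables.
MAGIC = re.compile(r"^\s*\(\s*\)\s*\{")

def cgi_environment(raw_request: str) -> Dict[str, str]:
    """Map a raw HTTP request line and headers onto the CGI meta-variables
    a server exports to the script (subset of RFC 3875)."""
    lines = raw_request.split("\r\n")
    method, target, protocol = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    env = {"REQUEST_METHOD": method, "PATH_INFO": path,
           "QUERY_STRING": query, "SERVER_PROTOCOL": protocol}
    for line in lines[1:]:
        if not line:              # blank line ends the header block
            break
        name, _, value = line.partition(":")
        # CGI rule: header name uppercased, "-" becomes "_", prefixed HTTP_
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return env

def flagged_variables(env: Dict[str, str]) -> List[str]:
    """Names of the variables whose value begins with the function prefix."""
    return sorted(name for name, value in env.items() if MAGIC.match(value))

def shellshock_vectors(raw_request: str) -> List[str]:
    """CGI variables of this request that would carry the prefix into bash."""
    return flagged_variables(cgi_environment(raw_request))

# Constructed samples (not taken from the posts): a benign request, a request
# with the prefix in two header values, and the environment a forced SSH
# command would see when the client supplies the prefix as its command.
BENIGN = ("GET /path?query-param-name=query-param-value HTTP/1.1\r\n"
          "Host: www.example.com\r\nCustom: custom-header-value\r\n\r\n")
SUSPECT = ("GET /cgi-bin/status HTTP/1.1\r\nHost: () { :; }; ignored\r\n"
           "User-Agent: () { :;}; ignored\r\n\r\n")
SSH_ENV = {"SSH_ORIGINAL_COMMAND": "() { ignored; }; ignored",
           "SSH_CONNECTION": "203.0.113.5 52314 198.51.100.7 22"}

if __name__ == "__main__":
    print(shellshock_vectors(BENIGN))    # []
    print(shellshock_vectors(SUSPECT))   # ['HTTP_HOST', 'HTTP_USER_AGENT']
    print(flagged_variables(SSH_ENV))    # ['SSH_ORIGINAL_COMMAND']
```

An empty result only says that this particular input would not have reached bash through these variables; the fix remains a patched bash, since any other variable a server or wrapper exports from client data is an equally good carrier.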
