httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: Bash CVE-2014-6271 and CGI / HTTPD
Date Wed, 24 Sep 2014 21:15:17 GMT
Am 24.09.2014 um 22:21 schrieb Rainer Jung:
> Am 24.09.2014 um 22:15 schrieb Rainer Jung:
>> Am 24.09.2014 um 20:20 schrieb Eric Covener:
>>>
>>> On Wed, Sep 24, 2014 at 1:48 PM, Paul Querna <paul@querna.org
>>> <mailto:paul@querna.org>> wrote:
>>>
>>>     Thoughts?  Is it reasonable to do something in mod_cgi{d} to improve
>>>     the situation?
>>>
>>>
>>> ‚ÄčI don't think so, even if we tried to figure out the interpreter, it
>>> could run _anything_ else that is interpreted by bash.
>>>
>>> But an announcement might be helpful to users.
>>
>> One could try to sanitize env var contents in ap_create_environment()
>> though. Currently we do sanitize variable names there. But there's no
>> generally good pattern for the value sanitizing.
>>
>> There's just a known one for this specific vulnerability, which might
>> break CGIs expecting content which is only problematic for broken bash.
>> So the sanitizing would be a workaround patch, which would only be
>> useful for people who can not quickly update their bash but can update
>> their web server. Not very likely but also not unthinkable of.
>>
>> The exploit is said to be any env var value looking like
>>
>> () { something }; problematicPart
>>
>> So for instance optionally removing any semicolon from values would
>> help, but also likely break common values. I don't know, whether
>> removing "()" would suffice, or if an exploit could also contain
>> whitespace or even other chars between "(" and ")". Otherwise optionally
>> removing "()" would help.
>
> The common recipes only work with a leading "()" in the variable value.
> So removing "()" from the variable value if it starts with these two
> chars would stop the problem.

A workaround like

--- server/util_script.c.orig   2013-09-14 14:12:54.000000000 +0000
+++ server/util_script.c        2014-09-24 20:35:54.952054361 +0000
@@ -128,6 +128,12 @@
              }
              ++whack;
          }
+        /* Sanitize leading "()" because of CVE-2014-6271 bash exploit */
+        whack++;
+        if (*whack++ == '(' && *whack == ')') {
+            *whack-- = '_';
+            *whack = '_';
+        }
          ++j;
      }

seems to work.

It is not a general purpose fix though, because it will break CGI apps, 
that actually use env vars with values starting with "()".

>> The problem might also apply to SSI and other interfaces that can set
>> environment variables, like maybe FCGI and SCGI (if they later trigger
>> bash calls somewhere down their handling chain).

These are *not* handled by the above patch, because they don't use 
ap_create_environment().

Regards,

Rainer

Mime
View raw message