[Pywps-dev] [wurlug] CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands

Jachym Cepicky jachym.cepicky at gmail.com
Sun Sep 28 08:49:34 PDT 2014


Hi,

please, everybody who is using PyWPS and is calling some command line
programs (such as GRASS modules), make sure you update your BASH
installation.

PyWPS tries to check for proper data inputs, such as integers or float
numbers. Also, a pre-defined allowedValues list should work well for string
data. PyWPS also tries to determine some potentially dangerous characters
(";" for example), but if you are allowing clients to send *any* type of
string data, double check that it cannot be misused on the server side.

If you are using just Python bindings to your libraries, it should
probably be all right.

Jachym

2014-09-25 10:03 GMT+02:00 Jorge Samuel Mendes de Jesus <
jorge.mendesdejesus at wur.nl>:

>
> Hi Jachym
>
>
> This could be a serious problem for pywps, since lots of people use bash.
> Do you have some URL that we can test it with??? I got a new desktop and have
> nothing installed
>
> J.
>
>
>
> -------- Forwarded Message --------
> Subject: Re: [wurlug] CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands
> Date: Thu, 25 Sep 2014 09:42:29 +0200
> From: Pjotr Prins <pjotr.public11 at thebird.nl>
> Reply-To: Unix at WUR (Wageningen University Research Center Linux User Group)! <wurlug at lists.nluug.nl>
> To: Unix at WUR (Wageningen University Research Center Linux User Group)! <wurlug at lists.nluug.nl>
>
>   https://community.qualys.com/blogs/laws-of-vulnerabilities/2014/09/24/bash-shellshock-vulnerability
>
> Also may work for Perl/Python/Ruby CGI. Suspect firewall
> configurators, database management and status scripts too. Test:
>
> telnet into port 80. Assuming your CGI script is at /cgi-bin/um.pl, type
> the following in the telnet prompt:
>
>   GET /cgi-bin/um.pl HTTP/1.1
>   Host: localhost
>   Custom: () { :; }; while read -r l; do echo $l; done
>
> Press ENTER twice after the last header.
>
> The command is executed server-side.
>
> (lifted from slashdot).
>
> My servers are not vulnerable (I have avoided CGI for a long time and ssh is
> restricted and throttled), but my routers do run CGI. Worth checking. They appear
> to be fine without authenticated login.
>
> Pj.
>
> On Thu, Sep 25, 2014 at 05:50:19AM +0000, Haarst, Jan van wrote:
> > Very, very bad news, update/harden your servers as soon as possible :
> >
> > https://access.redhat.com/security/cve/CVE-2014-6271
> > http://seclists.org/oss-sec/2014/q3/650 :
> >
> >
> > The technical details of the vulnerability follow.
> >
> > Bash supports exporting not just shell variables, but also shell
> > functions to other bash instances, via the process environment to
> > (indirect) child processes.  Current bash versions use an environment
> > variable named by the function name, and a function definition
> > starting with "() {" in the variable value to propagate function
> > definitions through the environment.  The vulnerability occurs because
> > bash does not stop after processing the function definition; it
> > continues to parse and execute shell commands following the function
> > definition.  For example, an environment variable setting of
> >
> >   VAR=() { ignored; }; /bin/id
> >
> > will execute /bin/id when the environment is imported into the bash
> > process.  (The process is in a slightly undefined state at this point.
> > The PATH variable may not have been set up yet, and bash could crash
> > after executing /bin/id, but the damage has already happened at this
> > point.)
> >
> > The fact that an environment variable with an arbitrary name can be
> > used as a carrier for a malicious function definition containing
> > trailing commands makes this vulnerability particularly severe; it
> > enables network-based exploitation.
> >
> >
> >
> > So far, HTTP requests to CGI scripts have been identified as the major
> > attack vector.
> >
> > A typical HTTP request looks like this:
> >
> > GET /path?query-param-name=query-param-value HTTP/1.1
> > Host: www.example.com
> > Custom: custom-header-value
> >
> > The CGI specification maps all parts to environment variables.  With
> > Apache httpd, the magic string "() {" can appear in these places:
> >
> > * Host ("www.example.com", as REMOTE_HOST)
> > * Header value ("custom-header-value", as HTTP_CUSTOM in this example)
> > * Server protocol ("HTTP/1.1", as SERVER_PROTOCOL)
> >
> > The user name embedded in an Authorization header could be a vector as
> > well, but the corresponding REMOTE_USER variable is only set if the
> > user name corresponds to a known account according to the
> > authentication configuration, and a configuration which accepts the
> > magic string appears somewhat unlikely.
> >
> > In addition, with other CGI implementations, the request method
> > ("GET"), path ("/path") and query string
> > ("query-param-name=query-param-value") may be vectors, and it is
> > conceivable for "query-param-value" as well, and perhaps even
> > "query-param-name".
> >
> > The other vector is OpenSSH, either through AcceptEnv variables, TERM
> > or SSH_ORIGINAL_COMMAND.
> >
> > Other vectors involving different environment variables set by
> > additional programs are expected.
> >
> >
> > --
> > Jan van Haarst
> > Assistant Researcher Bioinformatics
> > Applied Bioinformatics
> > Wageningen UR, Plant Research International
> > P.O Box 619, 6700 AP, Wageningen, the Netherlands
> > Wageningen Campus, Building 107, Droevendaalsesteeg 1, 6708 PB, Wageningen, the Netherlands
> > ++31-317480756
> > callto://jvhaarst
> > http://www.pri.wur.nl/
> > http://www.appliedbioinformatics.wur.nl/
> > http://www.disclaimer-uk.wur.nl/
> >
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > Wurlug mailing list
> > Wurlug at lists.nluug.nl
> > http://lists.nluug.nl/mailman/listinfo/wurlug


-- 
Jachym Cepicky
e-mail: jachym.cepicky gmail com
URL: http://les-ejk.cz
GPG: http://les-ejk.cz/pgp/JachymCepicky.pgp

Give your code freedom with PyWPS - http://pywps.wald.intevation.org
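As an added example (not code from the thread or from PyWPS itself), the Python snippet below shows the defensive side of what the quoted advisory describes: it flags request-derived CGI variables whose value starts with the "() {" marker, and it builds an allow-listed environment for spawning command-line tools such as GRASS modules instead of passing the raw CGI environment through. The GISBASE name and the sample environment are assumptions.

```python
import re
import subprocess

# The "() {" prefix that pre-patch bash treats as an exported function
# definition when it imports the environment (see the advisory above).
FUNC_DEF_RE = re.compile(r"^\s*\(\)\s*\{")

def find_suspicious_vars(env):
    """Names of variables whose value starts with the function-definition marker."""
    return sorted(name for name, value in env.items() if FUNC_DEF_RE.match(value))

# Variables a CGI gateway fills from the request, per the advisory quoted in
# the thread; none of them belongs in the environment of a spawned tool.
REQUEST_DERIVED = ("HTTP_", "REMOTE_", "SERVER_PROTOCOL", "REQUEST_METHOD",
                   "QUERY_STRING", "PATH_INFO")

def safe_child_env(env, keep=("PATH", "HOME", "LANG", "GISBASE")):
    """Build a minimal environment for command-line tools (e.g. GRASS modules):
    copy only an explicit allow-list, and still drop request-derived names
    and anything carrying the marker. GISBASE is assumed here as a
    GRASS-specific variable."""
    out = {}
    for name in keep:
        value = env.get(name)
        if value is None or name.startswith(REQUEST_DERIVED) or FUNC_DEF_RE.match(value):
            continue
        out[name] = value
    return out

def run_tool(args, env):
    """Run a tool with the scrubbed environment, never with the raw CGI one."""
    return subprocess.run(args, env=safe_child_env(env),
                          capture_output=True, text=True)

# Constructed sample CGI environment (not captured from a real server).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "REQUEST_METHOD": "GET",
    "SERVER_PROTOCOL": "HTTP/1.1",
    "REMOTE_HOST": "localhost",
    "HTTP_USER_AGENT": "Mozilla/5.0",
    # the custom header from the thread, as Apache would expose it
    "HTTP_CUSTOM": "() { :; }; while read -r l; do echo $l; done",
}

if __name__ == "__main__":
    print("suspicious:", find_suspicious_vars(SAMPLE_ENV))
    print("child env:", safe_child_env(SAMPLE_ENV))
```

Detection alone is a stopgap; the fix is the patched bash, and the scrubbed environment keeps request data away from child processes regardless.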