On 29 September 2014 at 17:46:20 CEST, Jason Matthews <[email protected]> wrote:
>paraphrasing "Joshua" from "WarGames," bash is a strange game where the
>only winning move is not to play. 
>
>J. 
>
>Sent from my iPhone
>
>> On Sep 29, 2014, at 2:43 AM, "Udo Grabowski (IMK)"
><[email protected]> wrote:
>> 
>> As predicted, there's more bash horror (Score 11....):
>
>_______________________________________________
>openindiana-discuss mailing list
>[email protected]
>http://openindiana.org/mailman/listinfo/openindiana-discuss

Maybe a stupid question on my side (sorry, I'm overwhelmed with relocation and 
other life events), but how really is this bug exploitable? Especially on 
Solaris and illumos systems with sh/ksh by default and assumed no scripted CGI 
(hosts of native or Java-sourced web code, though)?

I mean, from what I gather, the bug allows executing unexpected code with the 
credentials of the user that executes bash. On a local system someone should 
already have a login to do that (or a hacked backdoor), so they may have other 
means of doing mischief. Can it be used to elevate? How? Via config files for 
root-executed init scripts and cron jobs? If these are editable by a random 
untrustworthy user, the system is already busted without the bug...

I kinda get the point about web scripts, especially where system programs can be 
called with the default shell of the webserver account (bash for some), 
although I did not really grasp from cursory looks at the articles just how the 
env function can be passed via HTTP requests to do the exploit. Let's assume it 
can be done... As protection/precaution, would it suffice to make sure that 
apache and such do not use bash in their /etc/passwd fields (and restart the 
daemons)?

Also, did anyone (beside Oracle) already build and publish a replacement 
SUNWbash for legacy Solaris 8-10 systems? ;)

Thanks, Jim
--
Typos courtesy of K-9 Mail on my Samsung Android
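The question above asks how an "env function" reaches bash through an HTTP request. The following is an added example, not code from the openindiana-discuss thread or from any of the posters: it shows the CGI mapping that copies request headers into environment variables (RFC 3875: a header "Foo-Bar: v" becomes HTTP_FOO_BAR=v), and a check that flags values beginning with "() {", the prefix that unpatched bash in September 2014 parsed as an imported function definition before going on to execute whatever followed the function body. The request text, the hostname www.example.test and the /cgi-bin/status.sh path are constructed for the example.

```python
"""Added example (not code from the openindiana-discuss thread): how a CGI
gateway copies HTTP request headers into the environment of the program it
runs, and a check that flags environment values carrying the "() {" prefix
that unpatched bash (September 2014) treated as an imported function
definition, executing whatever followed the function body.

The HTTP requests below are constructed for the example.
"""

import re

# RFC 3875 (CGI) rule: header "Foo-Bar: v" becomes HTTP_FOO_BAR=v; the two
# body-describing headers are exported without the HTTP_ prefix.
_UNPREFIXED = {"CONTENT_TYPE", "CONTENT_LENGTH"}

# Unpatched bash imported a function from any env var whose value started
# with "() {", then kept parsing past the closing brace, so a trailing
# command such as "; echo vulnerable" ran when bash started.
_FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")


def cgi_environ(request_text: str) -> dict:
    """Build the environment a CGI gateway would hand to the script."""
    head, _, _body = request_text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, protocol = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    env = {
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": path,
        "QUERY_STRING": query,
        "SERVER_PROTOCOL": protocol,
    }
    for header in lines[1:]:
        name, _, value = header.partition(":")
        key = name.strip().upper().replace("-", "_")
        if key not in _UNPREFIXED:
            key = "HTTP_" + key
        env[key] = value.strip()  # attacker-controlled bytes land here
    return env


def shellshock_suspects(env: dict) -> dict:
    """Return the env entries an unpatched bash would parse as functions."""
    return {k: v for k, v in env.items() if _FUNC_PREFIX.match(v)}


def trailing_command(value: str) -> str:
    """Text after the function body: what unpatched bash would execute."""
    if not _FUNC_PREFIX.match(value):
        return ""
    body_end = value.find("}")
    return value[body_end + 1:].lstrip("; \t")


def scan_request(request_text: str) -> dict:
    """Map each suspicious env var to the command bash would run."""
    env = cgi_environ(request_text)
    return {k: trailing_command(v) for k, v in shellshock_suspects(env).items()}


# Constructed sample: a GET whose User-Agent carries the classic payload.
SAMPLE_REQUEST = (
    "GET /cgi-bin/status.sh?host=db1 HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: () { :;}; echo vulnerable\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# Constructed sample: the same script fetched by an ordinary client.
BENIGN_REQUEST = (
    "GET /cgi-bin/status.sh HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: curl/7.38.0\r\n"
    "\r\n"
)


if __name__ == "__main__":
    env = cgi_environ(SAMPLE_REQUEST)
    print("HTTP_USER_AGENT =", env["HTTP_USER_AGENT"])
    print("suspects:", scan_request(SAMPLE_REQUEST))
    print("benign:", scan_request(BENIGN_REQUEST))
```

Nothing in the example needs a vulnerable bash; it only shows the path the payload takes. Two points worth keeping in mind when reading it: the gateway exports every header, so any of them (User-Agent, Cookie, Referer, or a custom one) is a carrier, and the function body itself is harmless, it is the text after the closing brace that runs. The login shell in /etc/passwd only comes into play if something actually launches that user's login shell; a CGI script starting with #!/bin/bash, or a native or Java program that calls system()/popen() on a host where /bin/sh is bash, reaches bash regardless of the passwd entry. To check a specific bash binary locally, the widely circulated test is env x='() { :;}; echo vulnerable' bash -c "echo this is a test"; a patched bash prints only the test line.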
