[RndTbl] bash + procmail vulnerabilities

Gilbert E. Detillieux gedetil at cs.umanitoba.ca
Fri Sep 26 10:55:55 CDT 2014


On 26/09/2014 2:40 AM, Trevor Cordes wrote:
> On 2014-09-25 Gilbert E. Detillieux wrote:
>> I have another host, with some CGI scripts that have names of the
>> form */cgi-bin/*.sh, and those URLs are seeing a lot of attempts
>> (all failed as well).  I guess they've got lists of potential target
>> URLs to try, and anything ending in ".sh" is going to be
>> irresistible!
>
> For sure someone must have compiled existing web-server lists to
> rapidly exploit zero-day http vectors.  I'm actually a bit surprised
> that a) they did that and b) my measly SMB site is on the list.
...
> Besides CGI which by its nature must pass the ENV, it looks like the
> number of http-vector cases may be limited.

There's a good overview video from SANS on the subject...

https://www.youtube.com/watch?v=W7GaVyzkCs0

It explains a quick way to find potentially vulnerable scripts, using a 
Google search...

filetype:sh inurl:cgi-bin site:example.com

... which, of course, is exactly what the script kiddies are now doing 
(minus the site: tag) to target potential bash scripts.

It also briefly mentions other potentially exploitable vectors, such as 
ssh running restricted shells/scripts, and DHCP (not easily exploited, 
but can get you root access).

-- 
Gilbert E. Detillieux		E-mail: <gedetil at muug.mb.ca>
Manitoba UNIX User Group	Web:	http://www.muug.mb.ca/
PO Box 130 St-Boniface		Phone:  (204)474-8161
Winnipeg MB CANADA  R2H 3B4	Fax:    (204)474-7609
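
Added example, not part of the original message: the local counterpart of the search described above, a POSIX shell script that lists the CGI files on your own server whose shebang interpreter resolves to bash, including an `sh` that is a symlink to bash. The function names, the constructed sample tree and the `/var/www/cgi-bin` path in the comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list the CGI scripts on your own
# server that are interpreted by bash, directly or through a symlinked sh.

# Succeeds if the shebang interpreter of script $1 resolves to a binary named bash.
runs_under_bash() {
    # Take the interpreter from the "#!" line; for "#!/usr/bin/env X" take X.
    interp=$(head -n 1 "$1" 2>/dev/null | awk '/^#!/ {
        sub(/^#![ \t]*/, ""); sub(/\r$/, "")
        if ($1 ~ /\/env$/) print $2; else print $1 }')
    [ -n "$interp" ] || return 1
    case $interp in
        */*) path=$interp ;;                                   # explicit path
        *)   path=$(command -v "$interp" 2>/dev/null) || path=$interp ;;
    esac
    # Follow symlinks so that /bin/sh -> bash is reported as bash.
    resolved=$(readlink -f "$path" 2>/dev/null) || resolved=$path
    [ "$(basename "${resolved:-$path}")" = bash ]
}

# Print every regular file under directory $1 that runs under bash.
find_bash_cgi() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if runs_under_bash "$f"; then printf '%s\n' "$f"; fi
    done
}

# Constructed sample tree: four CGI files and a fake "sh" symlinked to a
# placeholder file named bash, mimicking systems where sh is bash.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/fakebin" "$t/cgi-bin"
    : > "$t/fakebin/bash"
    ln -s "$t/fakebin/bash" "$t/fakebin/sh"
    printf '#!/bin/bash\necho status\n'      > "$t/cgi-bin/status.sh"
    printf '#!%s/fakebin/sh\necho hi\n' "$t" > "$t/cgi-bin/hello.sh"
    printf '#!/usr/bin/perl\nprint 1;\n'     > "$t/cgi-bin/form.pl"
    printf 'plain text, no shebang\n'        > "$t/cgi-bin/readme.txt"
    printf '%s\n' "$t"
}

# Usage on a real host: find_bash_cgi /var/www/cgi-bin   (path is an assumption)
tree=$(make_sample_tree) && find_bash_cgi "$tree/cgi-bin"
```

The listing covers shebang lines only; a CGI program in another language that shells out through a bash-backed `sh` still hands the request environment to bash and will not appear here.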