[RndTbl] bash + procmail vulnerabilities
Gilbert E. Detillieux
gedetil at cs.umanitoba.ca
Fri Sep 26 10:55:55 CDT 2014
On 26/09/2014 2:40 AM, Trevor Cordes wrote:
> On 2014-09-25 Gilbert E. Detillieux wrote:
>> I have another host, with some CGI scripts that have names of the
>> form */cgi-bin/*.sh, and those URL's are seeing a lot of attempts
>> (all failed as well). I guess they've got lists of potential target
>> URL's to try, and anything ending in ".sh" is going to be
>> irresistible!
>
> For sure someone must have compiled existing web-server lists to
> rapidly exploit zero-day http vectors. I'm actually a bit surprised
> that a) they did that and b) my measly SMB site is on the list.
...
> Besides CGI which by its nature must pass the ENV, it looks like the
> number of http-vector cases may be limited.

There's a good overview video from SANS on the subject...

https://www.youtube.com/watch?v=W7GaVyzkCs0

It explains a quick way to find potentially vulnerable scripts, using a
Google search...

filetype:sh inurl:cgi-bin site:example.com

... which, of course, is exactly what the script kiddies are now doing
(minus the site: tag) to target potential bash scripts.

It also briefly mentions other potentially exploitable vectors, such as
ssh running restricted shells/scripts, and DHCP (not easily exploited,
but can get you root access).

--
Gilbert E. Detillieux        E-mail: <gedetil at muug.mb.ca>
Manitoba UNIX User Group     Web:    http://www.muug.mb.ca/
PO Box 130 St-Boniface       Phone:  (204)474-8161
Winnipeg MB CANADA  R2H 3B4  Fax:    (204)474-7609
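
The same discovery done from the defender's side, as an added example that is not part of the original message: rather than asking a search engine, walk your own web root and list every file under a cgi-bin directory that a shell will run, whether by shebang or by ".sh" name. The function name `audit_cgi_shell` and the web root path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): list CGI scripts that are run
# by a shell so they can be reviewed and patched first.
# Output: one "reason<TAB>path" line per matching file.
# Usage (path is an assumption, use your server's document root):
#   audit_cgi_shell /var/www
audit_cgi_shell() {
    root=$1
    # Only files that live below a directory named cgi-bin are considered.
    find "$root" -type f -path '*/cgi-bin/*' 2>/dev/null |
    while IFS= read -r f; do
        # Read the first line only; drop NULs and CRs so binaries and
        # DOS-format scripts do not confuse the match.
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\000\r')
        case $first in
            '#!'*bash*)
                reason=bash-shebang ;;
            '#!'*/sh|'#!'*/sh\ *|'#!'*env\ sh*)
                # /bin/sh is bash on some systems, so report these too.
                reason=sh-shebang ;;
            *)
                # No shell shebang: fall back to the file name.
                case $f in
                    *.sh) reason=sh-extension ;;
                    *)    continue ;;
                esac ;;
        esac
        printf '%s\t%s\n' "$reason" "$f"
    done
}
```

Scripts in other languages that hand work to a shell are not flagged by this check, so treat the list as a starting point for review.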