Will /sbin/nologin Protect Apache from Bash Exploit CVE-2014-6271

@Sims2060225

Posted in: #Apache #Webserver

It was announced widely today (September 24, 2014) that it is possible to manipulate environment variables to execute approximately arbitrary code on *nix systems where Bash is the default shell. seclists.org/oss-sec/2014/q3/650
Per the article above, CGI scripts are a major attack vector because CGI variables attached to a URL are presented to the Common Gateway Interface as environment variables, i.e. the server process (Apache in my case) puts the CGI parameters into the environment.

On my particular installation, Apache has a default shell of /sbin/nologin although the default system shell is /bin/bash.

Can such a system be exploited in the manner described? Alternatively, how can I test it?

(I know I need to replace the Bash shell ASAP; that turns out to be a big deal because of some customization.)

(If this should be migrated to ServerFault, please do so; I put it here because the question is specific to web server programs, and especially Apache.)

Edit: Not the answer, but it may help others; it looks like disabling mod_cgi will mitigate the problem, at least somewhat. securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/


@Heady270

Specifying /sbin/nologin as the login shell for the Apache user does not prevent Apache from launching bash. It only prevents logins with the user that is meant to only run the webserver.

You might be interested in How do I secure Apache against the Bash Shellshock vulnerability? from the security StackExchange site. It suggests some workarounds like running apache in a chroot environment with a patched version of bash. Even if you can't replace bash everywhere, you might be able to do so for Apache.

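As an added illustration of the point made in the answer above (this is hypothetical helper code, not part of either post or of Apache): mod_cgi hands each request header to the CGI child as an HTTP_* environment variable, so the login shell in /etc/passwd never enters the picture; what a defender can inspect is the environment a CGI child would receive and the access log for values that bash (before the patch) would parse as a function definition. Function names and the sample log lines are constructed.

```python
import re
from typing import Dict, List, Tuple

# A value beginning "() {" is what unpatched bash imports as a function; that is the trigger shape.
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")

# Apache combined log format: client, request line, status, size, referer, user agent.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"')


def cgi_environ(headers: Dict[str, str], query: str, script: str) -> Dict[str, str]:
    """Model how mod_cgi maps a request into the child's environment (RFC 3875 variable names)."""
    env = {"QUERY_STRING": query, "SCRIPT_NAME": script, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def shellshock_indicators(env: Dict[str, str]) -> List[str]:
    """Names of environment variables whose value carries the function-definition prefix."""
    return sorted(k for k, v in env.items() if FUNC_PREFIX.match(v))


def scan_access_log(lines: List[str]) -> List[Tuple[str, str]]:
    """(client, field) pairs for log lines whose referer or user agent has the trigger shape."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, _request, _status, referer, agent = m.groups()
        if FUNC_PREFIX.match(referer):
            hits.append((client, "referer"))
        if FUNC_PREFIX.match(agent):
            hits.append((client, "user_agent"))
    return hits


# Constructed sample lines; the client addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :; }; echo probe"',
    '198.51.100.7 - - [24/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    env = cgi_environ({"User-Agent": "() { :; }; echo probe", "Host": "example.com"}, "a=1", "/cgi-bin/status.sh")
    print(shellshock_indicators(env))   # ['HTTP_USER_AGENT']
    print(scan_access_log(SAMPLE_LOG))  # [('203.0.113.5', 'user_agent')]
```

Any variable reported by shellshock_indicators reaches bash untouched whenever the CGI script is itself a bash script or calls out through /bin/sh linked to bash, which is why patching or replacing the bash binary (or removing mod_cgi) is the fix rather than the login shell.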