26 Sep
2014
26 Sep
'14
5:38 p.m.
On 9/26/2014 1:34 PM, Robbie De Lise wrote:
Due to a bug in bash it is possible to run shell
commands as root through
environmental variables (env).
It's my understanding that the code would be executed as the user of the
service in which the exploit was launched through (this is not
necessarily limited to web servers, as KI6ZHD correctly mentions). So,
for a HTTP-based attack, if your web server is running as 'nobody' or
'apache', the code will execute with those user permissions. Hopefully
people aren't running their web servers as root.
I've had to patch quite a few machines over the past couple of days; a
few of the older versions had to be taken care of with a compiler. As
more complete patches are released, I guess I'll be doing it all over again.
In the meantime, may all your boxen stay clean and stable!
73,
Brett, WA7V