Thought I'd forward on an email I wrote to one of my technical lists as there is a lot of vague information out there at the moment.
--David KI6ZHD
Hey Everyone,
At first, I thought this issue was going to be pretty narrow for sites that still use CGI, etc. Looking more, I found this good summary page, which shows it to be a rather large attack surface:
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.ht... -- What else? Oh, of course: the impact of this bug is an interesting story all in itself. At first sight, the potential for remote exploitation should be limited to CGI scripts that start with #!/bin/bash and to several other programs that explicitly request this particular shell. But there's a catch: on a good majority of modern Linux systems, /bin/sh is actually a symlink to /bin/bash!
This means that web apps written in languages such as PHP, Python, C++, or Java, are likely to be vulnerable if they ever use libcalls such as popen() or system(), all of which are backed by calls to /bin/sh -c '...'. There is also some added web-level exposure through #!/bin/sh CGI scripts, <!--#exec cmd="..."> calls in SSI, and possibly more exotic vectors such as mod_ext_filter. --
This page nicely shows one-line scripts that demonstrate whether you're vulnerable and, if not, what the expected output is:
https://community.qualys.com/blogs/securitylabs/2014/09/24/bash-remote-code-...
Big providers running tools like cPanel, etc. are going to get caught up, and there are several bots already exploiting this. Unfortunately, even with the newest patches available, say at http://ftp.gnu.org/gnu/bash/bash-4.3-patches/, things aren't completely resolved. This list seems to have the newest details on the issue from the primary developers, so it needs to be monitored until a new patch makes it upstream:
http://www.openwall.com/lists/oss-security/2014/09/26/
Patch 0.26 is still not released which is required to completely close these holes. According to the above email list, this is turning out to be a much larger problem!
--David
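Added example (not part of David's message or of the pages he links): a POSIX sh script that performs the two self-checks the post refers to and reports what /bin/sh actually resolves to, which is the detail that makes the popen()/system() vector matter. The payload strings are the widely published test cases for the original bug (CVE-2014-6271) and the incomplete-fix follow-up (CVE-2014-7169); the HTTP_USER_AGENT variable name is my choice, picked to mirror how a CGI wrapper exports a request header into the environment, and the function names are mine.

```shell
#!/bin/sh
# Shellshock self-check (added example; not from the original post).
# Mirrors the one-liners circulated in Sept 2014 and wraps them in
# functions that print "VULNERABLE", "patched" or "no-bash".

# popen()/system() run /bin/sh -c '...'; if /bin/sh is bash, every
# PHP/Python/Java app that shells out inherits the exposure.
sh_target() {
    # readlink -f is GNU coreutils; fall back to ls elsewhere (assumption).
    if readlink -f /bin/sh >/dev/null 2>&1; then
        readlink -f /bin/sh
    else
        ls -l /bin/sh
    fi
}

# CVE-2014-6271: bash imports any env var that starts with "() {" as a
# function and, unpatched, also executes whatever follows the body.
# A CGI wrapper exports request headers as HTTP_* variables, so the
# attacker-controlled User-Agent header becomes exactly this situation.
shellshock_6271_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env HTTP_USER_AGENT='() { :;}; echo vulnerable' \
              bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "VULNERABLE" ;;
        *)            echo "patched" ;;
    esac
}

# CVE-2014-7169: after the first fix, a parser bug lets a trailing
# redirection in the payload leak into the next command, so
# "echo date" becomes "date > echo" and a file named echo appears.
# Run in a scratch directory so the check never litters the cwd.
shellshock_7169_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    dir=$(mktemp -d 2>/dev/null) || {
        dir="${TMPDIR:-/tmp}/shellshock_check.$$"
        mkdir -p "$dir" || return 1
    }
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then
        status="VULNERABLE"
    else
        status="patched"
    fi
    rm -rf "$dir"
    echo "$status"
}

echo "/bin/sh resolves to: $(sh_target)"
echo "CVE-2014-6271: $(shellshock_6271_status)"
echo "CVE-2014-7169: $(shellshock_7169_status)"
```

On a patched system the first check prints "this is a test" to stdout (with a "ignoring function definition attempt" warning on stderr) and no file named echo is created, so both functions report "patched". Note that "patched" here only means these two specific payloads are rejected; as the post says, further parser issues were still being worked through upstream at the time, so re-run the check after each new bash patch lands.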