
upgrading bash
In case anyone hasn't heard, there's an amazing bash bug known as
"shellshock" that executes arbitrary environment variables as code:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

There are many ways for attackers to pass information into environment
variables via ssh, apache, qmail, et al. My recommendations are to

* upgrade bash and
* change /bin/sh to something simpler (such as dash), if you're on a
system that uses bash as /bin/sh.

If you've manually copied shells into chroot environments then you
should make sure to upgrade those copies as well.

---Dan
Re: upgrading bash [ In reply to ]
On Sep 25, 2014, at 7:31 PM, D. J. Bernstein <djb@cr.yp.to> wrote:

> In case anyone hasn't heard, there's an amazing bash bug known as
> "shellshock" that executes arbitrary environment variables as code:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
>
> There are many ways for attackers to pass information into environment
> variables via ssh, apache, qmail, et al. My recommendations are to
>
> * upgrade bash and
> * change /bin/sh to something simpler (such as dash), if you're on a
> system that uses bash as /bin/sh.
>
> If you've manually copied shells into chroot environments then you
> should make sure to upgrade those copies as well.
>
> ---Dan

I didn't know about this. Red Hat has released updated versions of Bash on 9-24-14.

Thank you so much

Kristen
Re: upgrading bash [ In reply to ]
On Thu, 25 Sep 2014, Kristen R wrote:

> On Sep 25, 2014, at 7:31 PM, D. J. Bernstein <djb@cr.yp.to> wrote:
>
>> In case anyone hasn't heard, there's an amazing bash bug known as
>> "shellshock" that executes arbitrary environment variables as code:
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
>>
>> There are many ways for attackers to pass information into environment
>> variables via ssh, apache, qmail, et al. My recommendations are to
>
> I didn't know about this. Red Hat has released updated versions of Bash
> on 9-24-14

All,

I was able to exploit "shellshock"-vulnerable bash via qmail in my lab.
I could execute arbitrary commands in the context of any user that has a
.qmail utilizing program delivery (e.g., |/path/to/some/program). Common
uses of program delivery in .qmail are procmail, ezmlm, etc.

While it is only exploitable because of this bash bug, I think that qmail
should do some additional input validation. I sent Dan an email around
4pm EDT Thursday about this.

This is relatively easy to exploit if you know how qmail uses environment
variables.

To echo what Dan said, patch your bash NOW.

--
Kyle George
Re: upgrading bash [ In reply to ]
On Fri, 26 Sep 2014 02:52:29 -0400 (EDT)
Kyle George wrote:

> To echo what Dan said, patch your bash NOW.

If you opt to move to a simpler shell then don't forget to convert
any bashisms in any scripts. I remember having to do this for some
qmail addons.
Re: upgrading bash [ In reply to ]
But only if |/path/to/some/program points to a program written in Bash, right?

--
Luciano ES
Re: upgrading bash [ In reply to ]
On Fri, 26 Sep 2014, Luciano ES wrote:

> But only if |/path/to/some/program points to a program written in Bash, right?

Unfortunately no. Qmail invokes /bin/sh -c regardless. I was able to
exploit it when my .qmail contained nothing other than "|cat".

When qmail (in qmail-local.c) sees "|/path/to/some/program" (program
delivery) in .qmail it runs /bin/sh -c /path/to/some/program. On systems
where /bin/sh is bash (lots of Linux), and the bash has not been patched,
you are vulnerable regardless of the program used in .qmail.

If your .qmail just contains a mailbox or a forwarding address, you are
not directly vulnerable.

--
Kyle George
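The checks that Dan's recommendations (upgrade bash, stop using bash as /bin/sh, upgrade copies in chroots) and Kyle's explanation above (qmail-local runs every "|program" delivery through /bin/sh -c, so the program's own language is irrelevant) imply, written out as an added POSIX shell script. This is example code, not from the thread or from qmail; it assumes /bin/sh and /bin/bash at their usual paths and that find, grep, cmp and env are available. The probe in check_shellshock_bash is the widely published function-import test; a bash carrying only the first, incomplete fix passes it while still being affected by the follow-up CVE-2014-7169 that Dan linked, so treat a pass as necessary, not sufficient, and confirm the package version against your distribution's advisory.

```shell
#!/bin/sh
# Added example (not part of the thread): defender-side checks for the
# shellshock discussion above. Assumptions: /bin/sh, /bin/bash, find, grep,
# cmp and env exist; directories to scan are passed as arguments.

# 1. Does the bash on PATH still execute code trailing a function definition
#    imported from the environment? A patched bash prints only "probe".
#    Returns 0 = probe passed, 1 = vulnerable, 2 = no bash found.
check_shellshock_bash() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;
        *)            return 0 ;;
    esac
}

# 2. Is /bin/sh actually bash? This is what matters for .qmail program
#    delivery, since qmail-local invokes "/bin/sh -c". Prints "bash" or "other".
#    Asks the shell itself rather than trusting a symlink chain.
sh_flavour() {
    if [ -n "$(/bin/sh -c 'printf %s "$BASH_VERSION"' 2>/dev/null)" ]; then
        echo bash
    else
        echo other
    fi
}

# 3. Inventory .qmail and .qmail-ext files under a home tree that use program
#    delivery (lines starting with "|"). Every such file is reached through
#    /bin/sh -c, so "|cat" is as exposed as "|/usr/bin/procmail".
#    Prints "file:lineno:line" per hit.
find_program_deliveries() {
    find "$1" -name '.qmail*' -type f 2>/dev/null |
    while IFS= read -r f; do
        grep -n '^|' "$f" 2>/dev/null |
        while IFS= read -r hit; do printf '%s:%s\n' "$f" "$hit"; done
    done
}

# 4. Locate copies of bash under a tree (e.g. chroot roots) that a package
#    upgrade does not touch, and say whether each still matches /bin/bash.
find_bash_copies() {
    find "$1" -type f -name bash 2>/dev/null |
    while IFS= read -r f; do
        if [ -f /bin/bash ] && cmp -s /bin/bash "$f"; then
            printf '%s: identical to /bin/bash\n' "$f"
        else
            printf '%s: differs from /bin/bash (upgrade or re-copy it)\n' "$f"
        fi
    done
}

# Usage: sh shellshock-checks.sh /home /srv/chroots
# Exit status 1 if the bash on PATH fails the probe.
main() {
    homes=$1; chroots=${2:-}
    check_shellshock_bash; rc=$?
    case $rc in
        0) echo "bash: function-import probe passed (check version for CVE-2014-7169 too)" ;;
        1) echo "bash: VULNERABLE to function import, upgrade now" ;;
        2) echo "bash: not found on PATH" ;;
    esac
    echo "/bin/sh is: $(sh_flavour)"
    echo "program deliveries exposed via /bin/sh -c:"
    find_program_deliveries "$homes"
    if [ -n "$chroots" ]; then
        echo "bash copies under $chroots:"
        find_bash_copies "$chroots"
    fi
    [ "$rc" -ne 1 ]
}

[ $# -eq 0 ] || main "$@"
```

Run it once before and once after the package upgrade; the .qmail inventory is the list of accounts that were reachable through this path while /bin/sh was bash, which is the set to review in your delivery logs.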
Re: upgrading bash [ In reply to ]
Thus said Kyle George on Fri, 26 Sep 2014 02:52:29 -0400:

> I was able to exploit "shellshock"-vulnerable bash via qmail in my
> lab.

In what way were you able to ``exploit'' this? Were you able to elevate
privileges via qmail-smtpd? Were you able to elevate privileges via
.qmail? Were you able to cause another user to run a program that was
not intended to be run via their .qmail?

> I could execute arbitrary commands in the context of any user that has
> a .qmail utilizing program delivery (e.g., |/path/to/some/program).

Are you saying that a user who is in control of his own .qmail file is
able to run programs from the .qmail file? Or is it more serious than
that?

Thanks,

Andy
--
TAI64 timestamp: 4000000054259973
Re: upgrading bash [ In reply to ]
On Fri, 26 Sep 2014, Andy Bradford wrote:

> Thus said Kyle George on Fri, 26 Sep 2014 02:52:29 -0400:
>
>> I was able to exploit "shellshock"-vulnerable bash via qmail in my
>> lab.
>
> In what way were you able to ``exploit'' this? Were you able to elevate
> privileges via qmail-smtpd? Were you able to elevate privileges via
> .qmail? Were you able to cause another user to run a program that was
> not intended to be run via their .qmail?

The latter. I could cause any user with a .qmail containing any program
delivery to execute a command of my choosing. And if that user is
privileged or a sudoer ...

>> I could execute arbitrary commands in the context of any user that has
>> a .qmail utilizing program delivery (e.g., |/path/to/some/program).
>
> Are you saying that a user who is in control of his own .qmail file is
> able to run programs from the .qmail file? Or is it more serious than
> that?

I think I answered this above? It doesn't matter what is in the .qmail as
long as there is at least one use of program delivery to any program. I
was able to exploit it with just "|cat" in my .qmail.

I will provide a more detailed writeup soon. I want to give people a
chance to patch. However, this is fairly easy to exploit so I don't think
that waiting will be all that effective. So perhaps later today.

--
Kyle George
Re: upgrading bash [ In reply to ]
On Friday 26 Sep 2014 13:49:38 Kyle George wrote:
> On Fri, 26 Sep 2014, Andy Bradford wrote:
> > Thus said Kyle George on Fri, 26 Sep 2014 02:52:29 -0400:
> >> I was able to exploit "shellshock"-vulnerable bash via qmail in my
> >> lab.
> >
> > In what way were you able to ``exploit'' this? Were you able to elevate
> > privileges via qmail-smtpd? Were you able to elevate privileges via
> > .qmail? Were you able to cause another user to run a program that was
> > not intended to be run via their .qmail?
>
> The latter. I could cause any user with a .qmail containing any program
> delivery to execute a command of my choosing. And if that user is
> privileged or a sudoer ...
> ...

Rather than speculate on how bad the vulnerability is before patching it, I'd
suggest patching it and exploring this issue afterwards, esp. since it's very
easy to patch: If you're on a mainstream Linux just 'apt-get install bash' or
'yum update bash' is sufficient (some suggest then running '/sbin/ldconfig' for
good measure - that seems to be superfluous).

cheers,

Andrew.
--
====================================================================
* Custom email solutions * Systems Administration * Networking
http://www.acrconsulting.co.uk/email/qmail.html
====================================================================