Originally posted by johnc
No, it would not break into arbitrary Apache configuration. But if you use CGI scripts, that's a problem. Some people did a simple global scan and found about 3000 servers which suffer from this problem even on a GET / request. Sure, it takes bad luck. However, smarter attacks would do more harm. Say, CPanel would suffer from this problem. At least about another 30 000 servers to pwn for h4x0rz. Hosting companies will have a bad day today. It is hard to even predict how many servers will get compromised. I can estimate it is quite a lot.
Then you can use ssh to do some jobs. You can limit a job to a single command, etc., to keep risks at a minimum. Yet it can turn out these restrictions are nuff void and such an SSH session can be upgraded to a fully featured interactive session.
But my favorite would be DHCP pwnage. You've got an IP in this net? Okay, the DHCP owner possibly got root in your system already. So you would really want to update it. That's what I call real pwnage.
I bet there could be zillions of less obvious examples. All it takes is the ability of an external user to set an environment variable to a desired value somewhere. Since these are often used to exchange parameters and bash is quite common on the way, it's even hard to predict how and where it would backfire.
And attempting to downplay a serious security problem like this is like smoking on a barrel of gunpowder. Sure, sometimes you can go unharmed. But quite often it just blows up.