Hacker News new | ask | show | jobs
by bodyfour 4288 days ago
It won't be as simple as scanning all IP4 space because for most vulnerable hosts you still will need to know a URL of a cgi program that can cause bash to be executed (either because they're written in shell or, more likely, that there is some path found that can cause popen()/system()/etc to be called) If you read Robert Graham's blog post about his scan for this (posted to HN earlier today) he mentioned that the hosts he found by just looking at the root URL are probably a tiny subset of what's really out there.

What we'll probably see is lots of blackhats looking at common CGI-based packages, finding a way to provoke an exploit using that, and then doing an IPv4 scan exploiting just that one. There will also be a long-tail of people mounting more directed attacks against URLs they suspect are CGI based.
1 comments
patio11 4288 days ago
I think you underestimate attack vectors. d6c477a79ea7a633c2bb0e358e32399c1b18eb7d <-- Will ruin 1+ HNers' day sooner rather than later if they don't patch. Successful exploit doesn't require the exploit writer even knowing that vector existed to say nothing of successfully guessing a URL.
link
janlin1999 4288 days ago
What does "d6c477a79ea7a633c2bb0e358e32399c1b18eb7d" mean?

Also, I'm learning about this and am primarily concerned about the possibility of remote exploits -- if a web server returns 404 for an invalid URL, how does the attack vector work if the exploit writer does not successfully guess a URL? Thanks.

link
fr4 4288 days ago
It is probably a SHA hash of a one-liner proof of concept that he has that he doesn't want to reveal as yet, but wants to prove that he was talking about at a later date.
link
djb_hackernews 4288 days ago
Take for example your favorite web app server, rails, django, etc. whatever it may be. (Not saying these are necessarily exploitable, but potentially)

Now imagine that for EVERY request, no matter if it is a valid path or not, one of the things it does is load all of the headers for the request into bash variables...

link
drzaiusapelord 4288 days ago
>Successful exploit doesn't require the exploit writer even knowing that vector existed to say nothing of successfully guessing a URL.

I'm not following. My CGI application is at example.com/stuff/cgi/webapp

So now the attack doesn't need to append /stuff/cgi/webapp? It can just point to example.com? How does that work?

link