
A server with vulnerable bash, but cgi enabled only and there are no cgi scripts in cgi-bin. Is it still exploitable?

If there are scripts in cgi-bin and only the server admin knows the filenames of the scripts in cgi-bin, is it exploitable by an attacker?

How can an attacker get to know the names of scripts in cgi-bin?
What are the default script names present in most cgi-enabled servers?

rubo77
jonny789
  • I read that it might also work if the server-side scripts (e.g. php) call an external program; bash may get called (e.g. a system command for ImageMagick or for sendmail). – rubo77 Sep 29 '14 at 08:04

1 Answer

You don't mention which server; is it Apache? At the moment, it appears that an attacker must be able to cause a CGI program to run in order to exploit the vulnerability. Having no CGI scripts would seem to offer some protection. Removing mod_cgi from httpd.conf would offer more:

a2dismod cgi
apache2ctl graceful

The second part of your question relies on security by obscurity, which is always a bad idea.

Here's a list of potential CGI scripts/programs: https://docs.google.com/document/d/1vN2QOG2OZIAHGXDmd5wB8FPi-Hin2GaIlWRJ0RYkTbA/edit . I didn't compile this list, and have not attempted to vet it for completeness.

rubo77
Bob Brown
  • How would you have to check your server against this list? – rubo77 Sep 29 '14 at 07:47
  • https://shellshock.detectify.com/ will do it for you. (I haven't vetted this.) – Bob Brown Sep 29 '14 at 07:58
  • https://shellshock.detectify.com/ will iterate over a list of possible cgi-URLs until it finds a vulnerable end-point where it will inject a harmless payload. – rubo77 Sep 29 '14 at 09:51
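The thread raises two defender-side questions: how an attacker learns script names in cgi-bin (by guessing from a list, as the detectify comment describes), and whether the server is being probed. Both leave traces in the web server access log. The following is an added example, not code from the thread or from any of the tools mentioned: it parses Apache combined-format log lines and flags (a) requests whose User-Agent or Referer header carries the Shellshock function-definition signature `() {`, and (b) clients that rack up 404s under /cgi-bin/, which is what enumerating candidate script names looks like from the server side. The log lines are constructed for the example (documentation IP ranges, made-up paths), and the `threshold` parameter is an assumption to tune.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not taken from the thread).
# 203.0.113.5 guesses two script names that don't exist, then hits a real one with
# the Shellshock signature in its User-Agent. 198.51.100.7 is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Sep/2014:07:40:01 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Sep/2014:07:40:02 +0000] "GET /cgi-bin/printenv HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Sep/2014:07:40:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [29/Sep/2014:07:41:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.37.0"
198.51.100.7 - - [29/Sep/2014:07:41:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "curl/7.37.0"
"""

# Apache combined format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"\s*$'
)

# A bash function definition at the start of an environment variable is what
# CVE-2014-6271 (Shellshock) keys on; CGI copies request headers into the
# environment of the script it runs, so this is the signature to look for.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_line(line):
    """Return a dict of log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_probes(log_text):
    """Entries whose logged header values carry the '() {' signature."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        for field in ("user_agent", "referer"):
            if SHELLSHOCK_RE.search(entry[field]):
                hits.append({"ip": entry["ip"], "path": entry["path"],
                             "field": field, "ts": entry["ts"]})
    return hits


def find_cgi_enumeration(log_text, threshold=2):
    """Clients with at least `threshold` 404s under /cgi-bin/ (name guessing)."""
    misses = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["path"].startswith("/cgi-bin/") and entry["status"] == "404":
            misses[entry["ip"]] += 1
    return {ip: n for ip, n in misses.items() if n >= threshold}


def analyze(log_text, threshold=2):
    """Combine both checks into one report for a block of log text."""
    return {
        "probes": find_shellshock_probes(log_text),
        "enumerators": find_cgi_enumeration(log_text, threshold),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for p in report["probes"]:
        print(f"Shellshock signature from {p['ip']} in {p['field']} against {p['path']} at {p['ts']}")
    for ip, n in report["enumerators"].items():
        print(f"{ip}: {n} missing-script requests under /cgi-bin/")
```

Run it over a real access log by replacing SAMPLE_LOG with the file contents. A client that first appears in the enumeration report and then in the probe report is the sequence the detectify comment describes: guess script names, then send a payload to the one that answers. Whether the payload did anything still depends on the bash version behind the CGI program, which this check cannot tell you; the `a2dismod cgi` step in the answer removes the path regardless of which script names exist.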