Author Archives: meme

shellshock bash horror and Apache

Also referred to as CVE-2014-6271, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187, the now infamous shellshock flaw refers to Bash being able to blindly run commands inside specially crafted environment variables.

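Just run:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    env var='() { (a)=>\' bash -c "echo date"; cat echo

If in the output of the first command you find the word vulnerable, then you are. The second command tests for the follow-up flaw (CVE-2014-7169): an affected Bash creates a file named echo in the current directory and cat prints the date from it, while a fixed Bash prints the word date and cat reports that the file does not exist.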

A few of the identified attack vectors are:

  • ForceCommand of OpenSSH;
  • Apache with mod_cgi or mod_cgid;
  • DHCP invoking shell scripts to configure clients;
  • and possibly many others.

What I want to focus on here is Apache and mod_cgi, because that seems the most exposed vector of attack and because nobody actually mentions the dependencies for this attack to be successful.

As a note, at the moment there is conflicting information on whether this affects mod_php with exec functions enabled. Quoting: "PHP scripts executed with mod_php are not affected even if they spawn subshells."
But I haven’t tested this myself as of yet.

In order to make this work under mod_cgi you would need to meet the following conditions:

  • a script which spawns a shell, like #!/bin/bash or by using popen(), exec, shell_exec etc;
  • that same script parsed by mod_cgi (by default it executes only extensions with .cgi, as defined by AddHandler cgi-script .cgi);
  • have the script publicly discoverable – possibly through Google dorking for /bin/bash.
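
An added example, not part of the original post: a shell sketch that inventories the scripts meeting the first two conditions above and wraps the first test command from this post. The function names, the grep heuristic and the placeholder paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: inventory scripts that meet the mod_cgi conditions above.
# Function names and the grep heuristic are assumptions for illustration.

# First test command from this post, run against a chosen bash binary.
# Returns 0 when the injected "echo vulnerable" actually executed.
bash_is_vulnerable() {
    out=$(env x='() { :;}; echo vulnerable' "${1:-bash}" -c "echo this is a test" 2>/dev/null)
    case "$out" in *vulnerable*) return 0 ;; *) return 1 ;; esac
}

# popen()/system()-style calls typically run /bin/sh, so they only reach
# bash on systems where /bin/sh resolves to bash (symlink check only).
sh_is_bash() {
    case "$(basename "$(readlink -f "${1:-/bin/sh}")")" in
        bash*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<reason> <path>" for every file with the handled extension that
# starts with a bash shebang or appears to call a shell-spawning function.
audit_cgi_dir() {
    dir=$1
    ext=${2:-cgi}   # default matches "AddHandler cgi-script .cgi"
    find "$dir" -type f -name "*.$ext" | sort | while IFS= read -r f; do
        case "$(head -n 1 "$f")" in
            '#!'*bash*) echo "bash-shebang $f"; continue ;;
        esac
        if grep -Eq '(popen|shell_exec|system|exec)[[:space:]]*\(' "$f"; then
            echo "spawns-shell $f"
        fi
    done
}

# Usage (paths are placeholders):
#   audit_cgi_dir /path/to/cgi-bin
#   bash_is_vulnerable /bin/bash && echo "bash still imports function bodies"
```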

blocked because of many connection errors-Haproxy-MySQL

    Host 'somehost' is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'

The cache contains information about errors that occur during the connection process. Some errors are considered “blocking.” If too many of these occur successively from a given host without a successful connection, the server blocks further connections from that host. The max_connect_errors system variable determines the number of permitted errors before blocking occurs.

Read more about host cache.

To unblock the host use:

    mysqladmin flush-hosts

To get rid of the blocks, set in my.cnf:

galera my.cnf

    user = root
    port = 3306
    datadir = /var/lib/mysql
    tmpdir = /tmp
    lc-messages-dir = /usr/share/mysql
    #log_error = /var/log/mysql/error.log
    #log_slow_queries = /var/log/mysql/mysql-slow.log
    #long_query_time = 3
    bind-address =
    max_connections = 400
    max_allowed_packet = 16M
    myisam-recover = BACKUP

    wsrep_provider = /usr/lib64/galera/
    wsrep_cluster_name = "galera-cluster"
    wsrep_node_name = "node1-"
    wsrep_cluster_address = "gcomm://,"
    wsrep_provider_options = "gcache.dir=/var/lib/mysql;gcache.size=512M;gcache.mem_size=256M"
    wsrep_replicate_myisam = ON
    wsrep_slave_threads = 4

    #thread_concurrency = 10
    #log-bin = mysql-bin
    binlog_format = ROW #must be set
    #expire_logs_days = 2
    #max_binlog_size = 512M
    query_cache_type = 0 #according to the doc, query cache should not be used
    #query_cache_size = 0
    #query_cache_limit = 32M
    #query_cache_min_res_unit = 128
    #thread_stack = 256K
    #thread_cache_size = 350
    #table_open_cache = 30000
    #key_buffer_size = 128M
    #sort_buffer_size = 512K
    #myisam_sort_buffer_size = 512K
    #read_buffer_size = 256K
    #read_rnd_buffer_size = 512K
    #join_buffer_size = 1M
    #bulk_insert_buffer_size = 16M
    #myisam_sort_buffer_size = 8M
    #tmp_table_size = 64M
    #max_heap_table_size = 64M
    #innodb_buffer_pool_size = 2G
    #innodb_buffer_pool_instances = 4
    innodb_flush_log_at_trx_commit=2 #must be set
    #innodb_read_io_threads = 4
    #innodb_write_io_threads = 4
    #innodb_thread_concurrency = 4
    #innodb_log_file_size = 5M
    #innodb_log_buffer_size = 32M
    #innodb_file_per_table = 1
    #innodb_stats_on_metadata = 0
    #innodb_open_files = 400
    #innodb_io_capacity = 400
    innodb_autoinc_lock_mode = 2 #must be set