Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).


Comment: Re:"could be worse than Heartbleed" (Score 1) 318

by jpvlsmv (#48005225) Attached to: Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild
Bash is still executed even with the multi-argument call to system.

The file /usr/bin/xzgrep is a shell script (note the #!/usr/bin/bash as the first line of the file). It inherits the CGI environment variables from its parent process, in this case the Perl interpreter. And since some of those CGI environment variables are controlled by the attacker (such as the Referrer: and Cookie: headers) the arbitrary code is executed.

And Bash is even executed when you open(INFILE, "/usr/bin/xzgrep error /var/log/my.log|","r") -- because the thing you're running isn't an ELF executable, it's a #!/usr/bin/bash text file.

Yes, there are other ways to do this (call xz directly without the xzgrep wrapper, use IO::Compress::xz, etc).

Comment: Re:"could be worse than Heartbleed" (Score 4, Interesting) 318

by jpvlsmv (#47997629) Attached to: Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

Ok, perhaps I undermined the importance, but if you are using 'xzgrep' in cgi context in a serious situation, I would say that is still a mistake. Forking and execing in response to an http request is terrible performance wise before getting to the security dubious of it all.

The dhclient-script stuff is pretty significant and I think I would be in a weak position saying that those have no business execing system commands/scripts. However it does suggest it may be worthwhile to have a helper that is non-root with capabilities to allow it to do key stuff to limit it's ability.

# run under mod_perl
print "Content-Type: text/plain\n\n";
system("/usr/bin/xzgrep error /var/log/my.log");

Can you see how this prefectly secure quick CGI to find errors in your log file would result in a system compromise?

Comment: Re:"could be worse than Heartbleed" (Score 5, Insightful) 318

by jpvlsmv (#47995761) Attached to: Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild
Except for the system "utilities" that are actually bash scripts, such as /usr/bin/xzgrep. These are vulnerable to inheriting malicious environment variables from the parent processes even if the overlying process is not a shell script.

The other reasonable vector is the use of environment variables set by your dhcp client before running /etc/sysconfig/if-up.d/* based on whatever is contained in the first DHCPOFFER packet it receives.

Comment: Re:Full Disclosure can be found on oss-security... (Score 1) 399

by jpvlsmv (#47993641) Attached to: Remote Exploit Vulnerability Found In Bash
In addition, ANY CGI that calls out to the system may call something that is actually a bash script even if it doesn't look like one.

For example, xzgrep on my Ubuntu system is a bash script, so this is vulnerable:
print("Content-type: text/plain\n\n");
system("xzgrep info /var/log/mylog.xz");

Comment: Tax patents/royalties to fund basic research (Score 4, Interesting) 348

by jpvlsmv (#47873499) Attached to: When Scientists Give Up
I heard this piece on NPR yesterday, and the thing that kept running through my mind is how the pharmaceutical industry is extorting huge profits based on fundamental research-- with much of that happening under NIH grants. Why not set a tax rate on drug patent royalties and use that to fund the NIH?

You have a multi-billion-dollar-sales patented drug? Chip in 0.5% of the revenue to fund NIH grants. Or make your own equivalent grants to truly independant researchers.

Enter into a licensing deal on a drug patent? Chip in 0.5% of the revenue to fund grants.

Comment: Re:The important thing (Score 1) 167

by jpvlsmv (#47837117) Attached to: Scientists Sequence Coffee Genome, Ponder Genetic Modification

Isolate out the caffiene genes, and start adding it to other plants. There are times I'm eating breakfast, and I'm thinking "Why am I only getting caffiene from the coffee? Buzz up them hashbrowns! Perk up that toast! If we can introduce it into animals, think about caffinated eggs, or butter, or cheese. We can finally jitter up the world.

To heck with that, splice that gene into a retrovirus, and let me caffeinate every cell in my body!

Comment: Re:Blue Screen of Death... (Score 4, Funny) 239

You're right, officer, Clippy should not have been driving.

Now, what to do when my Explorer crashes...

Click on the Start button, go to "All Programs", then go to "Brakes", right-click on the "Apply Brakes" button, and choose "Run as Administrator". After the 15-second splash screen (now with Ads by Bing), choose "Decelerate Safely".

You scratch my tape, and I'll scratch yours.