Defending against shell shock
I started writing a longer post about the so-called shell shock, with analysis of what makes a web server vulnerable or secure. Or, strictly speaking, not a web server, but a platform an attacker might access through a web server. But I’m not sure when I’ll find time to do justice to that, so here’s the short announcement:
I’ve updated mod_taint to offer an ultra-simple defence against the risk of shell shock attacks coming through Apache HTTPD, versions 2.2 or later. A new simplified configuration option is provided specifically for this problem:
LoadModule taint_module modules/mod_taint.so
Untaint shellshock
mod_taint source and documentation are at http://people.apache.org/~niq/mod_taint.c and http://people.apache.org/~niq/mod_taint.html respectively.
Here’s some detail from what I posted earlier to the Apache mailing lists:
Untaint works in a directory context, so it can be selectively enabled for potentially vulnerable apps such as those involving CGI, SSI, ExtFilter, or (other) scripts.
This goes through all Request headers, any PATH_INFO and QUERY_STRING, and (just to be paranoid) any other subprocess environment variables. It untaints them against a regexp that checks for “()” at the beginning of a variable, and returns an HTTP 400 error (Bad Request) if found.
Feedback welcome, indeed solicited. I believe this is a simple but sensible approach to protecting potentially-vulnerable systems, but I’m open to contrary views. The exact details, including the shellshock regexp itself, could probably use some refinement. And of course, bug reports!
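To make the check concrete, here is a small stand-alone C sketch of the rule described above. It is an added example, not mod_taint’s own code and not tied to the Apache API: it walks a constructed list of name/value pairs standing in for the request headers, PATH_INFO, QUERY_STRING and other subprocess variables, and returns 400 if any value begins with “()”. It also carries a stricter variant that requires “() {”, the pattern bash itself keys on, to show the false-positive trade-off raised in the comments. The `envvar_t` type, the function names and the sample values are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One name/value pair as it would be exported to a CGI or SSI subprocess.
 * (Constructed type for this example; not mod_taint's own structures.) */
typedef struct {
    const char *name;
    const char *value;
} envvar_t;

/* Return 1 if value opens like a bash exported-function definition.
 * strict == 0: the rule from the post, "()" at the start of the value.
 * strict == 1: the narrower "() {" that bash itself looks for, which
 *              avoids rejecting ordinary values that merely begin "()". */
int shellshock_tainted(const char *value, int strict)
{
    const char *p = value;
    if (p == NULL)
        return 0;
    while (*p == ' ' || *p == '\t')   /* tolerate leading blanks */
        p++;
    if (p[0] != '(' || p[1] != ')')
        return 0;
    if (!strict)
        return 1;
    p += 2;
    while (*p == ' ' || *p == '\t')
        p++;
    return *p == '{';
}

/* Check every variable that would reach the subprocess.  Returns the HTTP
 * status the request should receive: 400 if any variable is tainted,
 * 0 (no objection) otherwise.  On rejection, *offender names the variable. */
int untaint_request(const envvar_t *vars, size_t n, int strict,
                    const char **offender)
{
    for (size_t i = 0; i < n; i++) {
        if (shellshock_tainted(vars[i].value, strict)) {
            if (offender)
                *offender = vars[i].name;
            return 400;
        }
    }
    return 0;
}

/* Constructed samples of a subprocess environment (not real traffic). */
static const envvar_t SAMPLE_CLEAN[] = {
    { "HTTP_HOST",       "example.test" },
    { "HTTP_USER_AGENT", "curl/7.38.0" },
    { "QUERY_STRING",    "expr=(a)+b" },
};
static const envvar_t SAMPLE_ATTACK[] = {
    { "HTTP_HOST",       "example.test" },
    { "HTTP_USER_AGENT", "() { :; }; echo tainted" },
};
/* Begins with "()" but is not a function definition: the lenient rule
 * rejects it, the strict rule lets it through. */
static const envvar_t SAMPLE_FALSE_POSITIVE[] = {
    { "HTTP_HOST", "example.test" },
    { "PATH_INFO", "() is an empty tuple" },
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    const char *who = NULL;
    printf("clean:   %d\n", untaint_request(SAMPLE_CLEAN, COUNT(SAMPLE_CLEAN), 0, &who));
    printf("attack:  %d (%s)\n",
           untaint_request(SAMPLE_ATTACK, COUNT(SAMPLE_ATTACK), 1, &who), who);
    printf("lenient: %d\n",
           untaint_request(SAMPLE_FALSE_POSITIVE, COUNT(SAMPLE_FALSE_POSITIVE), 0, &who));
    printf("strict:  %d\n",
           untaint_request(SAMPLE_FALSE_POSITIVE, COUNT(SAMPLE_FALSE_POSITIVE), 1, &who));
    return 0;
}
```

The lenient rule is the one the post describes and errs on the side of rejecting; the strict rule matches what bash actually parses and so rejects less. Either way the decision is a flat 400 before any subprocess is spawned, which is the point of doing this in the server rather than in each script.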
Posted on September 26, 2014, in apache, linux, security and tagged apache, shellshock.
Bash shell itself looks for “() {” at start of every environment variable before invoking the broken code.
Thus I think you could be more specific without reducing effectiveness, which would reduce false positives.
Bit late to the party.
That pingback only just reached me, although the blog piece (like mine) looks much older.
The piece that links to here states incorrectly that While it is correct that I updated mod_taint, it is not correct to say that Apache did so. This is not an official Apache module, it is merely a module written by an Apache developer (me). It isn’t backed by the community as a whole, it doesn’t benefit from the same level of scrutiny as a core module, or resources such as the bug tracker.
If I recollect aright I offered to contribute it to the project, but there was no real interest. Reasons are lost in the mists of time, but I suspect those needing its functionality use more comprehensive third-party solutions such as mod_security or ironbee.
Pingback: Don’t let anyone shock your shells - Security Research Blog - Security - Micro Focus Community